Bewerken

Delen via


Policy CSP - ADMX_DnsClient

Tip

This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

DNS_AllowFQDNNetBiosQueries

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries

Specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names.

  • If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names such as "www.example.com" in addition to single-label names.

  • If you disable this policy setting, or if you don't configure this policy setting, NetBT queries will only be issued for single-label names such as "example" and not for multi-label and fully qualified domain names.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DNS_AllowFQDNNetBiosQueries
Friendly Name Allow NetBT queries for fully qualified domain names
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\Windows NT\DNSClient
Registry Value Name QueryNetBTFQDN
ADMX File Name DnsClient.admx

DNS_AppendToMultiLabelName

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_AppendToMultiLabelName

Specifies that the DNS client may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails.

A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com" is an example of a fully qualified name because it contains a terminating dot.

For example, if attaching suffixes is allowed, an unqualified multi-label name query for "server.corp" will be queried by the DNS client first. If the query succeeds, the response is returned to the client. If the query fails, the unqualified multi-label name is appended with DNS suffixes. These suffixes can be derived from a combination of the local DNS client's primary domain suffix, a connection-specific domain suffix, and a DNS suffix search list.

If attaching suffixes is allowed, and a DNS client with a primary domain suffix of "contoso.com" performs a query for "server.corp" the DNS client will send a query for "server.corp" first, and then a query for "server.corp.contoso.com" second if the first query fails.

  • If you enable this policy setting, suffixes are allowed to be appended to an unqualified multi-label name if the original name query fails.

  • If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails.

  • If you don't configure this policy setting, the DNS client will use its local settings to determine the query behavior for unqualified multi-label names.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DNS_AppendToMultiLabelName
Friendly Name Allow DNS suffix appending to unqualified multi-label name queries
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\Windows NT\DNSClient
Registry Value Name AppendToMultiLabelName
ADMX File Name DnsClient.admx

DNS_Domain

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_Domain

Specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP.

To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix.

  • If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by the DNS client.

  • If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the local or DHCP supplied connection specific DNS suffix, if configured.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DNS_Domain
Friendly Name Connection-specific DNS suffix
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\Windows NT\DNSClient
ADMX File Name DnsClient.admx

DNS_DomainNameDevolutionLevel

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_DomainNameDevolutionLevel

Specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process.

With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name.

The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box.

Devolution isn't enabled if a global suffix search list is configured using Group Policy.

If a global suffix search list isn't configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:

The primary DNS suffix, as specified on the Computer Name tab of the System control panel.

Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection.

For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.

If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the DNS client (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.

For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it's under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it's under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two.

  • If you enable this policy setting and DNS devolution is also enabled, DNS clients use the DNS devolution level that you specify.

  • If this policy setting is disabled, or if this policy setting isn't configured, DNS clients use the default devolution level of two provided that DNS devolution is enabled.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DNS_DomainNameDevolutionLevel
Friendly Name Primary DNS suffix devolution level
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\Windows NT\DNSClient
Registry Value Name EnableDevolutionLevelControl
ADMX File Name DnsClient.admx

DNS_IdnEncoding

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_IdnEncoding

Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the DNS client is on non-domain networks with no WINS servers configured.

  • If this policy setting is enabled, IDNs aren't converted to Punycode.

  • If this policy setting is disabled, or if this policy setting isn't configured, IDNs are converted to Punycode when the DNS client is on non-domain networks with no WINS servers configured.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DNS_IdnEncoding
Friendly Name Turn off IDN encoding
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\Windows NT\DNSClient
Registry Value Name DisableIdnEncoding
ADMX File Name DnsClient.admx

DNS_IdnMapping

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_IdnMapping

Specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string.

  • If this policy setting is enabled, IDNs are converted to the Nameprep form.

  • If this policy setting is disabled, or if this policy setting isn't configured, IDNs aren't converted to the Nameprep form.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DNS_IdnMapping
Friendly Name IDN mapping
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\Windows NT\DNSClient
Registry Value Name EnableIdnMapping
ADMX File Name DnsClient.admx

DNS_NameServer

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_NameServer

Defines the DNS servers to which the DNS client sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP.

To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address.

  • If you enable this policy setting, the list of DNS servers is applied to all network connections used by the DNS client.

  • If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the local or DHCP supplied list of DNS servers, if configured.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DNS_NameServer
Friendly Name DNS servers
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\Windows NT\DNSClient
ADMX File Name DnsClient.admx

DNS_PreferLocalResponsesOverLowerOrderDns

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns

Specifies that responses from link local name resolution protocols received over a network interface that's higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT).

  • If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order.

  • If you disable this policy setting, or if you don't configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order.

Note

This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DNS_PreferLocalResponsesOverLowerOrderDns
Friendly Name Prefer link local responses over DNS when received over a network with higher precedence
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\Windows NT\DNSClient
Registry Value Name PreferLocalOverLowerBindingDNS
ADMX File Name DnsClient.admx

DNS_PrimaryDnsSuffix

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_PrimaryDnsSuffix

Specifies the primary DNS suffix used by the DNS client in DNS name registration and DNS name resolution.

To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com.

Important

In order for changes to this policy setting to be applied on the DNS client, you must restart Windows.

  • If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel.

You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix.

  • If you disable this policy setting, or if you don't configure this policy setting, the DNS client uses the local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it's joined.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DNS_PrimaryDnsSuffix
Friendly Name Primary DNS suffix
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\System\DNSClient
ADMX File Name DnsClient.admx

DNS_RegisterAdapterName

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_RegisterAdapterName

Specifies if the DNS client performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.

By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com.

  • If you enable this policy setting, the DNS client will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by the DNS client.

For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, the DNS client will register A and PTR resource records for mycomputer. VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.

Important

This policy setting is ignored by the DNS client if dynamic DNS registration is disabled.

  • If you disable this policy setting, or if you don't configure this policy setting, the DNS client won't register any A and PTR resource records using a connection-specific DNS suffix.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DNS_RegisterAdapterName
Friendly Name Register DNS records with connection-specific DNS suffix
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\Windows NT\DNSClient
Registry Value Name RegisterAdapterName
ADMX File Name DnsClient.admx

DNS_RegisterReverseLookup

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_RegisterReverseLookup

Specifies if the DNS client will register PTR resource records.

By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record.

  • If you enable this policy setting, registration of PTR records will be determined by the option that you choose under Register PTR records.

To use this policy setting, click Enabled, and then select one of the following options from the drop-down list:

Don't register: the DNS client won't attempt to register PTR resource records.

Register: the DNS client will attempt to register PTR resource records even if registration of the corresponding A records wasn't successful.

Register only if A record registration succeeds: the DNS client will attempt to register PTR resource records only if registration of the corresponding A records was successful.

  • If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use locally configured settings.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DNS_RegisterReverseLookup
Friendly Name Register PTR records
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\Windows NT\DNSClient
ADMX File Name DnsClient.admx

DNS_RegistrationEnabled

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_RegistrationEnabled

Specifies if DNS dynamic update is enabled. DNS clients configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server.

  • If you enable this policy setting, or you don't configure this policy setting, the DNS client will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting mustn't be disabled.

  • If you disable this policy setting, the DNS client may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DNS_RegistrationEnabled
Friendly Name Dynamic update
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\Windows NT\DNSClient
Registry Value Name RegistrationEnabled
ADMX File Name DnsClient.admx

DNS_RegistrationOverwritesInConflict

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_RegistrationOverwritesInConflict

Specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses.

This policy setting is designed for DNS clients that register address (A) resource records in DNS zones that don't use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and doesn't allow a DNS client to overwrite records that are registered by other DNS clients.

During dynamic update of resource records in a zone that doesn't use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address.

  • If you enable this policy setting or if you don't configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update.

  • If you disable this policy setting, existing A resource records that contain conflicting IP addresses won't be replaced during a dynamic update, and an error will be recorded in Event Viewer.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DNS_RegistrationOverwritesInConflict
Friendly Name Replace addresses in conflicts
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\Windows NT\DNSClient
Registry Value Name RegistrationOverwritesInConflict
ADMX File Name DnsClient.admx

DNS_RegistrationRefreshInterval

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_RegistrationRefreshInterval

Specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies DNS clients performing dynamic DNS updates.

DNS clients configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record hasn't changed. This reregistration is required to indicate to DNS servers that records are current and shouldn't be automatically removed (scavenged) when a DNS server is configured to delete stale records.

Warning

If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records.

To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes.

  • If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by DNS clients that receive this policy setting.

  • If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the local or DHCP supplied setting. By default, DNS clients configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DNS_RegistrationRefreshInterval
Friendly Name Registration refresh interval
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\Windows NT\DNSClient
ADMX File Name DnsClient.admx

DNS_RegistrationTtl

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_RegistrationTtl

Specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by the DNS client to which this policy setting is applied.

To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes).

  • If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by the DNS client.

  • If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DNS_RegistrationTtl
Friendly Name TTL value for A and PTR records
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\Windows NT\DNSClient
ADMX File Name DnsClient.admx

DNS_SearchList

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_SearchList

Specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name.

An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com".

DNS clients that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com".

To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes.

  • If you enable this policy setting, one DNS suffix is attached at a time for each query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried.

  • If you disable this policy setting, or if you don't configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DNS_SearchList
Friendly Name DNS suffix search list
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\Windows NT\DNSClient
ADMX File Name DnsClient.admx

DNS_SmartMultiHomedNameResolution

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_SmartMultiHomedNameResolution

Specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept.

  • If you enable this policy setting, the DNS client won't perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail.

  • If you disable this policy setting, or if you don't configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DNS_SmartMultiHomedNameResolution
Friendly Name Turn off smart multi-homed name resolution
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\Windows NT\DNSClient
Registry Value Name DisableSmartNameResolution
ADMX File Name DnsClient.admx

DNS_SmartProtocolReorder

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_SmartProtocolReorder

Specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT).

  • If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks.

  • If you disable this policy setting, or if you don't configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks.

Note

This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DNS_SmartProtocolReorder
Friendly Name Turn off smart protocol reordering
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\Windows NT\DNSClient
Registry Value Name DisableSmartProtocolReordering
ADMX File Name DnsClient.admx

DNS_UpdateSecurityLevel

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_UpdateSecurityLevel

Specifies the security level for dynamic DNS updates.

To use this policy setting, click Enabled and then select one of the following values:

Unsecure followed by secure - the DNS client sends secure dynamic updates only when nonsecure dynamic updates are refused.

Only unsecure - the DNS client sends only nonsecure dynamic updates.

Only secure - The DNS client sends only secure dynamic updates.

  • If you enable this policy setting, DNS clients that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.

  • If you disable this policy setting, or if you don't configure this policy setting, DNS clients will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DNS_UpdateSecurityLevel
Friendly Name Update security level
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\Windows NT\DNSClient
ADMX File Name DnsClient.admx

DNS_UpdateTopLevelDomainZones

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_UpdateTopLevelDomainZones

Specifies if the DNS client may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com".

By default, a DNS client that's configured to perform dynamic DNS update will update the DNS zone that's authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone.

  • If you enable this policy setting, the DNS client sends dynamic updates to any zone that's authoritative for the resource records that the DNS client needs to update, except the root zone.

  • If you disable this policy setting, or if you don't configure this policy setting, the DNS client doesn't send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the DNS client needs to update.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DNS_UpdateTopLevelDomainZones
Friendly Name Update top level domain zones
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\Windows NT\DNSClient
Registry Value Name UpdateTopLevelDomainZones
ADMX File Name DnsClient.admx

DNS_UseDomainNameDevolution

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_UseDomainNameDevolution

Specifies if the DNS client performs primary DNS suffix devolution during the name resolution process.

With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name.

The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box.

Devolution isn't enabled if a global suffix search list is configured using Group Policy.

If a global suffix search list isn't configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:

The primary DNS suffix, as specified on the Computer Name tab of the System control panel.

Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection.

For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.

If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the DNS client (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.

For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it's under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it's under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two.

  • If you enable this policy setting, or if you don't configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix.

  • If you disable this policy setting, DNS clients don't attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DNS_UseDomainNameDevolution
Friendly Name Primary DNS suffix devolution
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\Windows NT\DNSClient
Registry Value Name UseDomainNameDevolution
ADMX File Name DnsClient.admx

Turn_Off_Multicast

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/Turn_Off_Multicast

Specifies that link local multicast name resolution (LLMNR) is disabled on the DNS client.

LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a DNS client to another DNS client on the same subnet that also has LLMNR enabled. LLMNR doesn't require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution isn't possible.

  • If you enable this policy setting, LLMNR will be disabled on all available network adapters on the DNS client.

  • If you disable this policy setting, or you don't configure this policy setting, LLMNR will be enabled on all available network adapters.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name Turn_Off_Multicast
Friendly Name Turn off multicast name resolution
Location Computer Configuration
Path Network > DNS Client
Registry Key Name Software\Policies\Microsoft\Windows NT\DNSClient
Registry Value Name EnableMulticast
ADMX File Name DnsClient.admx

Policy configuration service provider