Share via


Implementing Registry-based Policy

The recommended way to provide policy for your application is to implement registry-based policy.

Before you implement registry-based policy, you should understand how and when policy is applied, as well as the behavior of the policy.

When deploying policy, an administrator can set a policy to one of the following states:

  • Enabled
  • Disabled
  • Not Configured

Your specification should document the behavior of these policy states.

When implementing registry-based policy in an application, use the following procedure.

To implement registry-based policy

  1. Select the registry location, naming and data types for keys
  2. Select the values that can be assigned to your registry keys
  3. Modify your component to check the Policy key
  4. Develop the user interface
  5. Select the method of refresh processing

Select the registry location, naming and data types for keys

Registry keys for your policy settings must be stored in one of the following Policy keys:

HKEY_CURRENT_USER\Software\Policies (preferred location)

HKEY_LOCAL_MACHINE\Software\Policies (preferred location)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies

You can create registry keys in the folder of your choice, at one of the previously listed Policy keys. However, it is recommended that you use the same directory structure of any associated preferences that you have under the Policies key that you suggest.

For example, if your component stores preferences in the location:

HKEY_CURRENT_USER\Software\Microsoft\Windows\    My Component Name

then you should store the associated policy settings in the location:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\My Component Name

Select the values that can be assigned to your registry keys

Choose an appropriate registry value for each of the policy states that your code will search for, under the key you have selected.

Consider the following when selecting a value:

  • The Enabled and Disabled policy states should have an associated registry key and value.
  • The Not Configured policy state should not write any value to the registry.
  • The only data types that can be stored to the registry keys are the REG_DWORD, REG_SZ, and REG_EXPAND_SZ types.

Modify your component to check the Policy key

Modify your component to check the Policy key for the registry key and associated values that you select for use with your policy.

In situations where you have both a Policy registry key and a Preference registry key, perform the following tasks:

  • Read the policy value, using the standard registry functions.
  • If a Policy key is not found, read the preference value, also using the standard registry functions. Policy keys always take priority over Preference keys.
  • If no policy exists, then default in the code. In most instances you will read an associated preference at this point, if a preference exists.

For more information and a code example that shows how your application can check the registry for policy and preference information, see Checking the Registry for Policies and Preferences.

Develop the User Interface

Verify that the user-interface (UI) for your component adheres to any policies that you create. For example, if your policy removes or disables functionality, this must be reflected in the UI.

Select the Method of Refresh Processing

Your application must be aware of policy refreshes.

The component that you are policy-enabling should check the appropriate Policy keys when your component starts. It should also check the keys during a policy refresh because assigned policy settings can change during this process. The system periodically refreshes policy; by default, policy is reapplied every 90 minutes. On domain controllers, the system reapplies policy every 5 minutes

If you have a policy setting that modifies the user-interface (UI), you must monitor when a policy refresh occurs because your application will need to refresh the UI display.

The Group Policy API supports two methods that you can use to ensure that your application is aware of policy refreshes:

First, you can call the RegisterGPNotification function. RegisterGPNotification enables an application to receive notification when there is a change in policy, typically from a background thread. For more information and a code example that shows how to use this method, see Registering for Policy Refresh Notification.

Second, you can use to make your application aware of policy refreshes is to watch the WM_SETTINGCHANGE window message with the lParam parameter set to "Policy". For more information and a code example that shows how to use this method, see Receiving a Policy Refresh Message.

For more information and code examples, see the following topics: