Policy Catalog

Windows Group Policy settings with their Linux equivalents. Categorisation mirrors the GPEdit tree so admins migrating from AD find the same levers in the same place. Use Columns to add modular-shape, signing, and category fields to the table.

Computer Configuration › Security Settings › Account Policies › Password Policy (6 policies)
Windows path: Computer Configuration | Policies | Windows Settings | Security Settings | Account Policies | Password Policy

Minimum password length [sec.account.password.min-length]
Scope: Computer · Bundled
Windows: Minimum password length
Minimum number of characters required for local user passwords. On Linux this is enforced at password-change time by pam_pwquality / pam_passwdqc; it does not affect existing passwords until they next change.
Linux: pam_pwquality minlen= / /etc/security/pwquality.conf

Password history remembered [sec.account.password.history]
Scope: Computer · Bundled
Windows: Enforce password history
Number of previous passwords the system refuses to reuse. Requires the PAM unix module to be configured with the remember= option, which stores hashed history in /etc/security/opasswd.
Linux: pam_unix remember= / /etc/security/opasswd

Maximum password age (days) [sec.account.password.max-age]
Scope: Computer · Bundled
Windows: Maximum password age
Days after which a password must be changed. Applied as a default for new accounts via login.defs and to existing accounts via chage.
Linux: /etc/login.defs PASS_MAX_DAYS + chage -M

Minimum password age (days) [sec.account.password.min-age]
Scope: Computer · Bundled
Windows: Minimum password age
Days a password must be kept before the user can change it again. Prevents users cycling through the history to reuse a favourite password.
Linux: /etc/login.defs PASS_MIN_DAYS + chage -m

Password must meet complexity requirements [sec.account.password.complexity]
Scope: Computer · Bundled
Windows: Password must meet complexity requirements
Requires a mix of character classes and rejects dictionary words and the username. Maps to pwquality credit/class requirements (ucredit, lcredit, dcredit, ocredit, minclass) and dictcheck.
Linux: pam_pwquality / /etc/security/pwquality.conf

Store passwords using reversible encryption [sec.account.password.reversible-encryption]
Scope: Computer · Bundled
Windows: Store passwords using reversible encryption
Windows-only concept: stores a decryptable password copy. Not implementable on Linux — local accounts always use one-way hashes (yescrypt/sha512). Listed for parity; enforcement on Linux always reports "disabled".
Linux: n/a (always disabled on Linux)
Computer Configuration › Security Settings › Account Policies › Account Lockout Policy (4 policies)
Windows path: Computer Configuration | Policies | Windows Settings | Security Settings | Account Policies | Account Lockout Policy

Account lockout threshold (failed attempts) [sec.account.lockout.threshold]
Scope: Computer · Bundled
Windows: Account lockout threshold
Number of failed login attempts that triggers a lockout. Enforced across local logins, SSH, and desktop greeters via pam_faillock.
Linux: pam_faillock deny= / /etc/security/faillock.conf

Account lockout duration (seconds) [sec.account.lockout.duration]
Scope: Computer · Bundled
Windows: Account lockout duration
How long a locked account stays locked before it auto-unlocks. 0 means it stays locked until an admin unlocks it.
Linux: pam_faillock unlock_time=

Reset lockout counter after (seconds) [sec.account.lockout.reset-after]
Scope: Computer · Bundled
Windows: Reset account lockout counter after
Sliding window in which failed attempts accumulate. After this interval the counter resets to zero.
Linux: pam_faillock fail_interval=

Apply lockout to root / administrator [sec.account.lockout.even-root]
Scope: Computer · Bundled
Windows: Allow Administrator account lockout
Whether the lockout policy applies to root. Dangerous on systems with no console fallback — a lockout can brick remote-only servers.
Linux: pam_faillock even_deny_root
Computer Configuration › Security Settings › Account Policies › Kerberos Policy (5 policies)
Windows path: Computer Configuration | Policies | Windows Settings | Security Settings | Account Policies | Kerberos Policy

Maximum user ticket lifetime (hours) [sec.kerberos.ticket-lifetime]
Scope: Computer · Bundled
Windows: Maximum lifetime for user ticket
How long a TGT is valid before the user must re-authenticate. Applied via /etc/krb5.conf on machines joined to a realm via SSSD or Kanidm.
Linux: /etc/krb5.conf ticket_lifetime

Maximum ticket renewal lifetime (days) [sec.kerberos.renew-lifetime]
Scope: Computer · Bundled
Windows: Maximum lifetime for user ticket renewal
Total window in which a TGT can be renewed without re-authenticating. Pass 0 to disallow renewal entirely.
Linux: /etc/krb5.conf renew_lifetime

Maximum service ticket lifetime (minutes) [sec.kerberos.service-ticket-lifetime]
Scope: Computer · Bundled
Windows: Maximum lifetime for service ticket
Lifetime of service tickets (TGS). Lower values reduce the impact of ticket theft; higher values reduce KDC load.
Linux: krb5.conf default_tgs_lifetime

Maximum tolerance for clock synchronisation (minutes) [sec.kerberos.clockskew]
Scope: Computer · Bundled
Windows: Maximum tolerance for computer clock synchronization
Acceptable clock drift between client and KDC. If exceeded, Kerberos refuses authentication — ensure chrony/timesyncd is healthy.
Linux: krb5.conf clockskew

Enforce user logon restrictions [sec.kerberos.logon-restrictions]
Scope: Computer · Bundled
Windows: Enforce user logon restrictions
The KDC validates every service ticket request against user account policy (disabled, expired, logon hours). Corresponds to KDC_OPT_ENFORCE; maps to MIT/Heimdal KDC config on Linux KDCs only — on GP-joined clients this setting is informational.
Linux: KDC-side (MIT krb5 / Heimdal)
Computer Configuration › Security Settings › Local Policies › Audit Policy (9 policies)
Windows path: Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy

Audit account logon events [sec.audit.account-logon]
Scope: Computer · Bundled
Windows: Audit account logon events
Log successful and failed validations of an account's credentials (Kerberos AS/TGS, NTLM). On Linux maps to auditd rules on pam_unix/pam_sss and the sshd PAM stack.
Linux: auditd rules on PAM authentication

Audit account management [sec.audit.account-mgmt]
Scope: Computer · Bundled
Windows: Audit account management
Log account creation, modification, deletion, enabling/disabling, and group membership changes. Mapped to auditd watches on /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow.
Linux: auditd -w /etc/passwd -p wa

Audit directory service access [sec.audit.directory-access]
Scope: Computer · Bundled
Windows: Audit directory service access
Log access to directory-service objects. On Linux only meaningful on 389-DS / Kanidm / OpenLDAP servers — maps to their native access log.
Linux: 389-ds / OpenLDAP access log

Audit logon events [sec.audit.logon]
Scope: Computer · Bundled
Windows: Audit logon events
Log each user logon / logoff on the local machine (console, SSH, display manager). Distinct from account-logon, which is KDC-side.
Linux: auditd + systemd-logind

Audit object access [sec.audit.object-access]
Scope: Computer · Bundled
Windows: Audit object access
Log access to individual filesystem objects, registry entries, or named resources that have an audit entry set. On Linux set via auditd path watches.
Linux: auditd -w <path> -p rwxa

Audit policy change [sec.audit.policy-change]
Scope: Computer · Bundled
Windows: Audit policy change
Log changes to security policy, user rights, audit config, and trust relationships. Linux equivalent: watches on /etc/sudoers, /etc/audit/, /etc/security/, SELinux/AppArmor policy.
Linux: auditd policy watches

Audit privilege use [sec.audit.privilege-use]
Scope: Computer · Bundled
Windows: Audit privilege use
Log use of sensitive privileges (e.g. backup/restore, act as OS). Linux equivalent: sudo logging and auditd rules on capability-granting syscalls (capset).
Linux: sudoers log_file + auditd capset

Audit process tracking [sec.audit.process-tracking]
Scope: Computer · Bundled
Windows: Audit process tracking
Log every process creation and exit. High volume — consider auditd execve rules with key filters or switch to a lighter-weight tracer (bpftrace).
Linux: auditd -a always,exit -F arch=... -S execve

Audit system events [sec.audit.system]
Scope: Computer · Bundled
Windows: Audit system events
Log system-wide events: startup, shutdown, security log changes, time changes. Maps to auditd + journal boot/shutdown records.
Linux: auditd + journald
Computer Configuration › Security Settings › Local Policies › User Rights Assignment (24 policies)
Windows path: Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignment

Allow network access to this computer [ura.network-access]
Scope: Computer · Bundled
Windows: Access this computer from the network
List of users/groups allowed to reach the machine from the network. On Linux this is split per service: sshd AllowUsers/AllowGroups, Samba valid users, pam_access source rules.
Linux: sshd AllowUsers / pam_access.conf

Act as part of the operating system [ura.act-as-os]
Scope: Computer · Bundled
Windows: Act as part of the operating system
Windows privilege for impersonation-like service code. Closest Linux equivalent: restricting CAP_SYS_ADMIN and CAP_SETUID to an allow-list via the systemd unit CapabilityBoundingSet=.
Linux: systemd CapabilityBoundingSet

Join machines to the directory [ura.add-workstations]
Scope: Computer · Bundled
Windows: Add workstations to domain
Which identities can enrol a new machine into the directory. In Pluris this is mapped to the role that runs realm join / kanidm domain ldap_basedn and issues host keytabs.
Linux: Kanidm / SSSD role

Adjust memory quotas for a process [ura.adjust-memory]
Scope: Computer · Bundled
Windows: Adjust memory quotas for a process
On Windows controls SetProcessWorkingSetSize. On Linux maps to cgroup memory controller delegation via systemd user slices and /etc/security/limits.conf RSS caps.
Linux: cgroups / /etc/security/limits.conf

Allow log on locally [ura.logon-locally]
Scope: Computer · Bundled
Windows: Allow log on locally
Users permitted console / display-manager logins. Enforced by pam_access.conf on the login, gdm-password, and lightdm PAM stacks.
Linux: pam_access.conf

Allow log on through Remote Desktop / SSH [ura.logon-remote]
Scope: Computer · Bundled
Windows: Allow log on through Remote Desktop Services
Who can log in remotely. On Linux this is split: sshd AllowUsers/AllowGroups for SSH, xrdp permissions for RDP-style remote desktop.
Linux: sshd_config + xrdp

Bypass file ACLs for backup [ura.backup-files]
Scope: Computer · Bundled
Windows: Back up files and directories
Permission to read any file regardless of DAC. Linux equivalent: granting CAP_DAC_READ_SEARCH to the backup service unit.
Linux: CAP_DAC_READ_SEARCH via systemd AmbientCapabilities

Change the system time [ura.change-time]
Scope: Computer · Bundled
Windows: Change the system time
Who may change the wall-clock. Linux: CAP_SYS_TIME plus a polkit rule for org.freedesktop.timedate1.set-time.
Linux: polkit timedate1 + CAP_SYS_TIME

Debug programs [ura.debug-programs]
Scope: Computer · Bundled
Windows: Debug programs
Attach a debugger to an arbitrary process. Linux: kernel.yama.ptrace_scope sysctl plus CAP_SYS_PTRACE. 0=classic, 1=restricted (default), 2=admin-only, 3=disabled.
Linux: sysctl kernel.yama.ptrace_scope

Deny network access [ura.deny-network]
Scope: Computer · Bundled
Windows: Deny access to this computer from the network
Block list for remote access. Enforced alongside the allow list via sshd DenyUsers/DenyGroups and pam_access rules.
Linux: sshd DenyUsers / pam_access

Deny log on locally [ura.deny-logon-locally]
Scope: Computer · Bundled
Windows: Deny log on locally
Block list for console/GUI logins. pam_access.conf deny rules, evaluated before the allow list.
Linux: pam_access.conf deny

Force shutdown from a remote system [ura.shutdown-remote]
Scope: Computer · Bundled
Windows: Force shutdown from a remote system
Who may trigger a remote reboot/shutdown. Linux: polkit rule for org.freedesktop.login1.power-off plus sudoers for /sbin/shutdown.
Linux: polkit login1 + sudoers

Generate security audits [ura.generate-audit]
Scope: Computer · Bundled
Windows: Generate security audits
Which processes can write to the security audit log. Linux: CAP_AUDIT_WRITE capability (granted by default to sshd and pam_audit).
Linux: CAP_AUDIT_WRITE

Load and unload kernel modules [ura.load-drivers]
Scope: Computer · Bundled
Windows: Load and unload device drivers
Who can call insmod/modprobe/rmmod. Linux: CAP_SYS_MODULE plus the kernel.modules_disabled sysctl. In Secure Boot lockdown mode module signing is also enforced.
Linux: CAP_SYS_MODULE + kernel lockdown

Lock pages in memory [ura.lock-pages]
Scope: Computer · Bundled
Windows: Lock pages in memory
Permission to call mlock/mlockall and keep pages non-swappable. Linux: ulimit -l and /etc/security/limits.conf memlock.
Linux: /etc/security/limits.conf memlock

Log on as a batch job (cron) [ura.logon-batch]
Scope: Computer · Bundled
Windows: Log on as a batch job
Whose cron/at jobs may execute. Enforced via /etc/cron.allow, /etc/cron.deny, /etc/at.allow.
Linux: /etc/cron.allow /etc/at.allow

Log on as a service [ura.logon-service]
Scope: Computer · Bundled
Windows: Log on as a service
Accounts under which systemd services may run. Validated at unit-generation time: ensures the User= field of any .service file belongs to this set.
Linux: systemd unit User= allow-list

Manage auditing and security log [ura.manage-audit]
Scope: Computer · Bundled
Windows: Manage auditing and security log
Who may read or configure the audit subsystem. Linux: CAP_AUDIT_CONTROL and CAP_AUDIT_READ, plus membership of the adm/systemd-journal groups.
Linux: CAP_AUDIT_CONTROL + systemd-journal group

Modify firmware environment values [ura.firmware-env]
Scope: Computer · Bundled
Windows: Modify firmware environment values
Who can rewrite UEFI/NVRAM variables. Linux: CAP_SYS_ADMIN on /sys/firmware/efi/efivars plus Secure Boot lockdown gating.
Linux: /sys/firmware/efi/efivars + lockdown

Profile single process [ura.profile-proc]
Scope: Computer · Bundled
Windows: Profile single process
Allow a user to run perf-style counters against one process. Linux: kernel.perf_event_paranoid sysctl (1 or 2 permits per-process profiling).
Linux: sysctl kernel.perf_event_paranoid

Profile system performance [ura.profile-sys]
Scope: Computer · Bundled
Windows: Profile system performance
System-wide profiling. Linux: kernel.perf_event_paranoid = -1 (or 0) plus the CAP_PERFMON capability (kernel 5.8+).
Linux: sysctl + CAP_PERFMON

Restore files and directories [ura.restore-files]
Scope: Computer · Bundled
Windows: Restore files and directories
Who may write files bypassing DAC (for restore). Linux: CAP_DAC_OVERRIDE on the restore service.
Linux: CAP_DAC_OVERRIDE

Shut down the system [ura.shutdown-sys]
Scope: Computer · Bundled
Windows: Shut down the system
Who can initiate a local shutdown/reboot. Linux: polkit action org.freedesktop.login1.power-off.
Linux: polkit login1.power-off

Take ownership of files or other objects [ura.take-ownership]
Scope: Computer · Bundled
Windows: Take ownership of files or other objects
Change the UID/GID owner of arbitrary files. Linux: CAP_CHOWN plus CAP_FOWNER.
Linux: CAP_CHOWN + CAP_FOWNER
Computer Configuration › Security Settings › Local Policies › Security Options
25 policies
Root account status
sec.opt.root-status
sec.opt.root-status
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
Accounts: Administrator account status
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Optionspasswd -l root / passwd -u root
Whether the root account accepts passwords. Recommended state on managed endpoints: locked (passwd -l root); admins escalate through sudo instead.
Linux: passwd -l root / passwd -u root
0
Guest account status
sec.opt.guest-status
sec.opt.guest-status
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
Accounts: Guest account status
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security OptionsAccountsService + gdm/lightdm guest-session
Whether an unauthenticated guest desktop session is offered. Managed by AccountsService and the display-manager (gdm/lightdm) guest-session setting.
Linux: AccountsService + gdm/lightdm guest-session
0
Rename root / primary admin account
sec.opt.rename-admin
sec.opt.rename-admin
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
Accounts: Rename administrator account
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Optionsadvisory — do not rename uid 0
On Windows renames the built-in Administrator. On Linux the UID 0 account is conventionally named 'root' and renaming it breaks assumptions in many tools — Pluris recommends leaving root as-is and instead controlling access via sudo + named admin accounts.
Linux: advisory — do not rename uid 0
0
Limit blank passwords to console
sec.opt.null-passwords-console
sec.opt.null-passwords-console
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
Accounts: Limit local account use of blank passwords to console logon only
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
Prevent empty-password accounts from authenticating over network services. Mapped to removing nullok from non-console PAM stacks (sshd, su).
Linux: pam_unix nullok removal
0
Shut down immediately if unable to log audits
sec.opt.audit-shutdown-on-fail
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
Audit: Shut down system immediately if unable to log security audits
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
Halt on audit-write failure for compliance profiles (PCI-DSS/STIG). Linux: auditd disk_error_action=HALT and disk_full_action=HALT.
Linux: auditd.conf disk_error_action=HALT
0
Disable Ctrl-Alt-Del reboot
sec.opt.ctrl-alt-del
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
Interactive logon: Do not require CTRL+ALT+DEL
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
On Linux, pressing Ctrl-Alt-Del on a virtual console activates systemd's ctrl-alt-del.target, which reboots the machine. This policy controls whether that target is masked (reboot disabled) or left active.
Linux: systemctl mask ctrl-alt-del.target
0
Do not display last signed-in user on greeter
sec.opt.hide-last-user
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
Interactive logon: Don't display last signed-in
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
Suppress the username on the display-manager greeter. Mapped to gdm / lightdm config — hide user list, force manual username entry.
Linux: gdm disable-user-list / lightdm greeter-hide-users
0
Pre-logon banner text
sec.opt.logon-banner-text
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
Interactive logon: Message text for users attempting to log on
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
Legal/usage banner shown before interactive logon. On Linux this maps to /etc/issue (console), /etc/issue.net (network logins such as telnet and SSH, shown before authentication) and the sshd Banner directive.
Linux: /etc/issue /etc/issue.net sshd Banner
0
Pre-logon banner title
sec.opt.logon-banner-title
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
Interactive logon: Message title for users attempting to log on
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
Title line of the banner. On Linux it is prepended to /etc/issue as a header line; graphical greeters render it as a separate, emphasised line.
Linux: /etc/issue header
0
Number of previous logons to cache
sec.opt.cached-logons
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
Interactive logon: Number of previous logons to cache
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
How many recent directory logins SSSD caches for offline use. Offline unlock of an encrypted desktop depends on this being > 0.
Linux: sssd.conf cache_credentials=true + entry_cache_timeout
0
Warn user N days before password expiry
sec.opt.password-warn
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
Interactive logon: Prompt user to change password before expiration
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
How many days in advance to warn the user about expiry.
Linux: /etc/login.defs PASS_WARN_AGE
0
Require smart-card login
sec.opt.require-smartcard
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
Interactive logon: Require smart card
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
Force smart-card auth for interactive logon. Linux: pam_pkcs11 / sssd with certificate mapping; requires PKCS#11 middleware (OpenSC / manufacturer driver).
Linux: pam_pkcs11 / sssd p11_kit
0
Action on smart-card removal
sec.opt.smartcard-removal
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
Interactive logon: Smart card removal behavior
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
None / Lock / Force logoff when the card is pulled. Linux: sssd-smartcard + logind lock-session hook.
Linux: sssd smartcard + systemd-logind
0
SMB client: require signing
sec.opt.smb-client-sign
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
Microsoft network client: Digitally sign communications (always)
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
Require SMB signing from Linux SMB clients. Maps to smb.conf 'client signing = mandatory'.
Linux: smb.conf client signing
0
SMB server: require signing
sec.opt.smb-server-sign
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
Microsoft network server: Digitally sign communications (always)
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
Force SMB signing on inbound shares. Maps to smb.conf 'server signing = mandatory' on any host running smbd.
Linux: smb.conf server signing
0
Block anonymous directory enumeration
sec.opt.anon-sam
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
Network access: Do not allow anonymous enumeration of SAM accounts
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
Refuse anonymous user-list requests. For Linux SMB servers: smb.conf 'restrict anonymous = 2'. For LDAP/Kanidm: require authenticated bind.
Linux: smb.conf restrict anonymous / LDAP no-anon
0
Kerberos permitted encryption types
sec.opt.kerb-enctypes
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
Network security: Configure encryption types allowed for Kerberos
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
Allowed enctypes (RC4, AES128, AES256). Linux: krb5.conf default_tgs_enctypes / default_tkt_enctypes / permitted_enctypes.
Linux: krb5.conf permitted_enctypes
0
LAN Manager authentication level
sec.opt.lm-auth-level
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
Network security: LAN Manager authentication level
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
Controls NTLM/LM behaviour. Recommended: NTLMv2 only. Linux: smb.conf 'client ntlmv2 auth = yes' and 'ntlm auth = no' on any smbd.
Linux: smb.conf ntlm auth / client ntlmv2 auth
0
LDAP client signing requirements
sec.opt.ldap-signing
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
Network security: LDAP client signing requirements
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
Require signed LDAP binds. Linux: /etc/openldap/ldap.conf SASL_SECPROPS minssf=128 and sssd ldap_sasl_mech=GSSAPI.
Linux: ldap.conf SASL_SECPROPS / sssd ldap_sasl_mech
0
Allow shutdown without login
sec.opt.shutdown-no-logon
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
Shutdown: Allow system to be shut down without having to log on
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
Show shutdown/reboot buttons on the greeter without requiring a prior login. Linux: gdm/lightdm 'disable-restart-buttons' + polkit login1 rule for the 'no session' subject.
Linux: gdm/lightdm greeter + polkit login1
0
Encrypt or wipe swap on shutdown
sec.opt.clear-swap
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
Shutdown: Clear virtual memory pagefile
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
Prevent secrets leaking via swap. On Linux the strong recommendation is encrypted swap (/etc/crypttab with random key per boot) rather than a shred-on-shutdown hook.
Linux: cryptswap / /etc/crypttab
0
FIPS mode
sec.opt.fips
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
System cryptography: Use FIPS compliant algorithms
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
Restrict kernel and userland crypto to FIPS 140-validated algorithms. Linux: fips-mode-setup --enable (RHEL/OL/Alma) or update-crypto-policies --set FIPS.
Linux: fips-mode-setup / update-crypto-policies
0
Require password for privilege elevation (admin accounts)
sec.opt.uac-admin-approval
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
User Account Control: Admin Approval Mode for the Built-in Administrator account
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
Force admins to re-enter their password on sudo / polkit elevation. Linux: remove NOPASSWD in sudoers and set polkit admin rules to auth_admin.
Linux: sudoers + polkit auth_admin
0
Elevation prompt for standard users
sec.opt.uac-standard-prompt
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
User Account Control: Behavior of the elevation prompt for standard users
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
How standard users are prompted when an action needs elevation: prompt / deny. Linux: polkit rules deciding allow_any / auth_admin / no.
Linux: polkit rules
0
Only allow signed/verified executables
sec.opt.exec-signed-only
Computer
Computer Configuration › Security Settings › Local Policies › Security Options
Bundled
User Account Control: Only elevate executables that are signed and validated
Computer Configuration | … | Security Settings | Local Policies | Security Options
Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options
Enforce that only packaged / signed binaries run. Linux: fapolicyd in enforcing mode with RPM/dpkg trust sources, or IMA-appraisal with a verified keyring.
Linux: fapolicyd / IMA-appraisal
0
Computer Configuration › Security Settings › Windows Defender Firewall › Domain Profile
1 policy
Firewall state — Domain profile
fw.profile.domain
Computer
Computer Configuration › Security Settings › Windows Defender Firewall › Domain Profile
Bundled
Firewall state (Domain Profile)
Computer Configuration | … | Security Settings | Windows Defender Firewall with Advanced Security | Domain Profile
Computer Configuration|Policies|Windows Settings|Security Settings|Windows Defender Firewall with Advanced Security|Domain Profile
Enabled/disabled state when the machine is in a trusted (directory-joined) network. Linux: firewalld zone 'internal' or nftables table inet pluris_domain with default policy drop.
Linux: firewalld zone / nftables
0
Computer Configuration › Security Settings › Windows Defender Firewall › Private Profile
1 policy
Firewall state — Private profile
fw.profile.private
Computer
Computer Configuration › Security Settings › Windows Defender Firewall › Private Profile
Bundled
Firewall state (Private Profile)
Computer Configuration | … | Security Settings | Windows Defender Firewall with Advanced Security | Private Profile
Computer Configuration|Policies|Windows Settings|Security Settings|Windows Defender Firewall with Advanced Security|Private Profile
Firewall state on known but untrusted networks. Linux: firewalld zone 'home' / nftables chain.
Linux: firewalld zone home
0
Computer Configuration › Security Settings › Windows Defender Firewall › Public Profile
1 policy
Firewall state — Public profile
fw.profile.public
Computer
Computer Configuration › Security Settings › Windows Defender Firewall › Public Profile
Bundled
Firewall state (Public Profile)
Computer Configuration | … | Security Settings | Windows Defender Firewall with Advanced Security | Public Profile
Computer Configuration|Policies|Windows Settings|Security Settings|Windows Defender Firewall with Advanced Security|Public Profile
Firewall state on untrusted networks (cafés, airports). Linux: firewalld zone 'public' — typically default-deny inbound, allow only dhcpv6-client/ssh if needed.
Linux: firewalld zone public
0
Computer Configuration › Security Settings › Windows Defender Firewall
6 policies
Default inbound action
fw.default.inbound
Computer
Computer Configuration › Security Settings › Windows Defender Firewall
Bundled
Inbound connections
Computer Configuration | … | Windows Settings | Security Settings | Windows Defender Firewall with Advanced Security
Computer Configuration|Policies|Windows Settings|Security Settings|Windows Defender Firewall with Advanced Security
Allow / Block / Block all. Linux: nftables chain hook input policy drop/accept; ufw default deny incoming.
Linux: nftables input policy / ufw default
0
Default outbound action
fw.default.outbound
Computer
Computer Configuration › Security Settings › Windows Defender Firewall
Bundled
Outbound connections
Computer Configuration | … | Windows Settings | Security Settings | Windows Defender Firewall with Advanced Security
Computer Configuration|Policies|Windows Settings|Security Settings|Windows Defender Firewall with Advanced Security
Allow / Block. Most endpoints leave this as allow; servers may restrict to specific egress.
Linux: nftables output policy / ufw default outgoing
0
Log dropped packets
fw.log.dropped
Computer
Computer Configuration › Security Settings › Windows Defender Firewall
Bundled
Log dropped packets
Computer Configuration | … | Windows Settings | Security Settings | Windows Defender Firewall with Advanced Security
Computer Configuration|Policies|Windows Settings|Security Settings|Windows Defender Firewall with Advanced Security
Write dropped packets to a log. Linux: nftables rule 'log prefix "pluris-drop" level info' with ratelimit, shipped via rsyslog/ulogd.
Linux: nftables log / ulogd2
0
Log accepted connections
fw.log.accepted
Computer
Computer Configuration › Security Settings › Windows Defender Firewall
Bundled
Log successful connections
Computer Configuration | … | Windows Settings | Security Settings | Windows Defender Firewall with Advanced Security
Computer Configuration|Policies|Windows Settings|Security Settings|Windows Defender Firewall with Advanced Security
Log accepted new flows. High volume; usually only needed during policy tuning.
Linux: nftables log on accept
0
Firewall log file path
fw.log.path
Computer
Computer Configuration › Security Settings › Windows Defender Firewall
Bundled
Name (log file path)
Computer Configuration | … | Windows Settings | Security Settings | Windows Defender Firewall with Advanced Security
Computer Configuration|Policies|Windows Settings|Security Settings|Windows Defender Firewall with Advanced Security
Where the firewall log is written. Linux: rsyslog rule routing kern.warning with msg containing the prefix to /var/log/pluris-fw.log.
Linux: rsyslog rule
0
Firewall log size limit
fw.log.size
Computer
Computer Configuration › Security Settings › Windows Defender Firewall
Bundled
Size limit (KB)
Computer Configuration | … | Windows Settings | Security Settings | Windows Defender Firewall with Advanced Security
Computer Configuration|Policies|Windows Settings|Security Settings|Windows Defender Firewall with Advanced Security
Rotation size for the firewall log. Linux: logrotate stanza for the log file.
Linux: logrotate
0
Computer Configuration › Security Settings › Windows Defender Firewall › Inbound Rules
1 policy
Inbound rules
fw.rules.inbound
Computer
Computer Configuration › Security Settings › Windows Defender Firewall › Inbound Rules
Bundled
Inbound Rules
Computer Configuration | … | Security Settings | Windows Defender Firewall with Advanced Security | Inbound Rules
Computer Configuration|Policies|Windows Settings|Security Settings|Windows Defender Firewall with Advanced Security|Inbound Rules
Per-port / per-service inbound allow or block rules. Edited as a list, each rule with protocol, port, source, action, profile.
Linux: nftables rules / firewalld services
0
Computer Configuration › Security Settings › Windows Defender Firewall › Outbound Rules
1 policy
Outbound rules
fw.rules.outbound
Computer
Computer Configuration › Security Settings › Windows Defender Firewall › Outbound Rules
Bundled
Outbound Rules
Computer Configuration | … | Security Settings | Windows Defender Firewall with Advanced Security | Outbound Rules
Computer Configuration|Policies|Windows Settings|Security Settings|Windows Defender Firewall with Advanced Security|Outbound Rules
Restrict outbound traffic by destination, port, protocol.
Linux: nftables rules
0
Computer Configuration › Security Settings › Windows Defender Firewall › Connection Security Rules
1 policy
IPsec / Connection security rules
fw.ipsec.rules
Computer
Computer Configuration › Security Settings › Windows Defender Firewall › Connection Security Rules
Bundled
Connection Security Rules
Computer Configuration | … | Security Settings | Windows Defender Firewall with Advanced Security | Connection Security Rules
Computer Configuration|Policies|Windows Settings|Security Settings|Windows Defender Firewall with Advanced Security|Connection Security Rules
Require IPsec for flows between specific endpoints. Linux: strongSwan swanctl.conf or libreswan ipsec.conf.
Linux: strongSwan / libreswan
0
Computer Configuration › Security Settings › Public Key Policies
4 policies
Trusted Root Certification Authorities
pki.ca.trusted
Computer
Computer Configuration › Security Settings › Public Key Policies
Bundled
Trusted Root Certification Authorities
Computer Configuration | … | Windows Settings | Security Settings | Public Key Policies
Computer Configuration|Policies|Windows Settings|Security Settings|Public Key Policies
Root CAs the machine trusts. Linux: drop PEMs into /usr/local/share/ca-certificates/ (Debian) or /etc/pki/ca-trust/source/anchors/ (RHEL) and run update-ca-certificates / update-ca-trust.
Linux: update-ca-certificates / update-ca-trust
0
Intermediate Certification Authorities
pki.ca.intermediate
Computer
Computer Configuration › Security Settings › Public Key Policies
Bundled
Intermediate Certification Authorities
Computer Configuration | … | Windows Settings | Security Settings | Public Key Policies
Computer Configuration|Policies|Windows Settings|Security Settings|Public Key Policies
Intermediate CAs to pre-seed in the system trust store. Same mechanism as root CAs.
Linux: update-ca-trust / update-ca-certificates
0
Automatic certificate enrolment
pki.autoenroll
Computer
Computer Configuration › Security Settings › Public Key Policies
Bundled
Certificate Services Client - Auto-Enrollment
Computer Configuration | … | Windows Settings | Security Settings | Public Key Policies
Computer Configuration|Policies|Windows Settings|Security Settings|Public Key Policies
Auto-request and renew machine certificates. Linux: certmonger against FreeIPA/Dogtag, or acme.sh/certbot for ACME-issued certs.
Linux: certmonger / certbot
0
Filesystem encryption (EFS equivalent)
pki.efs
Computer
Computer Configuration › Security Settings › Public Key Policies
Bundled
Encrypting File System
Computer Configuration | … | Windows Settings | Security Settings | Public Key Policies
Computer Configuration|Policies|Windows Settings|Security Settings|Public Key Policies
Per-user encrypted home/data directories. Linux choices: fscrypt (native, built into ext4/f2fs), eCryptfs (legacy), or full-disk LUKS as an alternative.
Linux: fscrypt / eCryptfs / LUKS
0
Computer Configuration › Security Settings › Application Control › Executable Rules
1 policy
Executable allow-list rules
appctl.exec.allowlist
Computer
Computer Configuration › Security Settings › Application Control › Executable Rules
Bundled
AppLocker: Executable Rules
Computer Configuration | … | Application Control Policies | AppLocker | Executable Rules
Computer Configuration|Policies|Windows Settings|Security Settings|Application Control Policies|AppLocker|Executable Rules
Which binaries may run. Linux options: fapolicyd (path + hash + package source), SELinux execmod, AppArmor profile.
Linux: fapolicyd / SELinux / AppArmor
0
Computer Configuration › Security Settings › Application Control › Script Rules
1 policy
Script allow-list rules
appctl.script.allowlist
Computer
Computer Configuration › Security Settings › Application Control › Script Rules
Bundled
AppLocker: Script Rules
Computer Configuration | … | Application Control Policies | AppLocker | Script Rules
Computer Configuration|Policies|Windows Settings|Security Settings|Application Control Policies|AppLocker|Script Rules
Constrain which interpreted scripts may be executed. Linux: fapolicyd with interpreter trust (bash, python, perl, nodejs) + restrictive $PATH for interactive shells.
Linux: fapolicyd interpreter trust
0
Computer Configuration › Security Settings › Application Control › Installer Rules
1 policy
Installer / package allow-list
appctl.installer.allowlist
Computer
Computer Configuration › Security Settings › Application Control › Installer Rules
Bundled
AppLocker: Windows Installer Rules
Computer Configuration | … | Application Control Policies | AppLocker | Windows Installer Rules
Computer Configuration|Policies|Windows Settings|Security Settings|Application Control Policies|AppLocker|Windows Installer Rules
Restrict which package operations are allowed. Linux: apt/dnf hooks + polkit rules on package-manager D-Bus interfaces.
Linux: apt/dnf hooks + polkit
0
Computer Configuration › Security Settings › Application Control › Packaged App Rules
1 policy
Packaged-app (Flatpak/Snap) rules
appctl.packaged.allowlist
Computer
Computer Configuration › Security Settings › Application Control › Packaged App Rules
Bundled
AppLocker: Packaged app Rules
Computer Configuration | … | Application Control Policies | AppLocker | Packaged app Rules
Computer Configuration|Policies|Windows Settings|Security Settings|Application Control Policies|AppLocker|Packaged app Rules
Which Flatpak IDs and Snap names are permitted. Linux: flatpak override + /etc/flatpak/remotes.d; snap refresh-control and snap connections.
Linux: flatpak override / snap
0
Computer Configuration › Security Settings › Application Control › Library Rules
1 policy
Library (shared-object) rules
appctl.lib.allowlist
Computer
Computer Configuration › Security Settings › Application Control › Library Rules
Bundled
AppLocker: DLL Rules
Computer Configuration | … | Application Control Policies | AppLocker | DLL Rules
Computer Configuration|Policies|Windows Settings|Security Settings|Application Control Policies|AppLocker|DLL Rules
Control which shared libraries may be loaded. Linux: fapolicyd in library-integrity mode; alternatively IMA-appraisal on .so files.
Linux: fapolicyd lib mode / IMA
0
Computer Configuration › Security Settings › Application Control
1 policy
Default application control action
appctl.default-rule
Computer
Computer Configuration › Security Settings › Application Control
Bundled
Default Rule
Computer Configuration | … | Security Settings | Application Control Policies | AppLocker
Computer Configuration|Policies|Windows Settings|Security Settings|Application Control Policies|AppLocker
What happens to executables that don't match any allow/deny rule. Linux: fapolicyd 'permissive' (log only) vs 'enforcing'.
Linux: fapolicyd.conf permissive=
0
Computer Configuration › Scripts (Startup/Shutdown)
2 policies
Startup scripts
scripts.startup
Computer
Computer Configuration › Scripts (Startup/Shutdown)
Bundled
Startup
Computer Configuration|Policies|Windows Settings|Scripts (Startup/Shutdown)
Scripts run as root during system boot, before any user session. Linux: systemd unit with WantedBy=multi-user.target or a drop-in to pluris-startup.target.
Linux: systemd unit
0
Shutdown scripts
scripts.shutdown
Computer
Computer Configuration › Scripts (Startup/Shutdown)
Bundled
Shutdown
Computer Configuration|Policies|Windows Settings|Scripts (Startup/Shutdown)
Scripts run as root during system shutdown. Linux: systemd unit with ExecStop=, DefaultDependencies=no, Before=shutdown.target.
Linux: systemd unit ExecStop
0
Computer Configuration › Administrative Templates › System › Group Policy
1 policy
Script run on policy refresh
scripts.policy-refresh
Computer
Computer Configuration › Administrative Templates › System › Group Policy
Bundled
Run these programs at group-policy refresh
Computer Configuration | … | Administrative Templates | System | Group Policy
Computer Configuration|Policies|Administrative Templates|System|Group Policy
Executed whenever the agent applies an updated policy set. Useful for cache invalidation / restart of affected services.
Linux: pluris-agent post-apply hook
0
Computer Configuration › Administrative Templates › System › Scripts
1 policy
Maximum wait time for startup scripts (seconds)
scripts.max-wait
Computer
Computer Configuration › Administrative Templates › System › Scripts
Bundled
Maximum wait time for Group Policy scripts
Computer Configuration | … | Administrative Templates | System | Scripts
Computer Configuration|Policies|Administrative Templates|System|Scripts
Timeout after which a boot script is killed and boot continues. Linux: systemd TimeoutStartSec= on the unit.
Linux: systemd TimeoutStartSec
0
Computer Configuration › Administrative Templates › System › Power Management
4 policies
Active power plan
adm.sys.power.plan
Computer
Computer Configuration › Administrative Templates › System › Power Management
Bundled
Select an active power plan
Computer Configuration | … | Administrative Templates | System | Power Management
Computer Configuration|Policies|Administrative Templates|System|Power Management
Selected power profile (balanced / performance / power-saver). Linux: tlp / power-profiles-daemon 'powerprofilesctl set'.
Linux: tlp / power-profiles-daemon
0
Display sleep timeout (seconds)
adm.sys.power.display-sleep
Computer
Computer Configuration › Administrative Templates › System › Power Management
Bundled
Specify the display's sleep timeout
Computer Configuration | … | System | Power Management | Video and Display Settings
Computer Configuration|Policies|Administrative Templates|System|Power Management|Video and Display Settings
Idle time before the display turns off. Linux: gsettings org.gnome.settings-daemon.plugins.power (system-wide via dconf lock).
Linux: dconf / xset dpms
0
Hibernate timeout (seconds)
adm.sys.power.hibernate
Computer
Computer Configuration › Administrative Templates › System › Power Management
Bundled
Specify the system hibernate timeout
Computer Configuration | … | System | Power Management | Sleep Settings
Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep Settings
Idle time before hibernate. Linux: systemd-logind HandleLidSwitch / IdleAction + IdleActionSec.
Linux: systemd-logind.conf
0
Disable hybrid sleep
adm.sys.power.hybrid-sleep
Computer
Computer Configuration › Administrative Templates › System › Power Management
Bundled
Turn off hybrid sleep
Computer Configuration | … | System | Power Management | Sleep Settings
Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep Settings
Whether to use suspend-then-hibernate. Linux: systemctl mask systemd-suspend-then-hibernate.service.
Linux: systemctl mask
0
Computer Configuration › Administrative Templates › System › Remote Assistance
1 policy
Remote assistance
adm.sys.remote-assistance
Computer
Computer Configuration › Administrative Templates › System › Remote Assistance
Bundled
Configure Offer Remote Assistance
Computer Configuration | … | Administrative Templates | System | Remote Assistance
Computer Configuration|Policies|Administrative Templates|System|Remote Assistance
Whether help-desk operators can take remote screen-share sessions. Linux: vino-server / gnome-remote-desktop / rustdesk-server policy.
Linux: gnome-remote-desktop / rustdesk
0
Computer Configuration › Administrative Templates › System › Removable Storage Access
1 policy
Block all removable storage
adm.sys.removable-storage
Computer
Computer Configuration › Administrative Templates › System › Removable Storage Access
Bundled
All Removable Storage classes: Deny all access
Computer Configuration | … | Administrative Templates | System | Removable Storage Access
Computer Configuration|Policies|Administrative Templates|System|Removable Storage Access
Deny mounting of USB drives, SD cards, etc. Linux: USBGuard (policy-driven device allow-list) + udev rules; udisks2 polkit rule to deny mount for 'no-active-session' or non-admin.
Linux: USBGuard + udev + udisks2 polkit
0
Computer Configuration › Administrative Templates › System › System Restore
1 policy
Disable filesystem snapshotting
adm.sys.system-restore
Computer
Computer Configuration › Administrative Templates › System › System Restore
Bundled
Turn off System Restore
Computer Configuration | … | Administrative Templates | System | System Restore
Computer Configuration|Policies|Administrative Templates|System|System Restore
Whether users may create/restore filesystem snapshots. Linux: snapper / timeshift service state and polkit rule.
Linux: snapper / timeshift
0
Computer Configuration › Administrative Templates › System › Time Service
2 policies
NTP server configuration
adm.sys.time.ntp
Computer
Computer Configuration › Administrative Templates › System › Time Service
Bundled
Configure Windows NTP Client
Computer Configuration | … | System | Windows Time Service | Time Providers
Computer Configuration|Policies|Administrative Templates|System|Windows Time Service|Time Providers
NTP/chrony server list, polling interval, iburst. Linux: chrony.conf (pool / server / minpoll / maxpoll) or systemd-timesyncd.conf.
Linux: chrony.conf / timesyncd.conf
0
Time service (NTP daemon)
adm.win.time-svc
Computer
Computer Configuration › Administrative Templates › System › Time Service
Bundled
Windows Time Service
Computer Configuration | … | Administrative Templates | System | Windows Time Service
Computer Configuration|Policies|Administrative Templates|System|Windows Time Service
Preferred time daemon and synchronisation policy. Linux: chrony on workstations with low-drift requirements, systemd-timesyncd elsewhere.
Linux: chrony / timesyncd
0
Computer Configuration › Administrative Templates › System › TPM
1 policy
TPM services
adm.sys.tpm
Computer
Computer Configuration › Administrative Templates › System › TPM
Bundled
Trusted Platform Module Services
Computer Configuration | … | Administrative Templates | System | Trusted Platform Module Services
Computer Configuration|Policies|Administrative Templates|System|Trusted Platform Module Services
Whether the TPM is exposed to userland and owned. Linux: tpm2-abrmd + /dev/tpmrm0 permissions; owner hierarchy password via tpm2_changeauth.
Linux: tpm2-abrmd / tpm2-tools
0
Computer Configuration › Administrative Templates › System › Logon
1 policy
Wait for network at boot before login
adm.sys.logon.wait-network
Computer
Computer Configuration › Administrative Templates › System › Logon
Bundled
Always wait for the network at computer startup and logon
Computer Configuration | … | Administrative Templates | System | Logon
Computer Configuration|Policies|Administrative Templates|System|Logon
Force the login prompt to wait for network availability (so directory auth can succeed on first login). Linux: systemd-networkd-wait-online / NetworkManager-wait-online enabled; gdm start after network-online.target.
Linux: systemd-networkd-wait-online
0
Computer Configuration › Administrative Templates › System
1 policy
Source for optional-component install
adm.sys.optional-components
Computer
Computer Configuration › Administrative Templates › System
Bundled
Specify settings for optional component installation
Computer Configuration|Policies|Administrative Templates|System
Package source for on-demand feature installs. Linux: apt/dnf repo config + pluris-managed package mirror URL.
Linux: apt / dnf repo config
0
Computer Configuration › Administrative Templates › Network › DNS Client
2 policies
DNS suffix search list
adm.net.dns.search
Computer
Computer Configuration › Administrative Templates › Network › DNS Client
Bundled
DNS Suffix Search List
Computer Configuration | … | Administrative Templates | Network | DNS Client
Computer Configuration|Policies|Administrative Templates|Network|DNS Client
Domains to append when resolving unqualified names. Linux: systemd-resolved Domains= in [Resolve] or per-link DNSConfiguration; NetworkManager dns-search.
Linux: systemd-resolved / NetworkManager
0
Register connection DNS name with directory
adm.net.dns.register
Computer
Computer Configuration › Administrative Templates › Network › DNS Client
Bundled
Register DNS records with connection-specific DNS suffix
Computer Configuration | … | Administrative Templates | Network | DNS Client
Computer Configuration|Policies|Administrative Templates|Network|DNS Client
Whether the machine sends dynamic DNS updates. Linux: sssd+adcli dyndns_update=true (AD-joined) or nsupdate script.
Linux: sssd ad_dyndns / nsupdate
0
Computer Configuration › Administrative Templates › Network › Offline Files
1 policy
Offline files (CIFS caching)
adm.net.offline-files
Computer
Computer Configuration › Administrative Templates › Network › Offline Files
Bundled
Allow or disallow use of the Offline Files feature
Computer Configuration | … | Administrative Templates | Network | Offline Files
Computer Configuration|Policies|Administrative Templates|Network|Offline Files
Whether CIFS/NFS shares are cached for offline use. Linux: autofs + fscache (cachefilesd) for CIFS; cachefilesd for NFS.
Linux: cachefilesd / autofs
0
Computer Configuration › Administrative Templates › Network › Network Connections
1 policy
Prohibit network bridging
adm.net.net-bridge
Computer
Computer Configuration › Administrative Templates › Network › Network Connections
Bundled
Prohibit installation and configuration of Network Bridge
Computer Configuration | … | Administrative Templates | Network | Network Connections
Computer Configuration|Policies|Administrative Templates|Network|Network Connections
Block the creation of Ethernet bridges on client machines (security baseline). Linux: mask systemd-networkd Bridge= units and disallow nmcli connection add type bridge via polkit.
Linux: polkit NetworkManager + kernel module blacklist
0
Computer Configuration › Administrative Templates › Network › SSL Configuration
1 policy
TLS cipher suite order (system-wide)
adm.net.ssl-ciphers
Computer
Computer Configuration › Administrative Templates › Network › SSL Configuration
Bundled
SSL Cipher Suite Order
Computer Configuration | … | Administrative Templates | Network | SSL Configuration Settings
Computer Configuration|Policies|Administrative Templates|Network|SSL Configuration Settings
System-wide preferred TLS ciphers. Linux: update-crypto-policies (DEFAULT, LEGACY, FIPS, FUTURE) or a custom policy under /etc/crypto-policies/back-ends.
Linux: update-crypto-policies
0
Computer Configuration › Administrative Templates › Network › QoS
1 policy
QoS packet scheduler
adm.net.qos
Computer
Computer Configuration › Administrative Templates › Network › QoS
Bundled
QoS Packet Scheduler
Computer Configuration | … | Administrative Templates | Network | QoS Packet Scheduler
Computer Configuration|Policies|Administrative Templates|Network|QoS Packet Scheduler
Reserve bandwidth for classes of traffic. Linux: tc qdisc (fq_codel / htb) configured via /etc/tc-rules or systemd-networkd QoS.
Linux: tc qdisc
0
Computer Configuration › Administrative Templates › Network › Network Provider
1 policy
Hardened UNC / SMB paths
adm.net.unc-hardening
Computer
Computer Configuration › Administrative Templates › Network › Network Provider
Bundled
Hardened UNC Paths
Computer Configuration | … | Administrative Templates | Network | Network Provider
Computer Configuration|Policies|Administrative Templates|Network|Network Provider
Require signing/sealing when talking to specific SMB shares. Linux: CIFS mount options seal, sign, krb5, vers=3.0+.
Linux: cifs mount options
0
Computer Configuration › Administrative Templates › Network
1 policy
System-wide HTTP(S) proxy
adm.net.proxy
Computer
Computer Configuration › Administrative Templates › Network
Bundled
Proxy Settings
Computer Configuration|Policies|Administrative Templates|Network
Outbound proxy for system services and package managers. Linux: /etc/environment (http_proxy/https_proxy), apt.conf Acquire::http::Proxy, dnf.conf proxy=.
Linux: /etc/environment + apt/dnf proxy
0
Computer Configuration › Administrative Templates › Disk Encryption
1 policy
Full-disk encryption policy
adm.win.bitlocker
Computer
Computer Configuration › Administrative Templates › Disk Encryption
Bundled
BitLocker Drive Encryption
Computer Configuration | … | Administrative Templates | Windows Components | BitLocker Drive Encryption
Computer Configuration|Policies|Administrative Templates|Windows Components|BitLocker Drive Encryption
Whether the system disk must be encrypted, and key-escrow target. Linux: LUKS2 with cryptsetup, key escrow to clevis+tang or TPM2 NV.
Linux: LUKS2 + clevis/tang
0
Computer Configuration › Administrative Templates › Updates
3 policies
Automatic updates configuration
adm.win.wu.auto
Computer
Computer Configuration › Administrative Templates › Updates
Bundled
Configure Automatic Updates
Computer Configuration | … | Administrative Templates | Windows Components | Windows Update
Computer Configuration|Policies|Administrative Templates|Windows Components|Windows Update
Whether security updates auto-install, download-only, notify-only, disabled. Linux: unattended-upgrades (Debian/Ubuntu), dnf-automatic (RHEL), or pluris update-cycle attachment.
Linux: unattended-upgrades / dnf-automatic
0
Internal update mirror URL
adm.win.wu.mirror
Computer
Computer Configuration › Administrative Templates › Updates
Bundled
Specify intranet Microsoft update service location
Computer Configuration | … | Administrative Templates | Windows Components | Windows Update
Computer Configuration|Policies|Administrative Templates|Windows Components|Windows Update
Point endpoints at an on-prem package mirror. Linux: apt sources.list.d / dnf repo config / flatpak remote-add.
Linux: apt / dnf / flatpak
0
No auto-restart while users logged on
adm.win.wu.no-restart
Computer
Computer Configuration › Administrative Templates › Updates
Bundled
No auto-restart with logged on users for scheduled automatic updates installations
Computer Configuration | … | Administrative Templates | Windows Components | Windows Update
Computer Configuration|Policies|Administrative Templates|Windows Components|Windows Update
Defer reboot until no one is logged in. Linux: needrestart -r a only when no active session, or pluris update-cycle 'reboot-window' setting.
Linux: needrestart / pluris cycle
0
Computer Configuration › Administrative Templates › Endpoint Protection
2 policies
Antivirus / malware scanner policy
adm.win.defender
Computer
Computer Configuration › Administrative Templates › Endpoint Protection
Bundled
Microsoft Defender Antivirus
Computer Configuration | … | Administrative Templates | Windows Components | Microsoft Defender Antivirus
Computer Configuration|Policies|Administrative Templates|Windows Components|Microsoft Defender Antivirus
AV enabled, signature update schedule, scheduled scan. Linux: ClamAV daemon + freshclam schedule, or third-party EDR (Sophos, CrowdStrike, SentinelOne).
Linux: clamav / EDR agent
0
Exploit mitigation policy
adm.win.exploit-guard
Computer
Computer Configuration › Administrative Templates › Endpoint Protection
Bundled
Microsoft Defender Exploit Guard
Computer Configuration | … | Administrative Templates | Windows Components | Microsoft Defender Exploit Guard
Computer Configuration|Policies|Administrative Templates|Windows Components|Microsoft Defender Exploit Guard
Attack-surface reduction controls. Linux: apparmor/SELinux profiles in enforcing mode, kernel.unprivileged_userns_clone = 0, kptr_restrict, dmesg_restrict, perf_event_paranoid.
Linux: sysctl + AppArmor/SELinux
0
Computer Configuration › Administrative Templates › Browser
1 policy
Browser (Chromium/Edge) managed policy
adm.win.edge-policy
Computer
Computer Configuration › Administrative Templates › Browser
Bundled
Microsoft Edge
Computer Configuration|Policies|Administrative Templates|Microsoft Edge
Managed browser preferences (allowed extensions, homepage, proxy, update channel). Linux: /etc/opt/edge/policies/managed/*.json (Edge), /etc/chromium/policies/managed/*.json, /etc/firefox/policies/policies.json.
Linux: /etc/*/policies/managed/*.json
0
Computer Configuration › Administrative Templates › Remote Desktop
3 policies
Remote desktop max sessions
adm.win.rdp.sessions
Computer
Computer Configuration › Administrative Templates › Remote Desktop
Bundled
Limit number of connections
Computer Configuration | … | Remote Desktop Services | Remote Desktop Session Host | Connections
Computer Configuration|Policies|Administrative Templates|Windows Components|Remote Desktop Services|Remote Desktop Session Host|Connections
Concurrent remote sessions allowed. Linux: sshd MaxSessions / MaxStartups; xrdp max_bpp & session limits.
Linux: sshd_config / xrdp.ini
0
Require TLS for RDP / remote-desktop
adm.win.rdp.tls
Computer
Computer Configuration › Administrative Templates › Remote Desktop
Bundled
Require use of specific security layer for remote (RDP) connections
Computer Configuration | … | Remote Desktop Services | Remote Desktop Session Host | Security
Computer Configuration|Policies|Administrative Templates|Windows Components|Remote Desktop Services|Remote Desktop Session Host|Security
Force TLS wrapper on remote desktop. Linux: xrdp tls_ciphers / ssl_protocols; for VNC switch to x0vncserver with TLS.
Linux: xrdp.ini security_layer=tls
0
Remote desktop idle timeout (seconds)
adm.win.rdp.idle
Computer
Computer Configuration › Administrative Templates › Remote Desktop
Bundled
Set time limit for active but idle Remote Desktop Services sessions
Computer Configuration | … | Remote Desktop Services | Remote Desktop Session Host | Session Time Limits
Computer Configuration|Policies|Administrative Templates|Windows Components|Remote Desktop Services|Remote Desktop Session Host|Session Time Limits
Idle timeout for remote sessions. Linux: sshd ClientAliveInterval + ClientAliveCountMax; xrdp session_timeout.
Linux: sshd ClientAliveInterval / xrdp
0
Computer Configuration › Administrative Templates › Installer
1 policy
Prohibit user-level installs
adm.win.installer.user
Computer
Computer Configuration › Administrative Templates › Installer
Bundled
Prohibit User Installs
Computer Configuration | … | Administrative Templates | Windows Components | Windows Installer
Computer Configuration|Policies|Administrative Templates|Windows Components|Windows Installer
Whether unprivileged users may install software. Linux: polkit rules for apt / flatpak-system-helper / PackageKit.
Linux: polkit PackageKit / flatpak
0
Computer Configuration › Administrative Templates › Smart Card
1 policy
Smart card service enabled
adm.win.smartcard.svc
Computer
Computer Configuration › Administrative Templates › Smart Card
Bundled
Smart Card
Computer Configuration | … | Administrative Templates | Windows Components | Smart Card
Computer Configuration|Policies|Administrative Templates|Windows Components|Smart Card
Whether the smart-card daemon runs. Linux: pcscd.service + pkcs11 module configuration.
Linux: pcscd / pam_pkcs11
0
User Configuration › Administrative Templates › Control Panel
1 policy
Prohibit access to system settings
u.ctrl-panel.block
User
User Configuration › Administrative Templates › Control Panel
Bundled
Prohibit access to Control Panel and PC settings
User Configuration|Policies|Administrative Templates|Control Panel
Block gnome-control-center / KDE System Settings for the user. Linux: dconf lock on /org/gnome/desktop/lockdown/disable-user-switching-and-settings + polkit rule to deny org.freedesktop.* admin actions for standard users.
Linux: dconf lockdown + polkit
0
User Configuration › Administrative Templates › Control Panel › Personalization
2 policies
Prevent changing desktop wallpaper
u.personalization.wallpaper
User
User Configuration › Administrative Templates › Control Panel › Personalization
Bundled
Prevent changing desktop background
User Configuration | … | Administrative Templates | Control Panel | Personalization
User Configuration|Policies|Administrative Templates|Control Panel|Personalization
Lock the wallpaper to the policy-assigned value. Linux: dconf lock /org/gnome/desktop/background/picture-uri.
Linux: dconf lock picture-uri
0
Prevent changing screen-lock settings
u.personalization.screensaver
User
User Configuration › Administrative Templates › Control Panel › Personalization
Bundled
Prevent changing screen saver
User Configuration | … | Administrative Templates | Control Panel | Personalization
User Configuration|Policies|Administrative Templates|Control Panel|Personalization
Lock idle-delay and screensaver settings. Linux: dconf lock /org/gnome/desktop/session/idle-delay and /org/gnome/desktop/screensaver/lock-*.
Linux: dconf lock screensaver
0
User Configuration › Administrative Templates › Control Panel › Display
1 policy
Hide the Display settings tab
u.display.hide-settings-tab
User
User Configuration › Administrative Templates › Control Panel › Display
Bundled
Hide Settings tab
User Configuration | … | Administrative Templates | Control Panel | Display
User Configuration|Policies|Administrative Templates|Control Panel|Display
Hide the Display panel from the Settings app. Linux: gsettings org.gnome.settings-daemon.plugins.xsettings disabled-plugins + gnome-control-center panel hiding via dconf lockdown.
Linux: dconf + panel lockdown
0
User Configuration › Administrative Templates › Control Panel › Regional and Language
1 policy
Restrict selectable UI languages
u.locale.restrict
User
User Configuration › Administrative Templates › Control Panel › Regional and Language
Bundled
Restrict selection of Windows menus and dialogs language
User Configuration | … | Administrative Templates | Control Panel | Regional and Language Options
User Configuration|Policies|Administrative Templates|Control Panel|Regional and Language Options
Limit the set of UI languages the user can switch to. Linux: AccountsService allowed Language + localectl available locales.
Linux: AccountsService + localectl
0
User Configuration › Administrative Templates › Desktop
3 policies
Hide all desktop icons
u.desktop.hide-all
User
User Configuration › Administrative Templates › Desktop
Bundled
Hide and disable all items on the desktop
User Configuration|Policies|Administrative Templates|Desktop
Hide icons on the user's desktop. Linux: dconf lock /org/nautilus/desktop/* (GNOME Classic) or kwriteconfig for KDE.
Linux: dconf / kwriteconfig
0
Hide the Trash icon
u.desktop.hide-trash
User
User Configuration › Administrative Templates › Desktop
Bundled
Remove Recycle Bin icon from desktop
User Configuration|Policies|Administrative Templates|Desktop
Remove the user-visible Trash icon. Linux: dconf lock of the desktop icon extension (GNOME 'Desktop Icons NG').
Linux: dconf lock desktop-icons trash
0
Lock path of user home folders (Documents etc.)
u.desktop.lock-home-path
User
User Configuration › Administrative Templates › Desktop
Bundled
Prohibit user from changing My Documents path
User Configuration|Policies|Administrative Templates|Desktop
Prevent moving XDG user directories. Linux: make ~/.config/user-dirs.conf enabled=false and deploy fixed ~/.config/user-dirs.dirs.
Linux: xdg-user-dirs.conf
0
User Configuration › Administrative Templates › Shell › Panel
2 policies
Lock the taskbar / dash
u.shell.lock-taskbar
User
User Configuration › Administrative Templates › Shell › Panel
Bundled
Lock the Taskbar
User Configuration|Policies|Administrative Templates|Start Menu and Taskbar
Prevent the user from reorganising the dash/taskbar. Linux: dconf lock /org/gnome/shell/favorite-apps and /org/gnome/shell/extensions/dash-to-dock/*.
Linux: dconf lock favorite-apps
0
Hide the notification area / system tray
u.shell.notification-area
User
User Configuration › Administrative Templates › Shell › Panel
Bundled
Hide the notification area
User Configuration|Policies|Administrative Templates|Start Menu and Taskbar
Visibility of system-tray icons. Linux: dconf /org/gnome/shell/extensions/appindicator/enabled; KDE Plasma panel script.
Linux: dconf / plasma panel
0
User Configuration › Administrative Templates › Shell › Launcher
3 policies
Hide the Run / exec dialog
u.shell.hide-run
User
User Configuration › Administrative Templates › Shell › Launcher
Bundled
Remove Run menu from Start Menu
User Configuration|Policies|Administrative Templates|Start Menu and Taskbar
Prevent launching arbitrary commands through a Run dialog. Linux: disable gnome-shell command-prompt extension and restrict Ctrl-Alt-F2 TTY switch via logind.
Linux: gnome-shell lockdown
0
Remove Settings entry from Start Menu
u.shell.remove-settings
User
User Configuration › Administrative Templates › Shell › Launcher
Bundled
Remove Programs on Settings menu
User Configuration|Policies|Administrative Templates|Start Menu and Taskbar
Remove the Settings entry from the user's application grid.
Linux: ~/.local/share/applications override (NoDisplay=true)
0
Application menu overrides
u.shell.menu-overrides
User
User Configuration › Administrative Templates › Shell › Launcher
Bundled
Remove common program groups from Start Menu
User Configuration|Policies|Administrative Templates|Start Menu and Taskbar
Hide or override entries in the application launcher. Linux: drop .desktop files with Hidden=true under /etc/xdg/menus or per-user ~/.local/share/applications.
Linux: .desktop NoDisplay / Hidden
0
User Configuration › Administrative Templates › System
6 policies
Prevent access to the terminal / command shell
u.sys.no-shell
User
User Configuration › Administrative Templates › System
Bundled
Prevent access to the command prompt
User Configuration|Policies|Administrative Templates|System
Hide/disable terminal emulators for kiosk-class users. Linux: chmod 0700 on terminal binaries for the user group is brittle — the supported approach is to AppArmor-deny launching /usr/bin/{bash,gnome-terminal,...} for members of a policy group, plus remove .desktop launchers.
Linux: AppArmor deny + .desktop removal
0
Prevent access to configuration-editor tools
u.sys.no-registry-editor
User
User Configuration › Administrative Templates › System
Bundled
Prevent access to registry editing tools
User Configuration|Policies|Administrative Templates|System
Block launching of dconf-editor / gsettings-editor. Linux: remove .desktop and AppArmor-deny the binaries for the user's group.
Linux: AppArmor deny dconf-editor
0
Run only explicitly allowed applications
u.sys.run-only-allowed
User
User Configuration › Administrative Templates › System
Bundled
Run only specified Windows applications
User Configuration|Policies|Administrative Templates|System
Kiosk allow-list. Linux: per-user AppArmor profile or fapolicyd rule scoped to the user.
Linux: AppArmor user profile / fapolicyd
0
Block specified applications
u.sys.run-deny
User
User Configuration › Administrative Templates › System
Bundled
Don't run specified Windows applications
User Configuration|Policies|Administrative Templates|System
Deny-list for the user. Same mechanism as the allow-list, inverted.
Linux: AppArmor / fapolicyd deny
0
Disable removable-media autoplay
u.sys.autoplay
User
User Configuration › Administrative Templates › System
Bundled
Turn off Autoplay
User Configuration|Policies|Administrative Templates|System
Prevent automatic mount/open of inserted USB drives and optical media. Linux: gsettings org.gnome.desktop.media-handling automount=false automount-open=false, plus udisks2 polkit deny.
Linux: dconf media-handling / udisks2 polkit
0
Custom session shell override
u.sys.custom-shell
User
User Configuration › Administrative Templates › System
Bundled
Custom User Interface
User Configuration|Policies|Administrative Templates|System
Replace the user's desktop shell (for single-app kiosks). Linux: .xsession / AccountsService Session override pointing at a custom GDM session definition.
Linux: .xsession / AccountsService Session
0
User Configuration › Administrative Templates › System › Logon
1 policy
Programs to run at session start
u.sys.autostart
User
User Configuration › Administrative Templates › System › Logon
Bundled
Run these programs at user logon
User Configuration | … | Administrative Templates | System | Logon
User Configuration|Policies|Administrative Templates|System|Logon
Applications launched automatically when the user logs in. Linux: ~/.config/autostart/*.desktop or systemd user unit.
Linux: ~/.config/autostart / systemd --user
0
User Configuration › Administrative Templates › File Manager
2 policies
Disable network-drive mapping UI
u.filemgr.no-net-drive
User
User Configuration › Administrative Templates › File Manager
Bundled
Remove Map Network Drive and Disconnect Network Drive
User Configuration | … | Administrative Templates | Windows Components | File Explorer
User Configuration|Policies|Administrative Templates|Windows Components|File Explorer
Hide UI for user-initiated SMB/NFS mounts. Linux: gsettings org.gnome.nautilus.preferences hide-mount-dialog; gvfs deny mount via polkit.
Linux: dconf nautilus + polkit gvfs
0
Hide specific drives in file manager
u.filemgr.hide-drives
User
User Configuration › Administrative Templates › File Manager
Bundled
Hide these specified drives in My Computer
User Configuration | … | Administrative Templates | Windows Components | File Explorer
User Configuration|Policies|Administrative Templates|Windows Components|File Explorer
Remove specific device paths from the side-bar. Linux: udisks2 polkit rule on specific device paths + gvfs blacklist.
Linux: udisks2 polkit / gvfs blacklist
0
User Configuration › Administrative Templates › Browser
1 policy
Browser managed preferences (user-scope)
u.browser.edge-user
User
User Configuration › Administrative Templates › Browser
Bundled
Microsoft Edge (user)
User Configuration|Policies|Administrative Templates|Microsoft Edge
Per-user browser policy (homepage, allowed extensions, bookmarks). Linux: same JSON policy format as computer scope, but under ~/.config/{BraveSoftware,edge,chromium}/... — effective only if the user owns the directory.
Linux: per-user policies.json
0
User Configuration › Administrative Templates › Installer
1 policy
Disable per-user app installs
u.installer.user
User
User Configuration › Administrative Templates › Installer
Bundled
Windows Installer (user)
User Configuration | … | Administrative Templates | Windows Components | Windows Installer
User Configuration|Policies|Administrative Templates|Windows Components|Windows Installer
Whether the user can install flatpak --user, pip --user, npm -g, cargo install. Linux: chmod/chown ~/.local/bin and mask per-user systemd, plus polkit deny on org.freedesktop.Flatpak.app-install.
Linux: polkit flatpak user-install
0
User Configuration › Scripts (Logon/Logoff)
2 policies
Logon script (runs as user)
u.scripts.logon
User
User Configuration › Scripts (Logon/Logoff)
Bundled
Logon
User Configuration|Policies|Windows Settings|Scripts (Logon/Logoff)
Script executed at session start, running as the user. Linux: systemd user unit (systemd --user) WantedBy=default.target, or /etc/profile.d/ for shell-started sessions.
Linux: systemd --user unit
0
Logoff script (runs as user)
u.scripts.logoff
User
User Configuration › Scripts (Logon/Logoff)
Bundled
Logoff
User Configuration|Policies|Windows Settings|Scripts (Logon/Logoff)
Linux mechanism (hint): systemd --user ExecStop
Script at session end. Linux: systemd user unit with ExecStop=; or gnome-session logout hook.
Linux: systemd --user ExecStop
0
Computer Configuration › Preferences › Registry
1 policy
Registry-style settings (machine)
pref.registry.machine
Computer
Computer Configuration › Preferences › Registry
Bundled
Preferences > Windows Settings > Registry (Computer)
Computer Configuration|Preferences|Windows Settings|Registry
Linux mechanism (hint): sysctl.d / dconf system-db / /etc drop-ins
Arbitrary machine-scope config-key assignments. On Linux the "registry" is split across many backends: sysctl (/etc/sysctl.d), dconf db (for GSettings defaults), and config drop-ins under /etc. Pluris normalises these under one editor that writes to the right backend based on the key prefix.
Linux: sysctl.d / dconf system-db / /etc drop-ins
0
User Configuration › Preferences › Registry
1 policy
Registry-style settings (user)
pref.registry.user
User
User Configuration › Preferences › Registry
Bundled
Preferences > Windows Settings > Registry (User)
User Configuration|Preferences|Windows Settings|Registry
Linux mechanism (hint): dconf user-db / ~/.config
Per-user config-key overrides. Linux: GSettings via dconf (/org/... keys), KDE kconfig, and drop-ins under ~/.config.
Linux: dconf user-db / ~/.config
0
Computer Configuration › Preferences › Files
1 policy
Files to deploy (machine)
pref.files.machine
Computer
Computer Configuration › Preferences › Files
Bundled
Preferences > Windows Settings > Files (Computer)
Computer Configuration|Preferences|Windows Settings|Files
Linux mechanism (hint): systemd-tmpfiles / agent file drop
Ship a file to a path on every target. Linux: systemd-tmpfiles (/etc/tmpfiles.d with C type for copy) or pluris-agent file drop.
Linux: systemd-tmpfiles / agent file drop
0
User Configuration › Preferences › Files
1 policy
Files to deploy (user)
pref.files.user
User
User Configuration › Preferences › Files
Bundled
Preferences > Windows Settings > Files (User)
User Configuration|Preferences|Windows Settings|Files
Linux mechanism (hint): systemd-tmpfiles-user
Ship a file into the user's home. Linux: systemd-tmpfiles-user (~/.config/user-tmpfiles.d) or pluris-agent per-user drop.
Linux: systemd-tmpfiles-user
0
Computer Configuration › Preferences › Folders
1 policy
Folders to create (machine)
pref.folders.machine
Computer
Computer Configuration › Preferences › Folders
Bundled
Preferences > Windows Settings > Folders (Computer)
Computer Configuration|Preferences|Windows Settings|Folders
Linux mechanism (hint): systemd-tmpfiles d
Ensure a directory exists with given owner/mode. Linux: systemd-tmpfiles 'd' type entries.
Linux: systemd-tmpfiles d
0
Computer Configuration › Preferences › Shortcuts
1 policy
Shortcuts / launchers (machine)
pref.shortcuts.machine
Computer
Computer Configuration › Preferences › Shortcuts
Bundled
Preferences > Windows Settings > Shortcuts (Computer)
Computer Configuration|Preferences|Windows Settings|Shortcuts
Linux mechanism (hint): /usr/local/share/applications .desktop
Desktop launchers deployed system-wide. Linux: .desktop files under /usr/local/share/applications.
Linux: /usr/local/share/applications .desktop
0
User Configuration › Preferences › Shortcuts
1 policy
Shortcuts / launchers (user)
pref.shortcuts.user
User
User Configuration › Preferences › Shortcuts
Bundled
Preferences > Windows Settings > Shortcuts (User)
User Configuration|Preferences|Windows Settings|Shortcuts
Linux mechanism (hint): ~/.local/share/applications
Per-user launchers. Linux: ~/.local/share/applications/*.desktop.
Linux: ~/.local/share/applications
0
User Configuration › Preferences › Drive Maps
1 policy
Drive / share maps (user)
pref.drive-maps.user
User
User Configuration › Preferences › Drive Maps
Bundled
Preferences > Windows Settings > Drive Maps (User)
User Configuration|Preferences|Windows Settings|Drive Maps
Linux mechanism (hint): autofs / pam_mount
Auto-mount network shares at logon. Linux: autofs with Kerberos credentials, or gio mount via pam_mount.
Linux: autofs / pam_mount
0
Computer Configuration › Preferences › Environment
1 policy
Environment variables (machine)
pref.env.machine
Computer
Computer Configuration › Preferences › Environment
Bundled
Preferences > Windows Settings > Environment (Computer)
Computer Configuration|Preferences|Windows Settings|Environment
Linux mechanism (hint): /etc/environment / /etc/profile.d
Machine-wide environment variables. Linux: /etc/environment plus /etc/profile.d for shell-only vars.
Linux: /etc/environment / /etc/profile.d
0
User Configuration › Preferences › Environment
1 policy
Environment variables (user)
pref.env.user
User
User Configuration › Preferences › Environment
Bundled
Preferences > Windows Settings > Environment (User)
User Configuration|Preferences|Windows Settings|Environment
Linux mechanism (hint): ~/.config/environment.d
Per-user environment variables. Linux: ~/.config/environment.d/*.conf (systemd user), ~/.profile (login shells).
Linux: ~/.config/environment.d
0
Computer Configuration › Preferences › Scheduled Tasks
1 policy
Scheduled tasks (machine)
pref.tasks.machine
Computer
Computer Configuration › Preferences › Scheduled Tasks
Bundled
Preferences > Control Panel Settings > Scheduled Tasks (Computer)
Computer Configuration|Preferences|Control Panel Settings|Scheduled Tasks
Linux mechanism (hint): systemd .timer / cron.d
Recurring jobs that run as root. Linux: systemd timer units or /etc/cron.d drop-in.
Linux: systemd .timer / cron.d
0
User Configuration › Preferences › Scheduled Tasks
1 policy
Scheduled tasks (user)
pref.tasks.user
User
User Configuration › Preferences › Scheduled Tasks
Bundled
Preferences > Control Panel Settings > Scheduled Tasks (User)
User Configuration|Preferences|Control Panel Settings|Scheduled Tasks
Linux mechanism (hint): systemd --user .timer / crontab
Recurring jobs under the user's session. Linux: systemd --user timer or crontab -e.
Linux: systemd --user .timer / crontab
0
Computer Configuration › Preferences › Printers
1 policy
Printers to deploy
pref.printers.machine
Both
Computer Configuration › Preferences › Printers
Bundled
Preferences > Control Panel Settings > Printers
Computer Configuration|Preferences|Control Panel Settings|Printers
Linux mechanism (hint): CUPS lpadmin
Printers provisioned on the endpoint. Linux: CUPS lpadmin + /etc/cups/printers.conf; per-user overrides via ~/.cups/lpoptions.
Linux: CUPS lpadmin
0
Computer Configuration › Preferences › Power Options
1 policy
Power options preset
pref.power
Computer
Computer Configuration › Preferences › Power Options
Bundled
Preferences > Control Panel Settings > Power Options
Computer Configuration|Preferences|Control Panel Settings|Power Options
Linux mechanism (hint): tlp / power-profiles-daemon
Shortcut preference that writes a TLP / power-profiles-daemon profile with lid/button/timeout values in one go.
Linux: tlp / power-profiles-daemon
0
Custom (Acme) › Remote Access › SSH
1 policy
Corporate SSH login banner
tenant.acme.ssh.banner
Computer
Custom (Acme) › Remote Access › SSH
Custom (acme)
— (custom)
Linux mechanism (hint): /etc/issue.net via tenant module
Drops a corporate banner into /etc/issue.net so every SSH login displays the configured legal text. Linked to module tenant.acme.security-banner.
Linux: /etc/issue.net via tenant module
1
0.4.0
published
alice.chen@acme.local
tenant:acme:key:1

Identity

Display name
Catalog URN
Category
Windows GP equivalent
Windows GP path
Linux mechanism (hint)

Description

Modular shape: Candidate Policy Modules that satisfy this policy. The Configuration Group binding picks one; the agent applies it via apply / disable / uninstall (INV-M5). All shipped here for inspection.

No candidate modules in the catalog yet.
Custom Policy Wizard · ADR-007

New custom policy

Steps: 1 · Identify; 2 · Module; 3 · Sandbox; 4 · Scripts; 5 · Sign & publish

A custom policy is a tenant-private catalog entry. It will appear inline in the Policy Catalog with a Custom chip. Once published, it can be referenced from any Configuration Group like a bundled policy.

Final URN: tenant.<tenant>.…

Slash-separated; appears in the catalog tree.

Single Source of Truth UI (INV-U)
Every entry point that shows this concept mounts the same canonical editor with at most a context filter applied. See docs/UX_INVARIANTS.md §VII Concept Registry.