
Appendix A: Sample GPO Template Files for Settings Used in this Guide

You can import an XML file containing customized registry preferences into a Group Policy object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC).

Creating registry setting preferences as described here is part of Group Policy Preferences, introduced with Windows Server 2008; the Preferences node is available in GPMC on Windows Server 2008 and on Windows Vista with Service Pack 1 (SP1) through the Remote Server Administration Tools. Target computers apply these items only if the Group Policy Preferences client-side extensions are installed, which Windows XP, Windows Server 2003 and Windows Vista receive as a separate update (Windows Server 2008 includes them).

To manually create the file, build the settings under Computer Configuration, Preferences, Windows Settings, Registry. After you have created the settings, drag the container to the desktop. An .xml file is created there.

To import an .xml file into GPMC, drag it and drop it on the Registry node under Computer Configuration, Preferences, Windows Settings. If you copy the following sample XML code to a file, and then drag and drop it on the Registry node, it creates a Server and Domain Isolation Settings collection containing the six registry values discussed in this guide, delivered as seven preference items because the same value has a different registry path, or a different recommended setting, on different versions of Windows.

The following sample file uses item-level targeting to ensure that the registry values are applied only on the versions of Windows to which they apply. Each item carries one or more FilterOs targeting entries: not="1" excludes the named version, and bool="OR" starts a new alternative, so an item with two not="1" entries joined by AND applies to every version except the two named, while an item with two not="0" entries joined by OR applies only to those two.

Note

The file shown here is for sample use only. It should be customized to meet the requirements of your organization's deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customizations.

<?xml version="1.0" encoding="utf-8"?>
<Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Server and Domain Isolation Settings">
  <Registry
    clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
    name="Enable IPsec over NAT (W2K, XP, W2K3)"
    status="AssumeUDPEncapsulationContextOnSendRule"
    image="12"
    changed="2008-05-30 20:37:31"
    uid="{49FD6551-80DA-4876-9335-623F2575E27B}"
    desc="&lt;b&gt;Enable IPsec over NAT-T&lt;/b&gt;&lt;p&gt;
    This setting configures whether computers running Windows 2003 and Windows XP can make IPsec connections to servers behind NAT-enabled routers.&lt;p&gt;
    &lt;b&gt;0&lt;/b&gt;: (default) No IPsec SAs to servers behind NAT&lt;br&gt;
    &lt;b&gt;1&lt;/b&gt;: IPsec SAs can be made to servers behind NAT&lt;br&gt;
    &lt;b&gt;2&lt;/b&gt;: IPsec SAs can be made when both server and client are behind NAT"
    bypassErrors="1">
    <Properties action="U"
      displayDecimal="1"
      default="0"
      hive="HKEY_LOCAL_MACHINE"
      key="System\CurrentControlSet\Services\IPsec"
      name="AssumeUDPEncapsulationContextOnSendRule"
      type="REG_DWORD"
      value="00000000"/>
    <Filters>
      <FilterOs bool="AND" not="1" class="NT" version="VISTA" type="NE" edition="NE" sp="NE"/>
      <FilterOs bool="AND" not="1" class="NT" version="2K8" type="NE" edition="NE" sp="NE"/>
    </Filters>
  </Registry>
  <Registry
    clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
    name="Enable PMTU Discovery"
    status="EnablePMTUDiscovery"
    image="12"
    uid="{52C38FD7-A081-404C-A8EA-B24A9614D0B5}"
    desc="&lt;b&gt;Enable PMTU Discovery&lt;/b&gt;&lt;p&gt;
    This setting configures whether computers can use PMTU discovery on the network.&lt;p&gt;
    &lt;b&gt;1&lt;/b&gt; -- Enable&lt;br&gt;
    &lt;b&gt;0&lt;/b&gt; -- Disable"
    bypassErrors="1">
    <Properties action="U"
      displayDecimal="1"
      default="0"
      hive="HKEY_LOCAL_MACHINE"
      key="System\CurrentControlSet\Services\TCPIP\Parameters"
      name="EnablePMTUDiscovery"
      type="REG_DWORD"
      value="00000001"/>
  </Registry>
  <Registry
    clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
    name="Simplified IPsec Policy (W2K, XP, W2K3)"
    status="IKEFlags"
    image="12"
    changed="2008-05-30 20:43:31"
    uid="{B9A34EFB-CDF7-4603-BBED-6BB85080C96F}"
    desc="&lt;b&gt;Simplified IPsec Policy&lt;/b&gt;&lt;p&gt;
    This setting configures two aspects of IPsec fallback-to-clear in Windows 2003, Windows XP, and Windows 2000.&lt;p&gt;
    &lt;b&gt;0x00&lt;/b&gt;: Original 3 second fallback-to-clear&lt;br&gt;
    &lt;b&gt;0x04&lt;/b&gt;: Enables 500ms fallback-to-clear&lt;br&gt;
    &lt;b&gt;0x10&lt;/b&gt;: Improve fallback-to-clear in S&amp;amp;D Iso&lt;br&gt;
    &lt;b&gt;0x14&lt;/b&gt;: Both 0x4 and 0x10 settings enabled (recommended)"
    bypassErrors="1">
    <Properties action="U"
      displayDecimal="0"
      default="0"
      hive="HKEY_LOCAL_MACHINE"
      key="System\CurrentControlSet\Services\PolicyAgent\Oakley"
      name="IKEFlags"
      type="REG_DWORD"
      value="00000014"/>
    <Filters>
      <FilterOs bool="AND" not="1" class="NT" version="VISTA" type="NE" edition="NE" sp="NE"/>
      <FilterOs bool="AND" not="1" class="NT" version="2K8" type="NE" edition="NE" sp="NE"/>
    </Filters>
  </Registry>
  <Registry
    clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
    name="IPsec Default Exemptions (W2K and XP)"
    status="NoDefaultExempt"
    image="12"
    changed="2008-05-30 20:35:43"
    uid="{60F64C68-EF12-4FAC-ACC9-00B4F21724FA}"
    desc="&lt;b&gt;IPsec Default Exemptions for Windows 2000 SP4 and Windows XP SP2&lt;/b&gt;&lt;p&gt;
    This setting determines which network traffic type is exempt from any IPsec authentication requirements.&lt;p&gt;
    &lt;b&gt;0&lt;/b&gt;: Exempts multicast, broadcast, RSVP, Kerberos, ISAKMP&lt;br&gt;
    &lt;b&gt;1&lt;/b&gt;: Exempts multicast, broadcast, ISAKMP"
    bypassErrors="1">
    <Properties action="U"
      displayDecimal="1"
      default="0"
      hive="HKEY_LOCAL_MACHINE"
      key="SYSTEM\CurrentControlSet\Services\IPsec"
      name="NoDefaultExempt"
      type="REG_DWORD"
      value="00000001"/>
    <Filters>
      <FilterOs bool="AND" not="1" class="NT" version="VISTA" type="NE" edition="NE" sp="NE"/>
      <FilterOs bool="AND" not="1" class="NT" version="2K8" type="NE" edition="NE" sp="NE"/>
      <FilterOs bool="AND" not="1" class="NT" version="2K3R2" type="NE" edition="NE" sp="NE"/>
      <FilterOs bool="AND" not="1" class="NT" version="2K3" type="NE" edition="NE" sp="NE"/>
    </Filters>
  </Registry>
  <Registry
    clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
    name="IPsec Default Exemptions (W2K3)"
    status="NoDefaultExempt"
    image="12"
    changed="2008-05-30 20:34:03"
    uid="{7023764D-5E8A-4E16-BEA3-EA0743024EFA}"
    desc="&lt;b&gt;IPsec Default Exemptions for Windows Server 2003&lt;/b&gt;&lt;p&gt;
    This setting determines which network traffic type is exempt from any IPsec authentication requirements.&lt;p&gt;
    &lt;b&gt;0&lt;/b&gt;: Exempts multicast, broadcast, RSVP, Kerberos, ISAKMP&lt;br&gt;
    &lt;b&gt;1&lt;/b&gt;: Exempts multicast, broadcast, ISAKMP&lt;br&gt;
    &lt;b&gt;2&lt;/b&gt;: Exempts RSVP, Kerberos, ISAKMP&lt;br&gt;
    &lt;b&gt;3&lt;/b&gt;: Exempts ISAKMP only"
    bypassErrors="1">
    <Properties action="U"
      displayDecimal="1"
      default="0"
      hive="HKEY_LOCAL_MACHINE"
      key="SYSTEM\CurrentControlSet\Services\IPsec"
      name="NoDefaultExempt"
      type="REG_DWORD"
      value="00000003"/>
    <Filters>
      <FilterOs bool="AND" not="0" class="NT" version="2K3" type="NE" edition="NE" sp="NE"/>
      <FilterOs bool="OR" not="0" class="NT" version="2K3R2" type="NE" edition="NE" sp="NE"/>
    </Filters>
  </Registry>
  <Registry
    clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
    name="IPsec Default Exemptions (Vista and W2K8)"
    status="NoDefaultExempt"
    image="12"
    changed="2008-05-30 20:33:32"
    uid="{AE5C505D-283E-4060-9A55-70659DFD56B6}"
    desc="&lt;b&gt;IPsec Default Exemptions for Windows Server 2008 and later&lt;/b&gt;&lt;p&gt;
    This setting determines which network traffic type is exempt from any IPsec authentication requirements.&lt;p&gt;
    &lt;b&gt;0&lt;/b&gt;: Exempts multicast, broadcast, RSVP, Kerberos, ISAKMP&lt;br&gt;
    &lt;b&gt;1&lt;/b&gt;: Exempts multicast, broadcast, ISAKMP&lt;br&gt;
    &lt;b&gt;2&lt;/b&gt;: Exempts RSVP, Kerberos, ISAKMP&lt;br&gt;
    &lt;b&gt;3&lt;/b&gt;: Exempts ISAKMP only"
    bypassErrors="1">
    <Properties action="U"
      displayDecimal="1"
      default="0"
      hive="HKEY_LOCAL_MACHINE"
      key="System\CurrentControlSet\Services\PolicyAgent"
      name="NoDefaultExempt"
      type="REG_DWORD"
      value="00000003"/>
    <Filters>
      <FilterOs bool="AND" not="0" class="NT" version="VISTA" type="NE" edition="NE" sp="NE"/>
      <FilterOs bool="OR" not="0" class="NT" version="2K8" type="NE" edition="NE" sp="NE"/>
    </Filters>
  </Registry>
  <Registry
    clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
    name="Enable IPsec over NAT (Vista and W2K8)"
    status="AssumeUDPEncapsulationContextOnSendRule"
    image="12"
    changed="2008-05-30 20:32:56"
    uid="{61C18AA8-F78E-453B-809A-98354D407035}"
    desc="&lt;b&gt;Enable IPsec over NAT-T&lt;/b&gt;&lt;p&gt;
    This setting configures whether computers running Windows Vista and Windows Server 2008 can make IPsec connections to servers behind NAT-enabled routers.&lt;p&gt;
    &lt;b&gt;0&lt;/b&gt;: (default) No IPsec SAs to servers behind NAT&lt;br&gt;
    &lt;b&gt;1&lt;/b&gt;: IPsec SAs can be made to servers behind NAT&lt;br&gt;
    &lt;b&gt;2&lt;/b&gt;: IPsec SAs can be made when both server and client are behind NAT"
    bypassErrors="1">
    <Properties action="U"
      displayDecimal="1"
      default="0"
      hive="HKEY_LOCAL_MACHINE"
      key="System\CurrentControlSet\Services\PolicyAgent"
      name="AssumeUDPEncapsulationContextOnSendRule"
      type="REG_DWORD"
      value="00000000"/>
    <Filters>
      <FilterOs bool="AND" not="0" class="NT" version="VISTA" type="NE" edition="NE" sp="NE"/>
      <FilterOs bool="OR" not="0" class="NT" version="2K8" type="NE" edition="NE" sp="NE"/>
    </Filters>
  </Registry>
</Collection>
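Once a collection like this has been linked and Group Policy has refreshed, the question a practitioner wants answered is whether the values actually landed, and only on the versions of Windows they were targeted at. The PowerShell script below is an added example, not part of this guide or of the GPMC tooling: it reads a well-formed exported Registry.xml, evaluates each item's FilterOs targeting against the local computer, reads the expected value from the registry and reports ok, DRIFT, MISSING or not targeted per item. It assumes a hypothetical file path (C:\Temp\Registry.xml, overridable with -Path), a mapping from the FilterOs version tokens used in the sample to Windows version numbers that is mine rather than the preferences engine's, and that AND-joined targeting items are grouped before OR is applied; for the sample file both readings give the same result.

```powershell
# Added example, not from the guide: audit a computer against a Group Policy
# Preferences registry collection such as the one in this appendix.
# Assumptions: the exported file is at C:\Temp\Registry.xml (override with
# -Path); the FilterOs token map below is mine and covers only the tokens the
# sample uses; AND-joined targeting items are grouped before OR is applied.
param([string]$Path = 'C:\Temp\Registry.xml')

$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$osVer    = [version]$os.Version           # e.g. 6.0.6003
$isServer = $os.ProductType -ne 1          # 1 = workstation, 2 = DC, 3 = member server

# FilterOs version token -> (major.minor, server SKU?). $null = either SKU.
$osTokens = @{
    '2K'    = @{ Ver = [version]'5.0'; Server = $null  }
    'XP'    = @{ Ver = [version]'5.1'; Server = $false }
    '2K3'   = @{ Ver = [version]'5.2'; Server = $true  }
    '2K3R2' = @{ Ver = [version]'5.2'; Server = $true  }
    'VISTA' = @{ Ver = [version]'6.0'; Server = $false }
    '2K8'   = @{ Ver = [version]'6.0'; Server = $true  }
}

function Test-FilterOs([System.Xml.XmlElement]$f) {
    $token = $f.GetAttribute('version')
    if (-not $osTokens.ContainsKey($token)) { throw "Unmapped FilterOs version '$token'" }
    $t   = $osTokens[$token]
    $hit = $osVer.Major -eq $t.Ver.Major -and $osVer.Minor -eq $t.Ver.Minor -and
           ($null -eq $t.Server -or $t.Server -eq $isServer)
    # not="1" inverts the item: "the OS is NOT <version>".
    if ($f.GetAttribute('not') -eq '1') { return -not $hit }
    return $hit
}

function Test-Targeting([System.Xml.XmlElement]$entry) {
    $filters = @($entry.Filters.FilterOs | Where-Object { $_ })
    if ($filters.Count -eq 0) { return $true }   # no targeting: applies everywhere
    # Split the list into OR-separated groups of AND-joined items;
    # the bool attribute of the first item is ignored, as in GPP.
    $groups = @(); $group = @()
    foreach ($f in $filters) {
        if ($group.Count -gt 0 -and $f.GetAttribute('bool') -eq 'OR') {
            $groups += ,$group; $group = @()
        }
        $group += [bool](Test-FilterOs $f)
    }
    $groups += ,$group
    foreach ($g in $groups) { if ($g -notcontains $false) { return $true } }
    return $false
}

function Get-ExpectedValue([System.Xml.XmlElement]$p) {
    $raw = $p.GetAttribute('value')
    # GPP stores REG_DWORD values as 8 hex digits regardless of displayDecimal.
    if ($p.GetAttribute('type') -eq 'REG_DWORD') { return [uint32]"0x$raw" }
    return $raw
}

[xml]$gpp = Get-Content -LiteralPath $Path -Raw
$report = foreach ($entry in @($gpp.Collection.Registry)) {
    $p        = $entry.Properties
    $regKey   = 'Registry::{0}\{1}' -f $p.GetAttribute('hive'), $p.GetAttribute('key')
    $valName  = $p.GetAttribute('name')
    $expected = Get-ExpectedValue $p
    $actual   = (Get-ItemProperty -LiteralPath $regKey -Name $valName -ErrorAction SilentlyContinue).$valName
    # REG_DWORD comes back as Int32; normalise so 0xFFFFFFFF-style values compare correctly.
    if ($actual -is [int]) { $actual = [uint32]([int64]$actual -band 0xFFFFFFFF) }
    $state = if (-not (Test-Targeting $entry)) { 'not targeted' }
             elseif ($null -eq $actual)        { 'MISSING' }
             elseif ($actual -eq $expected)    { 'ok' }
             else                              { 'DRIFT' }
    [pscustomobject]@{
        Item     = $entry.GetAttribute('name')
        Path     = "$regKey\$valName"
        Expected = $expected
        Actual   = $actual
        State    = $state
    }
}
$report | Format-Table -AutoSize
# Non-zero exit so the script can gate a deployment pipeline or a scheduled check.
if ($report.State -contains 'MISSING' -or $report.State -contains 'DRIFT') { exit 1 }
```

Run it on a test client and on a test server after gpupdate /force: items whose targeting excludes the local version show as not targeted, which is the expected state for the per-version duplicates (for example, the W2K3 NoDefaultExempt item on a Windows Server 2008 computer). A DRIFT on a targeted item usually means a later GPO or a local change overwrote the value; a MISSING usually means the client-side extensions are not installed or the GPO is not linked to the computer's OU. On Windows PowerShell 2.0 replace Get-CimInstance with Get-WmiObject -Class Win32_OperatingSystem; the rest of the script is unchanged.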