Parameter

Description

OptIn

This setting is the default configuration. On systems with processors that can implement hardware-enforced data execution prevention (DEP), DEP is enabled by default for limited system binaries and programs that opt in. With this option, only Windows system binaries are covered by DEP by default.

OptOut

DEP is enabled by default for all processes. You can manually create a list of specific programs that don't have DEP applied by using the System Control Panel applet. You can use the Microsoft Windows Application Compatibility Toolkit to opt out one or more programs from DEP protection. System-compatibility fixes for DEP do take effect.

AlwaysOn

This setting provides full DEP coverage for the entire system. All processes always run with DEP applied. No exceptions are possible. System-compatibility fixes for DEP don't take effect. Programs that have been opted out by using the Windows Application Compatibility Toolkit still run with DEP applied.

AlwaysOff

This setting doesn't provide any DEP coverage for any part of the system, regardless of hardware DEP support. The processor doesn't run in Physical Address Extension (PAE) mode unless the /PAE option is present in the boot.ini file.