|
|
|
|
@ -201,13 +201,15 @@ manager: dansimp
|
|
|
|
|
<!--Description-->
|
|
|
|
|
This policy setting prevents users from adding new Microsoft accounts on this computer.
|
|
|
|
|
|
|
|
|
|
If you select the "Users cannot add Microsoft accounts" option, users won't be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This option is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
|
|
|
|
|
If you select the "Users cannot add Microsoft accounts" option, users won't be able to create new Microsoft accounts on this computer. Switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This option is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
|
|
|
|
|
|
|
|
|
|
If you select the "Users cannot add or log on with Microsoft accounts" option, existing Microsoft account users won't be able to sign in to Windows. Selecting this option might make it impossible for an existing administrator on this computer to sign in and manage the system.
|
|
|
|
|
|
|
|
|
|
If you disable or don't configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
|
|
|
|
|
|
|
|
|
|
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is integer.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -255,7 +257,9 @@ The following list shows the supported values:
|
|
|
|
|
<!--Description-->
|
|
|
|
|
This setting allows the administrator to enable the local Administrator account.
|
|
|
|
|
|
|
|
|
|
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is integer.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -302,7 +306,9 @@ The following list shows the supported values:
|
|
|
|
|
<!--Description-->
|
|
|
|
|
This setting allows the administrator to enable the guest Administrator account.
|
|
|
|
|
|
|
|
|
|
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is integer.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -352,16 +358,19 @@ Accounts: Limit local account use of blank passwords to console logon only
|
|
|
|
|
|
|
|
|
|
This security setting determines whether local accounts that aren't password protected can be used to sign in from locations other than the physical computer console. If enabled, local accounts that aren't password protected will only be able to sign in at the computer's keyboard.
|
|
|
|
|
|
|
|
|
|
Default: Enabled.
|
|
|
|
|
Default: Enabled
|
|
|
|
|
|
|
|
|
|
> [!WARNING]
|
|
|
|
|
> Computers that aren't in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can sign in by using a user account that doesn't have a password. This is especially important for portable computers.
|
|
|
|
|
If you apply this security policy to the Everyone group, no one will be able to sign in through Remote Desktop Services.
|
|
|
|
|
>
|
|
|
|
|
> If you apply this security policy to the Everyone group, no one will be able to sign in through Remote Desktop Services.
|
|
|
|
|
|
|
|
|
|
This setting doesn't affect sign ins that use domain accounts.
|
|
|
|
|
It's possible for applications that use remote interactive sign ins to bypass this setting.
|
|
|
|
|
This setting doesn't affect sign in that use domain accounts.
|
|
|
|
|
It's possible for applications that use remote interactive sign in to bypass this setting.
|
|
|
|
|
|
|
|
|
|
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is integer.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -372,8 +381,8 @@ GP Info:
|
|
|
|
|
<!--/RegistryMapped-->
|
|
|
|
|
<!--SupportedValues-->
|
|
|
|
|
Valid values:
|
|
|
|
|
- 0 - disabled - local accounts that aren't password protected can be used to sign in from locations other than the physical computer console
|
|
|
|
|
- 1 - enabled - local accounts that aren't password protected will only be able to sign in at the computer's keyboard
|
|
|
|
|
- 0 - disabled - local accounts that aren't password protected can be used to sign in from locations other than the physical computer console.
|
|
|
|
|
- 1 - enabled - local accounts that aren't password protected will only be able to sign in at the computer's keyboard.
|
|
|
|
|
|
|
|
|
|
<!--/SupportedValues-->
|
|
|
|
|
<!--/Policy-->
|
|
|
|
|
@ -410,9 +419,11 @@ Accounts: Rename administrator account
|
|
|
|
|
|
|
|
|
|
This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination.
|
|
|
|
|
|
|
|
|
|
Default: Administrator.
|
|
|
|
|
Default: Administrator
|
|
|
|
|
|
|
|
|
|
Value type is string. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is string.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--DbMapped-->
|
|
|
|
|
@ -455,9 +466,11 @@ Accounts: Rename guest account
|
|
|
|
|
|
|
|
|
|
This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination.
|
|
|
|
|
|
|
|
|
|
Default: Guest.
|
|
|
|
|
Default: Guest
|
|
|
|
|
|
|
|
|
|
Value type is string. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is string.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--DbMapped-->
|
|
|
|
|
@ -496,10 +509,11 @@ GP Info:
|
|
|
|
|
|
|
|
|
|
<!--/Scope-->
|
|
|
|
|
<!--Description-->
|
|
|
|
|
Devices: Allow undock without having to sign in.
|
|
|
|
|
Devices: Allow undock without having to sign in
|
|
|
|
|
|
|
|
|
|
This security setting determines whether a portable computer can be undocked without having to sign in. If this policy is enabled, sign in isn't required and an external hardware eject button can be used to undock the computer. If disabled, a user must sign in and have the Remove computer from docking station privilege to undock the computer.
|
|
|
|
|
Default: Enabled.
|
|
|
|
|
|
|
|
|
|
Default: Enabled
|
|
|
|
|
|
|
|
|
|
> [!CAUTION]
|
|
|
|
|
> Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable.
|
|
|
|
|
@ -545,8 +559,8 @@ Devices: Allowed to format and eject removable media
|
|
|
|
|
|
|
|
|
|
This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to:
|
|
|
|
|
|
|
|
|
|
- Administrators
|
|
|
|
|
- Administrators and Interactive Users
|
|
|
|
|
- Administrators.
|
|
|
|
|
- Administrators and Interactive Users.
|
|
|
|
|
|
|
|
|
|
Default: This policy isn't defined, and only Administrators have this ability.
|
|
|
|
|
|
|
|
|
|
@ -591,7 +605,7 @@ Devices: Prevent users from installing printer drivers when connecting to shared
|
|
|
|
|
|
|
|
|
|
For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer.
|
|
|
|
|
|
|
|
|
|
Default on servers: Enabled.
|
|
|
|
|
Default on servers: Enabled
|
|
|
|
|
Default on workstations: Disabled
|
|
|
|
|
|
|
|
|
|
>[!NOTE]
|
|
|
|
|
@ -681,8 +695,9 @@ GP Info:
|
|
|
|
|
<!--Description-->
|
|
|
|
|
Interactive Logon: Display user information when the session is locked
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is integer.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -693,9 +708,9 @@ GP Info:
|
|
|
|
|
<!--/RegistryMapped-->
|
|
|
|
|
<!--SupportedValues-->
|
|
|
|
|
Valid values:
|
|
|
|
|
- 1 - User display name, domain and user names
|
|
|
|
|
- 2 - User display name only
|
|
|
|
|
- 3 - Don't display user information
|
|
|
|
|
- 1 - User display name, domain and user names.
|
|
|
|
|
- 2 - User display name only.
|
|
|
|
|
- 3 - Don't display user information.
|
|
|
|
|
|
|
|
|
|
<!--/SupportedValues-->
|
|
|
|
|
<!--/Policy-->
|
|
|
|
|
@ -731,13 +746,16 @@ Valid values:
|
|
|
|
|
Interactive logon: Don't display last signed-in
|
|
|
|
|
|
|
|
|
|
This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC.
|
|
|
|
|
|
|
|
|
|
If this policy is enabled, the username won't be shown.
|
|
|
|
|
|
|
|
|
|
If this policy is disabled, the username will be shown.
|
|
|
|
|
|
|
|
|
|
Default: Disabled.
|
|
|
|
|
Default: Disabled
|
|
|
|
|
|
|
|
|
|
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is integer.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -748,8 +766,8 @@ GP Info:
|
|
|
|
|
<!--/RegistryMapped-->
|
|
|
|
|
<!--SupportedValues-->
|
|
|
|
|
Valid values:
|
|
|
|
|
- 0 - disabled (username will be shown)
|
|
|
|
|
- 1 - enabled (username won't be shown)
|
|
|
|
|
- 0 - disabled (username will be shown).
|
|
|
|
|
- 1 - enabled (username won't be shown).
|
|
|
|
|
|
|
|
|
|
<!--/SupportedValues-->
|
|
|
|
|
<!--/Policy-->
|
|
|
|
|
@ -790,9 +808,11 @@ If this policy is enabled, the username won't be shown.
|
|
|
|
|
|
|
|
|
|
If this policy is disabled, the username will be shown.
|
|
|
|
|
|
|
|
|
|
Default: Disabled.
|
|
|
|
|
Default: Disabled
|
|
|
|
|
|
|
|
|
|
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is integer.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -803,8 +823,8 @@ GP Info:
|
|
|
|
|
<!--/RegistryMapped-->
|
|
|
|
|
<!--SupportedValues-->
|
|
|
|
|
Valid values:
|
|
|
|
|
- 0 - disabled (username will be shown)
|
|
|
|
|
- 1 - enabled (username won't be shown)
|
|
|
|
|
- 0 - disabled (username will be shown).
|
|
|
|
|
- 1 - enabled (username won't be shown).
|
|
|
|
|
|
|
|
|
|
<!--/SupportedValues-->
|
|
|
|
|
<!--/Policy-->
|
|
|
|
|
@ -845,10 +865,12 @@ If this policy is enabled on a computer, a user isn't required to press CTRL+ALT
|
|
|
|
|
|
|
|
|
|
If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows.
|
|
|
|
|
|
|
|
|
|
Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier.
|
|
|
|
|
Default on stand-alone computers: Enabled.
|
|
|
|
|
Default on domain-computers: Enabled: At least Windows 8 / Disabled: Windows 7 or earlier.
|
|
|
|
|
Default on stand-alone computers: Enabled
|
|
|
|
|
|
|
|
|
|
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is integer.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -859,8 +881,8 @@ GP Info:
|
|
|
|
|
<!--/RegistryMapped-->
|
|
|
|
|
<!--SupportedValues-->
|
|
|
|
|
Valid values:
|
|
|
|
|
- 0 - disabled
|
|
|
|
|
- 1 - enabled (a user isn't required to press CTRL+ALT+DEL to sign in)
|
|
|
|
|
- 0 - disabled.
|
|
|
|
|
- 1 - enabled (a user isn't required to press CTRL+ALT+DEL to sign in).
|
|
|
|
|
|
|
|
|
|
<!--/SupportedValues-->
|
|
|
|
|
<!--/Policy-->
|
|
|
|
|
@ -893,13 +915,15 @@ Valid values:
|
|
|
|
|
|
|
|
|
|
<!--/Scope-->
|
|
|
|
|
<!--Description-->
|
|
|
|
|
Interactive logon: Machine inactivity limit.
|
|
|
|
|
Interactive logon: Machine inactivity limit
|
|
|
|
|
|
|
|
|
|
Windows notices inactivity of a sign-in session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
|
|
|
|
|
|
|
|
|
|
Default: not enforced.
|
|
|
|
|
Default: Not enforced
|
|
|
|
|
|
|
|
|
|
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is integer.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -946,11 +970,13 @@ Interactive logon: Message text for users attempting to sign in
|
|
|
|
|
|
|
|
|
|
This security setting specifies a text message that is displayed to users when they sign in.
|
|
|
|
|
|
|
|
|
|
This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
|
|
|
|
|
This text is often used for legal reasons. For example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
|
|
|
|
|
|
|
|
|
|
Default: No message.
|
|
|
|
|
Default: No message
|
|
|
|
|
|
|
|
|
|
Value type is string. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is string.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -993,9 +1019,11 @@ Interactive logon: Message title for users attempting to sign in
|
|
|
|
|
|
|
|
|
|
This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to sign in.
|
|
|
|
|
|
|
|
|
|
Default: No message.
|
|
|
|
|
Default: No message
|
|
|
|
|
|
|
|
|
|
Value type is string. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is string.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -1040,16 +1068,16 @@ This security setting determines what happens when the smart card for a logged-o
|
|
|
|
|
|
|
|
|
|
The options are:
|
|
|
|
|
|
|
|
|
|
No Action
|
|
|
|
|
Lock Workstation
|
|
|
|
|
Force Logoff
|
|
|
|
|
Disconnect if a Remote Desktop Services session
|
|
|
|
|
- No Action
|
|
|
|
|
- Lock Workstation
|
|
|
|
|
- Force Logoff
|
|
|
|
|
- Disconnect if a Remote Desktop Services session
|
|
|
|
|
|
|
|
|
|
If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
|
|
|
|
|
|
|
|
|
|
If you click Force Logoff in the Properties dialog box for this policy, the user is automatically signed off when the smart card is removed.
|
|
|
|
|
|
|
|
|
|
If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging off the user. This policy allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to sign in again. If the session is local, this policy functions identically to Lock Workstation.
|
|
|
|
|
If you click Disconnect on a Remote Desktop Services session, removal of the smart card disconnects the session without logging off the user. This policy allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to sign in again. If the session is local, this policy functions identically to Lock Workstation.
|
|
|
|
|
|
|
|
|
|
> [!NOTE]
|
|
|
|
|
> Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
|
|
|
|
|
@ -1096,14 +1124,14 @@ GP Info:
|
|
|
|
|
<!--Description-->
|
|
|
|
|
Microsoft network client: Digitally sign communications (always)
|
|
|
|
|
|
|
|
|
|
This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
|
|
|
|
|
This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
|
|
|
|
|
|
|
|
|
|
If this setting is enabled, the Microsoft network client won't communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
|
|
|
|
|
|
|
|
|
|
Default: Disabled.
|
|
|
|
|
Default: Disabled
|
|
|
|
|
|
|
|
|
|
> [!Note]
|
|
|
|
|
> All Windows operating systems support both a client-side SMB component and a server-side SMB component.Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
|
|
|
|
|
> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
|
|
|
|
|
> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
|
|
|
|
|
> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
|
|
|
|
|
> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
|
|
|
|
|
@ -1152,11 +1180,11 @@ Microsoft network client: Digitally sign communications (if server agrees)
|
|
|
|
|
|
|
|
|
|
This security setting determines whether the SMB client attempts to negotiate SMB packet signing.
|
|
|
|
|
|
|
|
|
|
The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server.
|
|
|
|
|
The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server.
|
|
|
|
|
|
|
|
|
|
If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.
|
|
|
|
|
|
|
|
|
|
Default: Enabled.
|
|
|
|
|
Default: Enabled
|
|
|
|
|
|
|
|
|
|
> [!Note]
|
|
|
|
|
> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
|
|
|
|
|
@ -1212,7 +1240,7 @@ If this security setting is enabled, the Server Message Block (SMB) redirector i
|
|
|
|
|
|
|
|
|
|
Sending unencrypted passwords is a security risk.
|
|
|
|
|
|
|
|
|
|
Default: Disabled.
|
|
|
|
|
Default: Disabled
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -1315,9 +1343,9 @@ Microsoft network server: Digitally sign communications (always)
|
|
|
|
|
|
|
|
|
|
This security setting determines whether packet signing is required by the SMB server component.
|
|
|
|
|
|
|
|
|
|
The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted.
|
|
|
|
|
The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted.
|
|
|
|
|
|
|
|
|
|
If this setting is enabled, the Microsoft network server won't communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server.
|
|
|
|
|
If this setting is enabled, the Microsoft network server won't communicate with a Microsoft network client, unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server.
|
|
|
|
|
|
|
|
|
|
Default: Disabled for member servers. Enabled for domain controllers.
|
|
|
|
|
|
|
|
|
|
@ -1373,7 +1401,7 @@ Microsoft network server: Digitally sign communications (if client agrees)
|
|
|
|
|
|
|
|
|
|
This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it.
|
|
|
|
|
|
|
|
|
|
The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it.
|
|
|
|
|
The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it.
|
|
|
|
|
|
|
|
|
|
If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.
|
|
|
|
|
|
|
|
|
|
@ -1438,8 +1466,8 @@ This security option allows more restrictions to be placed on anonymous connecti
|
|
|
|
|
Enabled: Don't allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.
|
|
|
|
|
Disabled: No extra restrictions. Rely on default permissions.
|
|
|
|
|
|
|
|
|
|
Default on workstations: Enabled.
|
|
|
|
|
Default on server: Enabled.
|
|
|
|
|
Default on workstations: Enabled
|
|
|
|
|
Default on server: Enabled
|
|
|
|
|
|
|
|
|
|
> [!IMPORTANT]
|
|
|
|
|
> This policy has no impact on domain controllers.
|
|
|
|
|
@ -1487,7 +1515,7 @@ This security setting determines whether anonymous enumeration of SAM accounts a
|
|
|
|
|
|
|
|
|
|
Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This feature is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust. If you don't want to allow anonymous enumeration of SAM accounts and shares, then enable this policy.
|
|
|
|
|
|
|
|
|
|
Default: Disabled.
|
|
|
|
|
Default: Disabled
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -1530,9 +1558,9 @@ Network access: Restrict anonymous access to Named Pipes and Shares
|
|
|
|
|
|
|
|
|
|
When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:
|
|
|
|
|
|
|
|
|
|
Network access: Named pipes that can be accessed anonymously
|
|
|
|
|
Network access: Shares that can be accessed anonymously
|
|
|
|
|
Default: Enabled.
|
|
|
|
|
- Network access: Named pipes that can be accessed anonymously.
|
|
|
|
|
- Network access: Shares that can be accessed anonymously.
|
|
|
|
|
- Default: Enabled.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -1631,8 +1659,8 @@ GP Info:
|
|
|
|
|
<!--/RegistryMapped-->
|
|
|
|
|
<!--SupportedValues-->
|
|
|
|
|
Valid values:
|
|
|
|
|
- 0 - Disabled
|
|
|
|
|
- 1 - Enabled (Allow Local System to use computer identity for NTLM.)
|
|
|
|
|
- 0 - Disabled.
|
|
|
|
|
- 1 - Enabled (Allow Local System to use computer identity for NTLM).
|
|
|
|
|
|
|
|
|
|
<!--/SupportedValues-->
|
|
|
|
|
<!--/Policy-->
|
|
|
|
|
@ -1669,8 +1697,9 @@ Network security: Allow PKU2U authentication requests to this computer to use on
|
|
|
|
|
|
|
|
|
|
This policy will be turned off by default on domain joined machines. This disablement would prevent online identities from authenticating to the domain joined machine.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is integer.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -1681,8 +1710,8 @@ GP Info:
|
|
|
|
|
<!--/RegistryMapped-->
|
|
|
|
|
<!--SupportedValues-->
|
|
|
|
|
Valid values:
|
|
|
|
|
- 0 - disabled
|
|
|
|
|
- 1 - enabled (allow PKU2U authentication requests to this computer to use online identities.)
|
|
|
|
|
- 0 - disabled.
|
|
|
|
|
- 1 - enabled (allow PKU2U authentication requests to this computer to use online identities).
|
|
|
|
|
|
|
|
|
|
<!--/SupportedValues-->
|
|
|
|
|
<!--/Policy-->
|
|
|
|
|
@ -1719,9 +1748,8 @@ Network security: Don't store LAN Manager hash value on next password change
|
|
|
|
|
|
|
|
|
|
This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database, the passwords can be compromised if the security database is attacked.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Default on Windows Vista and above: Enabled
|
|
|
|
|
Default on Windows XP: Disabled.
|
|
|
|
|
- Default on Windows Vista and above: Enabled
|
|
|
|
|
- Default on Windows XP: Disabled
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -1762,27 +1790,27 @@ GP Info:
|
|
|
|
|
<!--Description-->
|
|
|
|
|
Network security LAN Manager authentication level
|
|
|
|
|
|
|
|
|
|
This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:
|
|
|
|
|
This security setting determines which challenge/response authentication protocol is used for network logon. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:
|
|
|
|
|
|
|
|
|
|
Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.
|
|
|
|
|
- Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.
|
|
|
|
|
|
|
|
|
|
Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
|
|
|
|
|
- Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
|
|
|
|
|
|
|
|
|
|
Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
|
|
|
|
|
- Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
|
|
|
|
|
|
|
|
|
|
Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
|
|
|
|
|
- Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
|
|
|
|
|
|
|
|
|
|
Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).
|
|
|
|
|
- Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).
|
|
|
|
|
|
|
|
|
|
Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).
|
|
|
|
|
- Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).
|
|
|
|
|
|
|
|
|
|
Default:
|
|
|
|
|
- Default:
|
|
|
|
|
|
|
|
|
|
windows XP: send LM and NTLM responses
|
|
|
|
|
- windows XP: send LM and NTLM responses.
|
|
|
|
|
|
|
|
|
|
Windows Server 2003: Send NTLM response only
|
|
|
|
|
- Windows Server 2003: Send NTLM response only.
|
|
|
|
|
|
|
|
|
|
Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only
|
|
|
|
|
Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -1828,11 +1856,11 @@ This security setting allows a client device to require the negotiation of 128-b
|
|
|
|
|
- Require NTLMv2 session security: The connection will fail if message integrity isn't negotiated.
|
|
|
|
|
- Require 128-bit encryption: The connection will fail if strong encryption (128-bit) isn't negotiated.
|
|
|
|
|
|
|
|
|
|
Default:
|
|
|
|
|
- Default:
|
|
|
|
|
|
|
|
|
|
Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008: No requirements.
|
|
|
|
|
- Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008: No requirements.
|
|
|
|
|
|
|
|
|
|
Windows 7 and Windows Server 2008 R2: Require 128-bit encryption.
|
|
|
|
|
- Windows 7 and Windows Server 2008 R2: Require 128-bit encryption.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -1875,14 +1903,15 @@ Network security: Minimum session security for NTLM SSP based (including secure
|
|
|
|
|
|
|
|
|
|
This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
|
|
|
|
|
|
|
|
|
|
Require NTLMv2 session security: The connection will fail if message integrity isn't negotiated.
|
|
|
|
|
Require 128-bit encryption. The connection will fail if strong encryption (128-bit) isn't negotiated.
|
|
|
|
|
- Require NTLMv2 session security: The connection will fail if message integrity isn't negotiated.
|
|
|
|
|
|
|
|
|
|
Default:
|
|
|
|
|
- Require 128-bit encryption. The connection will fail if strong encryption (128-bit) isn't negotiated.
|
|
|
|
|
|
|
|
|
|
Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008: No requirements.
|
|
|
|
|
- Default:
|
|
|
|
|
|
|
|
|
|
Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
|
|
|
|
|
- Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008: No requirements.
|
|
|
|
|
|
|
|
|
|
- Windows 7 and Windows Server 2008 R2: Require 128-bit encryption.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -1923,13 +1952,13 @@ GP Info:
|
|
|
|
|
<!--Description-->
|
|
|
|
|
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
|
|
|
|
|
|
|
|
|
|
This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured.
|
|
|
|
|
This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication, if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured.
|
|
|
|
|
|
|
|
|
|
If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication.
|
|
|
|
|
|
|
|
|
|
If you don't configure this policy setting, no exceptions will be applied.
|
|
|
|
|
|
|
|
|
|
The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats. A single asterisk (*) can be used anywhere in the string as a wildcard character.
|
|
|
|
|
The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions, the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats. A single asterisk (*) can be used anywhere in the string as a wildcard character.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -2168,10 +2197,12 @@ When this policy is enabled, the Shut Down command is available on the Windows l
|
|
|
|
|
|
|
|
|
|
When this policy is disabled, the option to shut down the computer doesn't appear on the Windows logon screen. In this case, users must be able to sign in to the computer successfully and have the Shut down the system user right before they can perform a system shutdown.
|
|
|
|
|
|
|
|
|
|
Default on workstations: Enabled.
|
|
|
|
|
Default on servers: Disabled.
|
|
|
|
|
- Default on workstations: Enabled.
|
|
|
|
|
- Default on servers: Disabled.
|
|
|
|
|
|
|
|
|
|
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is integer.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -2182,8 +2213,8 @@ GP Info:
|
|
|
|
|
<!--/RegistryMapped-->
|
|
|
|
|
<!--SupportedValues-->
|
|
|
|
|
Valid values:
|
|
|
|
|
- 0 - disabled
|
|
|
|
|
- 1 - enabled (allow system to be shut down without having to sign in)
|
|
|
|
|
- 0 - disabled.
|
|
|
|
|
- 1 - enabled (allow system to be shut down without having to sign in).
|
|
|
|
|
|
|
|
|
|
<!--/SupportedValues-->
|
|
|
|
|
<!--/Policy-->
|
|
|
|
|
@ -2224,7 +2255,7 @@ Virtual memory support uses a system pagefile to swap pages of memory to disk wh
|
|
|
|
|
|
|
|
|
|
When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled.
|
|
|
|
|
|
|
|
|
|
Default: Disabled.
|
|
|
|
|
Default: Disabled
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -2273,7 +2304,9 @@ Disabled: (Default)
|
|
|
|
|
|
|
|
|
|
The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.
|
|
|
|
|
|
|
|
|
|
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is integer.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -2284,8 +2317,8 @@ GP Info:
|
|
|
|
|
<!--/RegistryMapped-->
|
|
|
|
|
<!--SupportedValues-->
|
|
|
|
|
Valid values:
|
|
|
|
|
- 0 - disabled
|
|
|
|
|
- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop)
|
|
|
|
|
- 0 - disabled.
|
|
|
|
|
- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop).
|
|
|
|
|
|
|
|
|
|
<!--/SupportedValues-->
|
|
|
|
|
<!--/Policy-->
|
|
|
|
|
@ -2340,7 +2373,9 @@ The options are:
|
|
|
|
|
|
|
|
|
|
- 5 - Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
|
|
|
|
|
|
|
|
|
|
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is integer.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -2380,9 +2415,12 @@ GP Info:
|
|
|
|
|
<!--/Scope-->
|
|
|
|
|
<!--Description-->
|
|
|
|
|
User Account Control: Behavior of the elevation prompt for standard users
|
|
|
|
|
|
|
|
|
|
This policy setting controls the behavior of the elevation prompt for standard users.
|
|
|
|
|
|
|
|
|
|
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is integer.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -2394,7 +2432,7 @@ GP Info:
|
|
|
|
|
<!--SupportedValues-->
|
|
|
|
|
The following list shows the supported values:
|
|
|
|
|
|
|
|
|
|
- 0 - Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
|
|
|
|
|
- 0 - Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user, may choose this setting to reduce help desk calls.
|
|
|
|
|
- 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
|
|
|
|
|
- 3 (Default) - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
|
|
|
|
|
|
|
|
|
|
@ -2435,9 +2473,9 @@ This policy setting controls the behavior of application installation detection
|
|
|
|
|
|
|
|
|
|
The options are:
|
|
|
|
|
|
|
|
|
|
Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
|
|
|
|
|
- Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
|
|
|
|
|
|
|
|
|
|
Disabled: Application installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
|
|
|
|
|
- Disabled: Application installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -2478,13 +2516,15 @@ GP Info:
|
|
|
|
|
<!--Description-->
|
|
|
|
|
User Account Control: Only elevate executable files that are signed and validated
|
|
|
|
|
|
|
|
|
|
This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
|
|
|
|
|
This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run, by adding certificates to the Trusted Publishers certificate store on local computers.
|
|
|
|
|
|
|
|
|
|
The options are:
|
|
|
|
|
- 0 - Disabled: (Default) Doesn't enforce PKI certification path validation before a given executable file is permitted to run.
|
|
|
|
|
- 1 - Enabled: Enforces the PKI certification path validation for a given executable file before it's permitted to run.
|
|
|
|
|
|
|
|
|
|
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is integer.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -2525,7 +2565,7 @@ GP Info:
|
|
|
|
|
<!--Description-->
|
|
|
|
|
User Account Control: Only elevate UIAccess applications that are installed in secure locations
|
|
|
|
|
|
|
|
|
|
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following locations:
|
|
|
|
|
This policy setting controls, whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following locations:
|
|
|
|
|
|
|
|
|
|
- .\Program Files\, including subfolders
|
|
|
|
|
- .\Windows\system32\
|
|
|
|
|
@ -2538,7 +2578,9 @@ The options are:
|
|
|
|
|
- 0 - Disabled: An application runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.
|
|
|
|
|
- 1 - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
|
|
|
|
|
|
|
|
|
|
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is integer.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -2587,10 +2629,11 @@ The options are:
|
|
|
|
|
> [!NOTE]
|
|
|
|
|
> If this policy setting is disabled, Windows Security notifies you that the overall security of the operating system has been reduced.
|
|
|
|
|
|
|
|
|
|
- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
|
|
|
|
|
- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately, to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is integer.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -2637,7 +2680,9 @@ The options are:
|
|
|
|
|
- 0 - Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
|
|
|
|
|
- 1 - Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
|
|
|
|
|
|
|
|
|
|
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is integer.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -2727,7 +2772,9 @@ User Account Control: Virtualize file and registry write failures to per-user lo
|
|
|
|
|
|
|
|
|
|
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.
|
|
|
|
|
|
|
|
|
|
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
This policy supports the following:
|
|
|
|
|
- Supported value type is integer.
|
|
|
|
|
- Supported operations are Add, Get, Replace, and Delete.
|
|
|
|
|
|
|
|
|
|
<!--/Description-->
|
|
|
|
|
<!--RegistryMapped-->
|
|
|
|
|
@ -2746,5 +2793,8 @@ The following list shows the supported values:
|
|
|
|
|
<!--/Policy-->
|
|
|
|
|
<hr/>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<!--/Policies-->
|
|
|
|
|
|
|
|
|
|
## Related topics
|
|
|
|
|
|
|
|
|
|
[Policy configuration service provider](policy-configuration-service-provider.md)
|
|
|
|
|
|
Shesh