diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md
index 406db3df06..0b6035ae0a 100644
--- a/windows/client-management/mdm/policy-ddf-file.md
+++ b/windows/client-management/mdm/policy-ddf-file.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 02/26/2018
+ms.date: 03/12/2018
---
# Policy DDF file
@@ -95,6 +95,30 @@ The XML below is the DDF for Windows 10, version 1803.
+
+ MSIAlwaysInstallWithElevatedPrivileges
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
RequirePrivateStoreOnly
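Review bot: The new MSIAlwaysInstallWithElevatedPrivileges node carries no Description text (every `+` line between the node name and `text/plain` is empty, whereas the EnableEndSessionButton nodes added further down do include one). Windows Installer's AlwaysInstallElevated setting is the one an administrator least wants to turn on by accident, so this node should state what the values mean and that a value of 1 makes Installer run package actions with elevated privileges for any user; add the description here and in the ADMX-backed copy of the node later in this file.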
@@ -7848,6 +7872,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ EnableEndSessionButton
+
+
+
+
+
+
+
+ Enable/disable kiosk browser's end session button.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
EnableHomeButton
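Review bot: The description "Enable/disable kiosk browser's end session button." names the feature but not the value mapping; the copies of this node that follow show a default of 0 without saying whether 0 means the button is hidden or shown. Spell out which value enables the button so an MDM admin can tell from the DDF alone.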
@@ -7966,6 +8014,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ DisallowTileNotification
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
Printers
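Review bot: DisallowTileNotification is added with no Description text (the lines between the node name and `text/plain` are all empty); the ADMX-backed copy later in the file maps it to WPN.admx / NoTileNotification, so the description should say that a non-zero value turns tile notifications off and which the default is.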
@@ -8284,6 +8356,34 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ MSIAlwaysInstallWithElevatedPrivileges
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ MSI.admx
+ MSI~AT~WindowsComponents~MSI
+ AlwaysInstallElevated
+ HighestValueMostSecure
+
+
RequirePrivateStoreOnly
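Review bot: The conflict-resolution rule looks inverted for this policy. The node maps to MSI.admx element AlwaysInstallElevated with a default of 0 and is tagged HighestValueMostSecure; if 1 enables elevated installs, as the element name says, then 0 is the secure value and the rule should be LowestValueMostSecure, otherwise a single source that sets 1 will win over every source that sets 0. If HighestValueMostSecure is intentional here, the description (still missing for this node) should say why.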
@@ -8307,7 +8407,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
WindowsStore.admx
WindowsStore~AT~WindowsComponents~WindowsStore
- RequirePrivateStoreOnly_1
+ RequirePrivateStoreOnly
HighestValueMostSecure
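Review bot: The ADMX element id changes from RequirePrivateStoreOnly_1 to RequirePrivateStoreOnly without explanation; if the two ids are distinct policies in WindowsStore.admx (for example a per-user and a per-machine variant), this changes which registry scope the CSP writes, and that should be stated in the change description so tenants can check existing assignments.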
@@ -15167,7 +15267,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
inetres.admx
inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation
- IESF_PolicyAllProcesses_9
+ IESF_PolicyExplorerProcesses_9
LastWrite
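Review bot: This retargets the policy from the inetres.admx "All Processes" variant (IESF_PolicyAllProcesses_9) to the "Internet Explorer Processes" variant (IESF_PolicyExplorerProcesses_9), which narrows the Protection From Zone Elevation enforcement scope to IE processes only. Confirm the CSP policy name and its description (not shown in this hunk) match the narrower scope, and call the scope change out, since a device that was previously hardened for all processes will now only be hardened for IE.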
@@ -15221,7 +15321,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
inetres.admx
inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall
- IESF_PolicyAllProcesses_11
+ IESF_PolicyExplorerProcesses_11
LastWrite
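Review bot: Same scope narrowing as the Protection From Zone Elevation hunk above, here for Restrict ActiveX Install (IESF_PolicyAllProcesses_11 to IESF_PolicyExplorerProcesses_11); document it alongside that one.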
@@ -16382,7 +16482,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
inetres.admx
inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload
- IESF_PolicyAllProcesses_12
+ IESF_PolicyExplorerProcesses_12
LastWrite
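Review bot: Same scope narrowing, here for Restrict File Download (IESF_PolicyAllProcesses_12 to IESF_PolicyExplorerProcesses_12); verify the CSP policy description reflects "Internet Explorer Processes".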
@@ -16409,7 +16509,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
inetres.admx
inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions
- IESF_PolicyAllProcesses_8
+ IESF_PolicyExplorerProcesses_8
LastWrite
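Review bot: Same scope narrowing, here for Scripted Window Security Restrictions (IESF_PolicyAllProcesses_8 to IESF_PolicyExplorerProcesses_8); the four IESF retargets should be explained once in the change description.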
@@ -16910,6 +17010,31 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
LastWrite
+
+ EnableEndSessionButton
+
+
+
+
+ 0
+ Enable/disable kiosk browser's end session button.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ LastWrite
+
+
EnableHomeButton
@@ -17032,6 +17157,33 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
LowestValueMostSecure
+
+ DisallowTileNotification
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ WPN.admx
+ WPN~AT~StartMenu~NotificationsCategory
+ NoTileNotification
+ LowestValueMostSecure
+
+
Printers
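Review bot: Description is still missing for DisallowTileNotification in this ADMX-backed copy, and the conflict-resolution rule deserves a second look: the element is NoTileNotification with default 0 and the rule is LowestValueMostSecure, so when sources disagree the node prefers the value that keeps notifications on. If disallowing tile notifications is the hardened state this policy exists for, HighestValueMostSecure is the rule that matches it.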
@@ -18024,6 +18176,78 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ MSIAllowUserControlOverInstall
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ MSIAlwaysInstallWithElevatedPrivileges
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RequirePrivateStoreOnly
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
RestrictAppDataToSystemVolume
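Review bot: All three nodes added here (MSIAllowUserControlOverInstall, MSIAlwaysInstallWithElevatedPrivileges, RequirePrivateStoreOnly) ship without Description text. The two MSI policies in particular change who can influence what Windows Installer does with elevated rights, so each should state the value mapping and the default before this is merged.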
@@ -30441,6 +30665,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ EnableEndSessionButton
+
+
+
+
+
+
+
+ Enable/disable kiosk browser's end session button.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
EnableHomeButton
@@ -30514,6 +30762,52 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ LanmanWorkstation
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EnableInsecureGuestLogons
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
Licensing
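Review bot: The new LanmanWorkstation area and its EnableInsecureGuestLogons node have no Description text. The later ADMX-backed copy shows this maps to LanmanWorkstation.admx / Pol_EnableInsecureGuestLogons, so the description should say that a non-zero value lets the SMB client fall back to unauthenticated guest access to a share, which defeats the access control and integrity protections an authenticated session gives, and that 0 (the default shown later) keeps it off.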
@@ -30994,38 +31288,6 @@ Note: Domain controllers are also domain members and establish secure channels w
-
- DomainMember_DigitallySignSecureChannelDataWhenPossible
-
-
-
-
-
-
-
- Domain member: Digitally sign secure channel data (when possible)
-
-This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.
-
-When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
-
-This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.
-
-Default: Enabled.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
DomainMember_DisableMachineAccountPasswordChanges
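Review bot: DomainMember_DigitallySignSecureChannelDataWhenPossible is deleted from the DDF with no reason given in the diff. Removing a node silently drops it from what MDM can configure; if the policy was never functional through the CSP or is being withdrawn for 1803, say so in the change description so admins who already assign it know why it will stop appearing.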
@@ -31059,81 +31321,6 @@ This setting should not be used in an attempt to support dual-boot scenarios tha
-
- DomainMember_MaximumMachineAccountPasswordAge
-
-
-
-
-
-
-
- Domain member: Maximum machine account password age
-
-This security setting determines how often a domain member will attempt to change its computer account password.
-
-Default: 30 days.
-
-Important
-
-This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- DomainMember_RequireStrongSessionKey
-
-
-
-
-
-
-
- Domain member: Require strong (Windows 2000 or later) session key
-
-This security setting determines whether 128-bit key strength is required for encrypted secure channel data.
-
-When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup, and so on.
-
-Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters:
-
-Domain member: Digitally encrypt or sign secure channel data (always)
-Domain member: Digitally encrypt secure channel data (when possible)
-Some or all of the information that is transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that is encrypted.
-
-If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed. If this setting is disabled, then the key strength is negotiated with the domain controller.
-
-Default: Enabled.
-
-Important
-
-In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later.
-In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
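Review bot: DomainMember_MaximumMachineAccountPasswordAge and DomainMember_RequireStrongSessionKey are removed together with no explanation. The second is a hardening control for the secure channel (it refuses the channel unless 128-bit encryption is negotiated), so its withdrawal from the MDM surface should be called out explicitly rather than left to be noticed in a 75-line deletion.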
@@ -31385,52 +31572,6 @@ On Windows Vista and above: For this setting to work, the Smart Card Removal Pol
-
- MicrosoftNetworkClient_DigitallySignCommunicationsAlways
-
-
-
-
-
-
-
- Microsoft network client: Digitally sign communications (always)
-
-This security setting determines whether packet signing is required by the SMB client component.
-
-The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
-
-If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
-
-Default: Disabled.
-
-Important
-
-For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees).
-
-Notes
-
-All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
-Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
-Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
-Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
-Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
-SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
-For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
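Review bot: MicrosoftNetworkClient_DigitallySignCommunicationsAlways is removed while the companion "if server agrees" node stays. Requiring client-side SMB signing is the client setting that defeats SMB relay and in-transit tampering, as the deleted description itself says; if MDM can no longer require it through this CSP, the change description should state that and point to whatever mechanism replaces it.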
@@ -31880,7 +32021,7 @@ Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send
- NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
+ NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
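Review bot: This and the next three hunks read as a rename of the NTLM SSP "clients" node to "servers", but the explicit deletion later in this file shows what actually happened: the Clients node is removed and the Servers node shifts up into its place. Reviewers should treat this as a removal of NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients (a client-side requirement for NTLMv2 session security / 128-bit encryption) and ask for the reason in the change description.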
@@ -31888,12 +32029,12 @@ Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send
- Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
+ Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
-This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
+This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
-Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated.
-Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.
+Require NTLMv2 session security: The connection will fail if message integrity is not negotiated.
+Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated.
Default:
@@ -31915,7 +32056,7 @@ Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
- NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
+ NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication
@@ -31923,18 +32064,123 @@ Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
- Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
+ Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
-This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
+This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured.
-Require NTLMv2 session security: The connection will fail if message integrity is not negotiated.
-Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated.
+If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication.
-Default:
+If you do not configure this policy setting, no exceptions will be applied.
-Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
+The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic
+
+
+
+
+
+
+
+ Network security: Restrict NTLM: Audit Incoming NTLM Traffic
-Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
+This policy setting allows you to audit incoming NTLM traffic.
+
+If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic.
+
+If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option.
+
+If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option.
+
+This policy is supported on at least Windows 7 or Windows Server 2008 R2.
+
+Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic
+
+
+
+
+
+
+
+ Network security: Restrict NTLM: Incoming NTLM traffic
+
+This policy setting allows you to deny or allow incoming NTLM traffic.
+
+If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests.
+
+If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon.
+
+If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error.
+
+This policy is supported on at least Windows 7 or Windows Server 2008 R2.
+
+Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers
+
+
+
+
+
+
+
+ Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
+
+This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server.
+
+If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication.
+
+If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer.
+
+If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication.
+
+This policy is supported on at least Windows 7 or Windows Server 2008 R2.
+
+Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
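Review bot: Four Restrict NTLM nodes are added here (remote server exceptions, audit incoming, incoming, outgoing) with full descriptions, which is good, but two things need attention. First, the Outgoing description still says "from this Windows 7 or this Windows Server 2008 R2 computer", legacy secpol text that is wrong in a Windows 10 DDF; trim it to the generic wording used by the other three. Second, a nit in the exceptions text: "listed in both naming formats ." has a stray space before the period.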
@@ -32721,6 +32967,30 @@ The options are:
+
+ TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
WDigestAuthentication
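Review bot: TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications is added with no Description text; the ADMX-backed copy later maps it to SecGuide.admx (Pol_SecGuide_0101_WDPUA), which is the Security Compliance Toolkit's MS Security Guide template rather than an inbox ADMX, so the description should say what value turns PUA protection on and where the backing template comes from.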
@@ -43215,6 +43485,89 @@ Because of these factors, users do not usually need this user right. Warning: If
LowestValueMostSecure
+
+ MSIAllowUserControlOverInstall
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ MSI.admx
+ MSI~AT~WindowsComponents~MSI
+ EnableUserControl
+ HighestValueMostSecure
+
+
+
+ MSIAlwaysInstallWithElevatedPrivileges
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ MSI.admx
+ MSI~AT~WindowsComponents~MSI
+ AlwaysInstallElevated
+ HighestValueMostSecure
+
+
+
+ RequirePrivateStoreOnly
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ WindowsStore.admx
+ WindowsStore~AT~WindowsComponents~WindowsStore
+ RequirePrivateStoreOnly
+ HighestValueMostSecure
+
+
RestrictAppDataToSystemVolume
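Review bot: Check the conflict-resolution direction on the two MSI nodes. MSIAllowUserControlOverInstall maps to EnableUserControl and MSIAlwaysInstallWithElevatedPrivileges to AlwaysInstallElevated, both with default 0 and both tagged HighestValueMostSecure; for both elements a value of 1 is the permissive state (users can change install options normally reserved for administrators, and installs run elevated for any user), so the secure value is 0 and LowestValueMostSecure is the rule that protects it. RequirePrivateStoreOnly with HighestValueMostSecure is consistent, since 1 is the restrictive state there. None of the three has a description.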
@@ -55097,7 +55450,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
phone
inetres.admx
inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation
- IESF_PolicyAllProcesses_9
+ IESF_PolicyExplorerProcesses_9
LastWrite
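Review bot: Same retarget from IESF_PolicyAllProcesses_9 to IESF_PolicyExplorerProcesses_9 as in the earlier DDF section; the scope narrowing applies to this copy too and needs the same documentation.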
@@ -55151,7 +55504,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
phone
inetres.admx
inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall
- IESF_PolicyAllProcesses_11
+ IESF_PolicyExplorerProcesses_11
LastWrite
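Review bot: Same retarget for Restrict ActiveX Install (_11) in this DDF copy.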
@@ -56312,7 +56665,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
phone
inetres.admx
inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload
- IESF_PolicyAllProcesses_12
+ IESF_PolicyExplorerProcesses_12
LastWrite
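Review bot: Same retarget for Restrict File Download (_12) in this DDF copy.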
@@ -56339,7 +56692,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
phone
inetres.admx
inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions
- IESF_PolicyAllProcesses_8
+ IESF_PolicyExplorerProcesses_8
LastWrite
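Review bot: Same retarget for Scripted Window Security Restrictions (_8) in this DDF copy.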
@@ -57022,6 +57375,31 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
LastWrite
+
+ EnableEndSessionButton
+
+
+
+
+ 0
+ Enable/disable kiosk browser's end session button.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ LastWrite
+
+
EnableHomeButton
@@ -57098,6 +57476,53 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ LanmanWorkstation
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EnableInsecureGuestLogons
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ LanmanWorkstation.admx
+ LanmanWorkstation~AT~Network~Cat_LanmanWorkstation
+ Pol_EnableInsecureGuestLogons
+ LowestValueMostSecure
+
+
+
Licensing
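Review bot: EnableInsecureGuestLogons here carries the ADMX mapping (LanmanWorkstation.admx / Pol_EnableInsecureGuestLogons), default 0 and LowestValueMostSecure, which is the right direction since 0 keeps insecure guest logons disabled; the node and its parent LanmanWorkstation area still lack Description text, which should be added for the reason given on the earlier copy.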
@@ -57614,41 +58039,6 @@ Note: Domain controllers are also domain members and establish secure channels w
LastWrite
-
- DomainMember_DigitallySignSecureChannelDataWhenPossible
-
-
-
-
- 1
- Domain member: Digitally sign secure channel data (when possible)
-
-This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.
-
-When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
-
-This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.
-
-Default: Enabled.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
- phone
- Windows Settings~Security Settings~Local Policies~Security Options
- Domain member: Digitally sign secure channel data (when possible)
- LastWrite
-
-
DomainMember_DisableMachineAccountPasswordChanges
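Review bot: This deletes the ADMX-backed copy of DomainMember_DigitallySignSecureChannelDataWhenPossible (default 1, mapped to the Security Options secpol entry); the same request applies as for the first copy: state in the change description why the node is withdrawn.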
@@ -57685,87 +58075,6 @@ This setting should not be used in an attempt to support dual-boot scenarios tha
LastWrite
-
- DomainMember_MaximumMachineAccountPasswordAge
-
-
-
-
- 30
- Domain member: Maximum machine account password age
-
-This security setting determines how often a domain member will attempt to change its computer account password.
-
-Default: 30 days.
-
-Important
-
-This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
- phone
- Windows Settings~Security Settings~Local Policies~Security Options
- Domain member: Maximum machine account password age
- LowestValueMostSecure
-
-
-
- DomainMember_RequireStrongSessionKey
-
-
-
-
- 1
- Domain member: Require strong (Windows 2000 or later) session key
-
-This security setting determines whether 128-bit key strength is required for encrypted secure channel data.
-
-When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup, and so on.
-
-Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters:
-
-Domain member: Digitally encrypt or sign secure channel data (always)
-Domain member: Digitally encrypt secure channel data (when possible)
-Some or all of the information that is transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that is encrypted.
-
-If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed. If this setting is disabled, then the key strength is negotiated with the domain controller.
-
-Default: Enabled.
-
-Important
-
-In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later.
-In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
- phone
- Windows Settings~Security Settings~Local Policies~Security Options
- Domain member: Require strong (Windows 2000 or later) session key
- LastWrite
-
-
InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
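Review bot: Deletes the secpol-backed copies of DomainMember_MaximumMachineAccountPasswordAge (default 30) and DomainMember_RequireStrongSessionKey (default 1); both removals are unexplained, and the latter is a secure-channel hardening control, so the reason belongs in the change description.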
@@ -58039,55 +58348,6 @@ On Windows Vista and above: For this setting to work, the Smart Card Removal Pol
LastWrite
-
- MicrosoftNetworkClient_DigitallySignCommunicationsAlways
-
-
-
-
- 0
- Microsoft network client: Digitally sign communications (always)
-
-This security setting determines whether packet signing is required by the SMB client component.
-
-The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
-
-If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
-
-Default: Disabled.
-
-Important
-
-For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees).
-
-Notes
-
-All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
-Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
-Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
-Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
-Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
-SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
-For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
- phone
- Windows Settings~Security Settings~Local Policies~Security Options
- Microsoft network client: Digitally sign communications (always)
- LastWrite
-
-
MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
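Review bot: Deletes the secpol-backed copy of MicrosoftNetworkClient_DigitallySignCommunicationsAlways (default 0). As with the first copy, removing the ability to require client SMB signing through MDM is a material reduction of the hardening surface and should be stated explicitly.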
@@ -58571,44 +58831,6 @@ Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send
HighestValueMostSecure
-
- NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
-
-
-
-
- 0
- Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
-
-This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
-
-Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated.
-Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.
-
-Default:
-
-Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
-
-Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
- phone
- Windows Settings~Security Settings~Local Policies~Security Options
- Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
- HighestValueMostSecure
-
-
NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
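Review bot: This is the explicit deletion of NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients (default 0, HighestValueMostSecure) that the earlier rename-looking hunks hid; the change description should give the reason, since client-side "require NTLMv2 session security / 128-bit encryption" is a common baseline setting.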
@@ -58647,6 +58869,157 @@ Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
HighestValueMostSecure
+
+ NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication
+
+
+
+
+
+ Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
+
+This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured.
+
+If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication.
+
+If you do not configure this policy setting, no exceptions will be applied.
+
+The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
+ LastWrite
+
+
+
+ NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic
+
+
+
+
+ 0
+ Network security: Restrict NTLM: Audit Incoming NTLM Traffic
+
+This policy setting allows you to audit incoming NTLM traffic.
+
+If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic.
+
+If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option.
+
+If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option.
+
+This policy is supported on at least Windows 7 or Windows Server 2008 R2.
+
+Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network security: Restrict NTLM: Audit Incoming NTLM Traffic
+ HighestValueMostSecure
+
+
+
+ NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic
+
+
+
+
+ 0
+ Network security: Restrict NTLM: Incoming NTLM traffic
+
+This policy setting allows you to deny or allow incoming NTLM traffic.
+
+If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests.
+
+If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon.
+
+If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error.
+
+This policy is supported on at least Windows 7 or Windows Server 2008 R2.
+
+Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network security: Restrict NTLM: Incoming NTLM traffic
+ HighestValueMostSecure
+
+
+
+ NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers
+
+
+
+
+ 0
+ Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
+
+This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server.
+
+If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication.
+
+If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer.
+
+If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication.
+
+This policy is supported on at least Windows 7 or Windows Server 2008 R2.
+
+Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
+ HighestValueMostSecure
+
+
Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
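Review bot: The conflict-resolution rules on the four new Restrict NTLM nodes are consistent: AuditIncoming, Incoming and Outgoing default to 0 with HighestValueMostSecure, so the most restrictive deny/audit value wins, while the exception list uses LastWrite, which means two sources that each set an exception list do not merge and the later write replaces the earlier one; that replacement behaviour is worth a sentence in the description, because a lost exception turns into an NTLM blocked error on the client. Also remove the stale "Windows 7 or this Windows Server 2008 R2" wording from the Outgoing description in this copy, as in the first copy.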
@@ -59472,6 +59845,33 @@ The options are:
LastWrite
+
+ TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ SecGuide.admx
+ SecGuide~AT~Cat_SecGuide
+ Pol_SecGuide_0101_WDPUA
+ LastWrite
+
+
WDigestAuthentication
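Review bot: The PUA node maps to SecGuide.admx / Pol_SecGuide_0101_WDPUA but, unlike the other ADMX-backed nodes added in this patch, carries no default value and uses LastWrite instead of HighestValueMostSecure. For an on/off protection a higher value should win on conflict; if LastWrite is deliberate because the backing template is the Security Compliance Toolkit's MS Security Guide rather than an inbox ADMX, say so in the (still missing) description.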