deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

lanmanworkstation licensing localpoliciessecurityoptions

Browse Source
This commit is contained in:
Liz Long 2023-01-03 12:33:25 -05:00
parent 4adc95e399
commit 5a7e0b7f25
3 changed files with 3117 additions and 2943 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

129
windows/client-management/mdm/policy-csp-lanmanworkstation.md
View File

@ -1,85 +1,100 @@
---
title: Policy CSP - LanmanWorkstation
description: Use the Policy CSP - LanmanWorkstation setting to determine if the SMB client will allow insecure guest sign ins to an SMB server.
title: LanmanWorkstation Policy CSP
description: Learn more about the LanmanWorkstation Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.date: 01/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- LanmanWorkstation-Begin -->
# Policy CSP - LanmanWorkstation
<hr/>
<!-- LanmanWorkstation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LanmanWorkstation-Editable-End -->
<!--Policies-->
## LanmanWorkstation policies
<!-- EnableInsecureGuestLogons-Begin -->
## EnableInsecureGuestLogons
<dl>
<dd>
<a href="#lanmanworkstation-enableinsecureguestlogons">LanmanWorkstation/EnableInsecureGuestLogons</a>
</dd>
</dl>
<!-- EnableInsecureGuestLogons-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
<!-- EnableInsecureGuestLogons-Applicability-End -->
<hr/>
<!-- EnableInsecureGuestLogons-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/EnableInsecureGuestLogons
```
<!-- EnableInsecureGuestLogons-OmaUri-End -->
<!--Policy-->
<a href="" id="lanmanworkstation-enableinsecureguestlogons"></a>**LanmanWorkstation/EnableInsecureGuestLogons**
<!-- EnableInsecureGuestLogons-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting determines if the SMB client will allow insecure guest logons to an SMB server.
<!--SupportedSKUs-->
If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons.
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
If you disable this policy setting, the SMB client will reject insecure guest logons.
<!--/SupportedSKUs-->
<hr/>
Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and do not use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access."
<!-- EnableInsecureGuestLogons-Description-End -->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- EnableInsecureGuestLogons-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableInsecureGuestLogons-Editable-End -->
> [!div class = "checklist"]
> * Device
<!-- EnableInsecureGuestLogons-DFProperties-Begin -->
**Description framework properties**:
<hr/>
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- EnableInsecureGuestLogons-DFProperties-End -->
<!--/Scope-->
<!--Description-->
This policy setting determines, if the SMB client will allow insecure guest sign in to an SMB server.
<!-- EnableInsecureGuestLogons-AllowedValues-Begin -->
**Allowed values**:
If you enable this policy setting or if you don't configure this policy setting, the SMB client will allow insecure guest sign in.
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled |
| 1 | Enabled |
<!-- EnableInsecureGuestLogons-AllowedValues-End -->
If you disable this policy setting, the SMB client will reject insecure guest sign in.
<!-- EnableInsecureGuestLogons-GpMapping-Begin -->
**Group policy mapping**:
Insecure guest sign in are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest sign in are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication, and don't use insecure guest sign in by default. Since insecure guest sign in are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest sign in are vulnerable to various man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest sign in is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest sign in and configuring file servers to require authenticated access.
| Name | Value |
|:--|:--|
| Name | Pol_EnableInsecureGuestLogons |
| Friendly Name | Enable insecure guest logons |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
| Registry Value Name | AllowInsecureGuestAuth |
| ADMX File Name | LanmanWorkstation.admx |
<!-- EnableInsecureGuestLogons-GpMapping-End -->
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Enable insecure guest logons*
- GP name: *Pol_EnableInsecureGuestLogons*
- GP path: *Network/Lanman Workstation*
- GP ADMX file name: *LanmanWorkstation.admx*
<!-- EnableInsecureGuestLogons-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableInsecureGuestLogons-Examples-End -->
<!--/ADMXMapped-->
<!--SupportedValues-->
This setting supports a range of values between 0 and 1.
<!-- EnableInsecureGuestLogons-End -->
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!-- LanmanWorkstation-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- LanmanWorkstation-CspMoreInfo-End -->
<!--/Policies-->
<!-- LanmanWorkstation-End -->
## Related topics
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
[Policy configuration service provider](policy-configuration-service-provider.md)

225
windows/client-management/mdm/policy-csp-licensing.md
View File

@ -1,135 +1,166 @@
---
title: Policy CSP - Licensing
description: Use the Policy CSP - Licensing setting to enable or disable Windows license reactivation on managed devices.
title: Licensing Policy CSP
description: Learn more about the Licensing Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.date: 01/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- Licensing-Begin -->
# Policy CSP - Licensing
<hr/>
<!-- Licensing-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Licensing-Editable-End -->
<!--Policies-->
## Licensing policies
<!-- AllowWindowsEntitlementReactivation-Begin -->
## AllowWindowsEntitlementReactivation
<dl>
<dd>
<a href="#licensing-allowwindowsentitlementreactivation">Licensing/AllowWindowsEntitlementReactivation</a>
</dd>
<dd>
<a href="#licensing-disallowkmsclientonlineavsvalidation">Licensing/DisallowKMSClientOnlineAVSValidation</a>
</dd>
</dl>
<!-- AllowWindowsEntitlementReactivation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
<!-- AllowWindowsEntitlementReactivation-Applicability-End -->
<hr/>
<!-- AllowWindowsEntitlementReactivation-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Licensing/AllowWindowsEntitlementReactivation
```
<!-- AllowWindowsEntitlementReactivation-OmaUri-End -->
<!--Policy-->
<a href="" id="licensing-allowwindowsentitlementreactivation"></a>**Licensing/AllowWindowsEntitlementReactivation**
<!-- AllowWindowsEntitlementReactivation-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting controls whether OS Reactivation is blocked on a device.
Policy Options:
- Not Configured (default -- Windows registration and reactivation is allowed)
- Disabled (Windows registration and reactivation is not allowed)
- Enabled (Windows registration is allowed)
<!-- AllowWindowsEntitlementReactivation-Description-End -->
<!--SupportedSKUs-->
<!-- AllowWindowsEntitlementReactivation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowWindowsEntitlementReactivation-Editable-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- AllowWindowsEntitlementReactivation-DFProperties-Begin -->
**Description framework properties**:
<!--/SupportedSKUs-->
<hr/>
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- AllowWindowsEntitlementReactivation-DFProperties-End -->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- AllowWindowsEntitlementReactivation-AllowedValues-Begin -->
**Allowed values**:
> [!div class = "checklist"]
> * Device
| Value | Description |
|:--|:--|
| 0 | Disable Windows license reactivation on managed devices. |
| 1 (Default) | Enable Windows license reactivation on managed devices. |
<!-- AllowWindowsEntitlementReactivation-AllowedValues-End -->
<hr/>
<!-- AllowWindowsEntitlementReactivation-GpMapping-Begin -->
**Group policy mapping**:
<!--/Scope-->
<!--Description-->
Enables or Disable Windows license reactivation on managed devices.
| Name | Value |
|:--|:--|
| Name | AllowWindowsEntitlementReactivation |
| Friendly Name | Control Device Reactivation for Retail devices |
| Location | Computer Configuration |
| Path | Windows Components > Software Protection Platform |
| Registry Key Name | Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform |
| Registry Value Name | AllowWindowsEntitlementReactivation |
| ADMX File Name | AVSValidationGP.admx |
<!-- AllowWindowsEntitlementReactivation-GpMapping-End -->
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Control Device Reactivation for Retail devices*
- GP name: *AllowWindowsEntitlementReactivation*
- GP path: *Windows Components/Software Protection Platform*
- GP ADMX file name: *AVSValidationGP.admx*
<!-- AllowWindowsEntitlementReactivation-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowWindowsEntitlementReactivation-Examples-End -->
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
<!-- AllowWindowsEntitlementReactivation-End -->
- 0 Disable Windows license reactivation on managed devices.
- 1 (default) Enable Windows license reactivation on managed devices.
<!-- DisallowKMSClientOnlineAVSValidation-Begin -->
## DisallowKMSClientOnlineAVSValidation
<!--/SupportedValues-->
<!--/Policy-->
<!-- DisallowKMSClientOnlineAVSValidation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
<!-- DisallowKMSClientOnlineAVSValidation-Applicability-End -->
<hr/>
<!-- DisallowKMSClientOnlineAVSValidation-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Licensing/DisallowKMSClientOnlineAVSValidation
```
<!-- DisallowKMSClientOnlineAVSValidation-OmaUri-End -->
<!--Policy-->
<a href="" id="licensing-disallowkmsclientonlineavsvalidation"></a>**Licensing/DisallowKMSClientOnlineAVSValidation**
<!-- DisallowKMSClientOnlineAVSValidation-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state.
If you disable or do not configure this policy setting, KMS client activation data will be sent to Microsoft services when this device activates.
Policy Options:
- Not Configured (default -- data will be automatically sent to Microsoft)
- Disabled (data will be automatically sent to Microsoft)
- Enabled (data will not be sent to Microsoft)
<!-- DisallowKMSClientOnlineAVSValidation-Description-End -->
<!--SupportedSKUs-->
<!-- DisallowKMSClientOnlineAVSValidation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisallowKMSClientOnlineAVSValidation-Editable-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- DisallowKMSClientOnlineAVSValidation-DFProperties-Begin -->
**Description framework properties**:
<!--/SupportedSKUs-->
<hr/>
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- DisallowKMSClientOnlineAVSValidation-DFProperties-End -->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- DisallowKMSClientOnlineAVSValidation-AllowedValues-Begin -->
**Allowed values**:
> [!div class = "checklist"]
> * Device
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- DisallowKMSClientOnlineAVSValidation-AllowedValues-End -->
<hr/>
<!-- DisallowKMSClientOnlineAVSValidation-GpMapping-Begin -->
**Group policy mapping**:
<!--/Scope-->
<!--Description-->
Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state.
| Name | Value |
|:--|:--|
| Name | NoAcquireGT |
| Friendly Name | Turn off KMS Client Online AVS Validation |
| Location | Computer Configuration |
| Path | Windows Components > Software Protection Platform |
| Registry Key Name | Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform |
| Registry Value Name | NoGenTicket |
| ADMX File Name | AVSValidationGP.admx |
<!-- DisallowKMSClientOnlineAVSValidation-GpMapping-End -->
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Turn off KMS Client Online AVS Validation*
- GP name: *NoAcquireGT*
- GP path: *Windows Components/Software Protection Platform*
- GP ADMX file name: *AVSValidationGP.admx*
<!-- DisallowKMSClientOnlineAVSValidation-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisallowKMSClientOnlineAVSValidation-Examples-End -->
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
<!-- DisallowKMSClientOnlineAVSValidation-End -->
- 0 (default) Disabled
- 1 Enabled
<!-- Licensing-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- Licensing-CspMoreInfo-End -->
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!-- Licensing-End -->
## Related articles
<!--/Policies-->
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md)
[Policy configuration service provider](policy-configuration-service-provider.md)

5706
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

File diff suppressed because it is too large Load Diff