Policy path | |
|---|---|
Policy name | Value |
+
Admin Templates > Control Panel > Personalization |
+|
Prevent enabling lock screen slide show | Enabled |
+
Prevent changing lock screen and logon image | Enabled |
+
Admin Templates > System > Power Management > Button Settings |
+|
Select the Power button action (plugged in) | Sleep |
+
Select the Power button action (on battery) | Sleep |
+
Select the Sleep button action (plugged in) | Sleep |
+
Select the lid switch action (plugged in) | Sleep |
+
Select the lid switch action (on battery) | Sleep |
+
Admin Templates > System > Power Management > Sleep Settings |
+|
Require a password when a computer wakes (plugged in) | Enabled |
+
Require a password when a computer wakes (on battery) | Enabled |
+
Specify the system sleep timeout (plugged in) | 1 hour |
+
Specify the system sleep timeout (on battery) | 1 hour |
+
| Turn off hybrid sleep (plugged in) | Enabled |
+
| Turn off hybrid sleep (on battery) | Enabled |
+
| Specify the unattended sleep timeout (plugged in) | 1 hour |
+
| Specify the unattended sleep timeout (on battery) | 1 hour |
+
| Allow standby states (S1-S3) when sleeping (plugged in) | Enabled |
+
| Allow standby states (S1-S3) when sleeping (on battery) | Enabled |
+
| Specify the system hibernate timeout (plugged in) | Enabled, 0 |
+
| Specify the system hibernate timeout (on battery) | Enabled, 0 |
+
| Admin Templates > System > Power Management > Video and Display Settings | |
| Turn off the display (plugged in) | 1 hour |
+
| Turn off the display (on battery | 1 hour |
+
| Admin Templates > System > Logon |
+|
| Show first sign-in animation | Disabled |
+
| Hide entry points for Fast User Switching | Enabled |
+
| Turn on convenience PIN sign-in | Disabled |
+
| Turn off picture password sign-in | Enabled |
+
| Turn off app notification on the lock screen | Enabled |
+
| Allow users to select when a password is required when resuming from connected standby | Disabled |
+
| Block user from showing account details on sign-in | Enabled |
+
| Admin Templates > System > User Profiles |
+|
| Turn off the advertising ID | Enabled |
+
| Admin Templates > Windows Components |
+|
| Do not show Windows Tips | Enabled |
+
| Turn off Microsoft consumer experiences | Enabled |
+
| Microsoft Passport for Work | Disabled |
+
| Prevent the usage of OneDrive for file storage | Enabled |
+
| Admin Templates > Windows Components > Biometrics |
+|
| Allow the use of biometrics | Disabled |
+
| Allow users to log on using biometrics | Disabled |
+
| Allow domain users to log on using biometrics | Disabled |
+
| Admin Templates > Windows Components > Data Collection and Preview Builds |
+|
| Toggle user control over Insider builds | Disabled |
+
| Disable pre-release features or settings | Disabled |
+
| Do not show feedback notifications | Enabled |
+
| Admin Templates > Windows Components > File Explorer |
+|
| Show lock in the user tile menu | Disabled |
+
| Admin Templates > Windows Components > Maintenance Scheduler |
+|
| Automatic Maintenance Activation Boundary | 12am |
+
| Automatic Maintenance Random Delay | Enabled, 2 hours |
+
| Automatic Maintenance WakeUp Policy | Enabled |
+
| Admin Templates > Windows Components > Microsoft Edge |
+|
| Open a new tab with an empty tab | Disabled |
+
| Configure corporate home pages | Enabled, about:blank |
+
| Admin Templates > Windows Components > Search |
+|
| Allow Cortana | Disabled |
+
| Windows Settings > Security Settings > Local Policies > Security Options |
+|
| Interactive logon: Do not display last user name | Enabled |
+
| Interactive logon: Sign-in last interactive user automatically after a system-initiated restart | Disabled |
+
| Shutdown: Allow system to be shut down without having to log on | Disabled |
+
| User Account Control: Behavior of the elevation prompt for standard users | Auto deny |
+
| Purpose | -Name | -User | -Rule condition type | -
|---|---|---|---|
Allow members of the local Administrators group access to run all executable files |
-(Default Rule) All files |
-BUILTIN\Administrators |
-Path: * |
-
Allow all users to run executable files in the Windows folder |
-(Default Rule) All files located in the Windows folder |
-Everyone |
-Path: %windir%\* |
-
Allow all users to run executable files in the Program Files folder |
-(Default Rule) All files located in the Program Files folder |
-Everyone |
-Path: %programfiles%\* |
-
| Server type or GPO | -Default value | -
|---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Administrators |
-
Stand-Alone Server Default Settings |
-Administrators |
-
Domain Controller Effective Default Settings |
-Administrators |
-
Member Server Effective Default Settings |
-Administrators |
-
Client Computer Effective Default Settings |
-Administrators |
-
| Value Data | -Setting | -
|---|---|
0 |
-None |
-
2 |
-Delegated |
-
4 |
-Full |
-
| State | -Description | -
|---|---|
Enabled |
-Most features of the TPM are available. -The TPM can be enabled and disabled multiple times within a boot period, if ownership is taken. |
-
Disabled |
-The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and perform hashing and basic initialization. -The TPM can be enabled and disabled multiple times within a start-up period. |
-
Activated |
-Most features of the TPM are available. The TPM can be activated and deactivated only through physical presence, which requires a restart. |
-
Deactivated |
-Similar to the disabled state, with the exception that ownership can be taken when the TPM is deactivated and enabled. The TPM can be activated and deactivated only through physical presence, which requires a restart. |
-
Owned |
-Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data. |
-
Unowned |
-The TPM does not have a storage root key, and it may or may not have an endorsement key. |
-
| Event ID: 1000 | @@ -3257,8 +3268,8 @@ article.
|---|
| TPM version | -Windows 10 | -Windows Server 2012 R2, Windows 8.1, and Windows RT | -Windows Server 2012, Windows 8, and Windows RT | -Windows Server 2008 R2 and Windows 7 | -
|---|---|---|---|---|
TPM 1.2 |
-X |
-X |
-X |
-X |
-
TPM 2.0 |
-X |
-X |
-X |
-X |
-
| Setting | -Windows 10 | -Windows Server 2012 R2, Windows 8.1 and Windows RT | -Windows Server 2012, Windows 8 and Windows RT | -Windows Server 2008 R2 and Windows 7 | -Windows Server 2008 and Windows Vista | -
|---|---|---|---|---|---|
[Turn on TPM backup to Active Directory Domain Services](#bkmk-tpmgp-addsbu) |
-X |
-X |
-X |
-X |
-X |
-
[Configure the list of blocked TPM commands](#bkmk-tpmgp-clbtc) |
-X |
-X |
-X |
-X |
-X |
-
[Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb) |
-X |
-X |
-X |
-X |
-X |
-
[Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb) |
-X |
-X |
-X |
-X |
-X |
-
[Configure the level of TPM owner authorization information available to the operating system](#bkmk-tpmgp-oauthos) |
-X |
-X |
-X |
-- | - |
[Standard User Lockout Duration](#bkmk-tpmgp-suld) |
-X |
-X |
-X |
-- | - |
[Standard User Individual Lockout Threshold](#bkmk-tpmgp-suilt) |
-X |
-X |
-X |
-- | - |
[Standard User Total Lockout Threshold](#bkmk-tpmgpsutlt) |
-X |
-X |
-X |
-- | - |
| Value Data | -Setting | -
|---|---|
0 |
-None |
-
2 |
-Delegated |
-
4 |
-Full |
-
| Enforcement setting | -Description | -
|---|---|
Not configured |
-By default, enforcement is not configured in a rule collection. If rules are present in the corresponding rule collection, they are enforced. If rule enforcement is configured in a higher-level linked Group Policy object (GPO), that enforcement value overrides the Not configured value. |
-
Enforce rules |
-Rules are enforced for the rule collection, and all rule events are audited. |
-
Audit only |
-Rule events are audited only. Use this value when planning and testing AppLocker rules. |
-
| Possible answers | -Design considerations | -
|---|---|
Control all apps |
-AppLocker policies control applications by creating an allowed list of applications by file type. Exceptions are also possible. AppLocker policies can only be applied to applications installed on computers running one of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md). |
-
Control specific apps |
-When you create AppLocker rules, a list of allowed apps are created. All apps on that list will be allowed to run (except those on the exception list). Apps that are not on the list will be prevented from running. AppLocker policies can only be applied to apps installed on computers running any of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md). |
-
Control only Classic Windows applications, only Universal Windows apps, or both |
-AppLocker policies control apps by creating an allowed list of apps by file type. Because Universal Windows apps are categorized under the Publisher condition, Classic Windows applications and Universal Windows apps can be controlled together. AppLocker policies for Universal Windows apps can be applied only to apps that are installed on PCs that support the Windows Store, but Classic Windows applications can be controlled with AppLocker on all supported versions of Windows. The rules you currently have configured for Classic Windows applications can remain, and you can create new ones for Universal Windows apps. -For a comparison of Classic Windows applications and Universal Windows apps, see [Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions](#bkmk-compareclassicmetro) in this topic. |
-
Control apps by business group and user |
-AppLocker policies can be applied through a Group Policy Object (GPO) to computer objects within an organizational unit (OU). Individual AppLocker rules can be applied to individual users or to groups of users. |
-
Control apps by computer, not user |
-AppLocker is a computer-based policy implementation. If your domain or site organizational structure is not based on a logical user structure, such as an OU, you might want to set up that structure before you begin your AppLocker planning. Otherwise, you will have to identify users, their computers, and their app access requirements. |
-
Understand app usage, but there is no need to control any apps yet |
-AppLocker policies can be set to audit app usage to help you track which apps are used in your organization. You can then use the AppLocker event log to create AppLocker policies. |
-
| Possible answers | -Design considerations | -
|---|---|
Security polices (locally set or through Group Policy) |
-Using AppLocker requires increased effort in planning to create correct policies, but this results in a simpler distribution method. |
-
Non-Microsoft app control software |
-Using AppLocker requires a complete app control policy evaluation and implementation. |
-
Managed usage by group or OU |
-Using AppLocker requires a complete app control policy evaluation and implementation. |
-
Authorization Manager or other role-based access technologies |
-Using AppLocker requires a complete app control policy evaluation and implementation. |
-
Other |
-Using AppLocker requires a complete app control policy evaluation and implementation. |
-
| Possible answers | -Design considerations | -
|---|---|
Yes - |
-For each group, you need to create a list that includes their application control requirements. Although this may increase the planning time, it will most likely result in a more effective deployment. -If your GPO structure is not currently configured so that you can apply different policies to specific groups, you can alternatively apply AppLocker rules in a GPO to specific user groups. |
-
No |
-AppLocker policies can be applied globally to applications that are installed on PCs running the supported versions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging. |
-
| Possible answers | -Design considerations | -
|---|---|
Yes |
-Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are as simply constructed as possible. |
-
No |
-Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. |
-
| Possible answers | -Design considerations | -
|---|---|
Yes |
-Involve the support department early in the planning phase because your users may inadvertently be blocked from using their applications, or they may seek exceptions to use specific applications. |
-
No |
-Invest time in developing online support processes and documentation before deployment. |
-
| Possible answers | -Design considerations | -
|---|---|
Yes |
-You should determine the application control priorities for a business group and then attempt to design the simplest scheme for their application control policies. |
-
No |
-You will have to perform an audit and requirements gathering project to discover the application usage. AppLocker provides the means to deploy policies in Audit only mode, and tools to view the event logs. |
-
| Possible answers | -Design considerations | -
|---|---|
Ad hoc |
-You need to gather requirements from each group. Some groups might want unrestricted access or installation, while other groups might want strict controls. |
-
Strict written policy or guidelines to follow |
-You need to develop AppLocker rules that reflect those policies, and then test and maintain the rules. |
-
No process in place |
-You need to determine if you have the resources to develop an application control policy, and for which groups. |
-
| Possible answers | -Design considerations | -
|---|---|
Yes |
-You cannot use AppLocker to manage SRP settings, but you can use SRP to manage application control policies on computers running on any of the supported operating systems listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). In addition, if AppLocker and SRP settings are configured in the same GPO, only the AppLocker settings will be enforced on computers running those supported operating systems. -
-Note
-
-If you are using the Basic User security level as assigned in SRP, those permissions are not supported on computers running the supported operating systems. -
-
- |
-
No |
-Policies that are configured for AppLocker can only be applied to computers running the supported operating systems, but SRP is also available on those operating systems. |
-
| Possible answers | -Design considerations | -
|---|---|
Productivity: The organization assures that tools work and required applications can be installed. |
-To meet innovation and productivity goals, some groups require the ability to install and run a variety of software from different sources, including software that they developed. Therefore, if innovation and productivity is a high priority, managing application control policies through an allowed list might be time consuming and an impediment to progress. |
-
Management: The organization is aware of and controls the apps it supports. |
-In some business groups, application usage can be managed from a central point of control. AppLocker policies can be built into a GPO for that purpose. This shifts the burden of app access to the IT department, but it also has the benefit of controlling the number of apps that can be run and controlling the versions of those apps |
-
Security: The organization must protect data in part by ensuring that only approved apps are used. |
-AppLocker can help protect data by allowing a defined set of users access to apps that access the data. If security is the top priority, the application control policies will be the most restrictive. |
-
| Possible answers | -Design considerations | -
|---|---|
Users run without administrative rights. -Apps are installed by using an installation deployment technology. |
-AppLocker can help reduce the total cost of ownership for business groups that typically use a finite set of apps, such as human resources and finance departments. At the same time, these departments access highly sensitive information, much of which contains confidential and proprietary information. By using AppLocker to create rules for specific apps that are allowed to run, you can help limit unauthorized applications from accessing this information. -
-Note
-
-AppLocker can also be effective in helping create standardized desktops in organizations where users run as administrators. However, it is important to note that users with administrative credentials can add new rules to the local AppLocker policy. -
-
- |
-
Users must be able to install applications as needed. -Users currently have administrator access, and it would be difficult to change this. |
-Enforcing AppLocker rules is not suited for business groups that must be able to install apps as needed and without approval from the IT department. If one or more OUs in your organization has this requirement, you can choose not to enforce application rules in those OUs by using AppLocker or to implement the Audit only enforcement setting through AppLocker. |
-
| Possible answers | -Design considerations | -
|---|---|
Yes |
-AppLocker rules can be developed and implemented through Group Policy, based on your AD DS structure. |
-
No |
-The IT department must create a scheme to identify how application control policies can be applied to the correct user or computer. |
-
| Rule condition | -Security concern with deny action | -
|---|---|
Publisher |
-A user could modify the properties of a file (for example, re-signing the file with a different certificate). |
-
File hash |
-A user could modify the hash for a file. |
-
Path |
-A user could move the denied file to a different location and run it from there. |
-
| Topic | -Description | -
|---|---|
[Executable rules in AppLocker](executable-rules-in-applocker.md) |
-This topic describes the file formats and available default rules for the executable rule collection. |
-
[Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md) |
-This topic describes the file formats and available default rules for the Windows Installer rule collection. |
-
[Script rules in AppLocker](script-rules-in-applocker.md) |
-This topic describes the file formats and available default rules for the script rule collection. |
-
[DLL rules in AppLocker](dll-rules-in-applocker.md) |
-This topic describes the file formats and available default rules for the DLL rule collection. |
-
[Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md) |
-This topic explains the AppLocker rule collection for packaged app installers and packaged apps. |
-
| File hash condition advantages | -File hash condition disadvantages | -
|---|---|
Because each file has a unique hash, a file hash condition applies to only one file. |
-Each time that the file is updated (such as a security update or upgrade), the file's hash will change. As a result, you must manually update file hash rules. |
-
| Windows directory or drive | -AppLocker path variable | -Windows environment variable | -
|---|---|---|
Windows |
-%WINDIR% |
-%SystemRoot% |
-
System32 |
-%SYSTEM32% |
-%SystemDirectory% |
-
Windows installation directory |
-%OSDRIVE% |
-%SystemDrive% |
-
Program Files |
-%PROGRAMFILES% |
-%ProgramFiles% and %ProgramFiles(x86)% |
-
Removable media (for example, CD or DVD) |
-%REMOVABLE% |
-- |
Removable storage device (for example, USB flash drive) |
-%HOT% |
-- |
| Option | -The publisher condition allows or denies… | -
|---|---|
All signed files |
-All files that are signed by a publisher. |
-
Publisher only |
-All files that are signed by the named publisher. |
-
Publisher and product name |
-All files for the specified product that are signed by the named publisher. |
-
Publisher, product name, and file name |
-Any version of the named file for the named product that is signed by the publisher. |
-
Publisher, product name, file name, and file version |
-Exactly -The specified version of the named file for the named product that is signed by the publisher. |
-
Publisher, product name, file name, and file version |
-And above -The specified version of the named file and any new releases for the product that are signed by the publisher. |
-
Publisher, product name, file name, and file version |
-And below -The specified version of the named file and any older versions for the product that are signed by the publisher. |
-
Custom |
-You can edit the Publisher, Product name, File name, and Version fields to create a custom rule. |
-