deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Changes per Nick's notes.

Browse Source
This commit is contained in:
Vinay Pamnani 2023-01-03 17:10:40 -05:00
parent 7f413184a1
commit aa124a3465
10 changed files with 986 additions and 502 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
windows/client-management/mdm/policy-csp-abovelock.md
View File

@ -98,7 +98,6 @@ If you disable this setting, the system will need to be unlocked for the user to
<!-- AllowCortanaAboveLock-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Added in Windows 10, version 1607.
<!-- AllowCortanaAboveLock-Editable-End -->
<!-- AllowCortanaAboveLock-DFProperties-Begin -->

3
windows/client-management/mdm/policy-csp-accounts.md
View File

@ -146,7 +146,6 @@ Allows IT Admins the ability to disable the Microsoft Account Sign-In Assistant
<!-- AllowMicrosoftAccountSignInAssistant-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Added in Windows 10, version 1703.
<!-- AllowMicrosoftAccountSignInAssistant-Editable-End -->
<!-- AllowMicrosoftAccountSignInAssistant-DFProperties-Begin -->
@ -234,7 +233,7 @@ This setting determines whether to only allow enterprise device authentication f
<!-- RestrictToEnterpriseDeviceAuthenticationOnly-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Added in Windows 11, version 22H2. Most restricted value is 1.
Most restricted value is 1.
<!-- RestrictToEnterpriseDeviceAuthenticationOnly-Editable-End -->
<!-- RestrictToEnterpriseDeviceAuthenticationOnly-DFProperties-Begin -->

1
windows/client-management/mdm/policy-csp-admx-controlpanel.md
View File

@ -194,7 +194,6 @@ If users try to select a Control Panel item from the Properties item on a contex
<!-- NoControlPanel-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Available in the latest Windows 10 Insider Preview Build.
<!-- NoControlPanel-Editable-End -->
<!-- NoControlPanel-DFProperties-Begin -->

3
windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
View File

@ -240,7 +240,6 @@ If you disable or do not configure this policy setting, users that are not requi
<!-- CPL_Personalization_NoLockScreen-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Available in the latest Windows 10 Insider Preview Build.
<!-- CPL_Personalization_NoLockScreen-Editable-End -->
<!-- CPL_Personalization_NoLockScreen-DFProperties-Begin -->
@ -364,7 +363,6 @@ If you disable or do not configure this setting, the default theme will be appli
<!-- CPL_Personalization_SetTheme-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Available in the latest Windows 10 Insider Preview Build.
<!-- CPL_Personalization_SetTheme-Editable-End -->
<!-- CPL_Personalization_SetTheme-DFProperties-Begin -->
@ -1099,7 +1097,6 @@ If you enable this setting, none of the mouse pointer scheme settings can be cha
<!-- CPL_Personalization_NoMousePointersUI-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Available in the latest Windows 10 Insider Preview Build.
<!-- CPL_Personalization_NoMousePointersUI-Editable-End -->
<!-- CPL_Personalization_NoMousePointersUI-DFProperties-Begin -->

1
windows/client-management/mdm/policy-csp-admx-credui.md
View File

@ -111,7 +111,6 @@ If you turn this policy setting on, local users wont be able to set up and us
<!-- NoLocalPasswordResetQuestions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Available in the latest Windows 10 Insider Preview Build.
<!-- NoLocalPasswordResetQuestions-Editable-End -->
<!-- NoLocalPasswordResetQuestions-DFProperties-Begin -->

12
windows/client-management/mdm/policy-csp-admx-eaime.md
View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_EAIME Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 12/21/2022
ms.date: 01/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -52,7 +52,7 @@ If you disable or do not configure this policy setting, both Publishing Standard
This policy setting applies to Japanese Microsoft IME only.
Note: Changes to this setting will not take effect until the user logs off.
**Note**: Changes to this setting will not take effect until the user logs off.
<!-- L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList-Description-End -->
<!-- L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList-Editable-Begin -->
@ -128,7 +128,7 @@ If you disable or do not configure this policy setting, no range of characters a
This policy setting applies to Japanese Microsoft IME only.
Note: Changes to this setting will not take effect until the user logs off.
**Note**: Changes to this setting will not take effect until the user logs off.
<!-- L_RestrictCharacterCodeRangeOfConversion-Description-End -->
<!-- L_RestrictCharacterCodeRangeOfConversion-Editable-Begin -->
@ -195,7 +195,7 @@ If you disable or do not configure this policy setting, the custom dictionary ca
This policy setting is applied to Japanese Microsoft IME.
Note: Changes to this setting will not take effect until the user logs off.
**Note**: Changes to this setting will not take effect until the user logs off.
<!-- L_TurnOffCustomDictionary-Description-End -->
<!-- L_TurnOffCustomDictionary-Editable-Begin -->
@ -259,7 +259,7 @@ If you disable or do not configure this policy setting, history-based predictive
This policy setting applies to Japanese Microsoft IME only.
Note: Changes to this setting will not take effect until the user logs off.
**Note**: Changes to this setting will not take effect until the user logs off.
<!-- L_TurnOffHistorybasedPredictiveInput-Description-End -->
<!-- L_TurnOffHistorybasedPredictiveInput-Editable-Begin -->
@ -325,7 +325,7 @@ If you disable or do not configure this policy setting, the search integration f
This policy setting applies to Japanese Microsoft IME.
Note: Changes to this setting will not take effect until the user logs off.
**Note**: Changes to this setting will not take effect until the user logs off.
<!-- L_TurnOffInternetSearchIntegration-Description-End -->
<!-- L_TurnOffInternetSearchIntegration-Editable-Begin -->

1
windows/client-management/mdm/policy-csp-admx-explorer.md
View File

@ -170,7 +170,6 @@ Note: When the menu bar is not displayed, users can access the menu bar by press
<!-- AlwaysShowClassicMenu-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Available in the latest Windows 10 Insider Preview Build.
<!-- AlwaysShowClassicMenu-Editable-End -->
<!-- AlwaysShowClassicMenu-DFProperties-Begin -->

212
windows/client-management/mdm/policy-csp-admx-framepanes.md
View File

@ -1,139 +1,161 @@
---
title: Policy CSP - ADMX_FramePanes
description: Learn about the Policy CSP - ADMX_FramePanes.
title: ADMX_FramePanes Policy CSP
description: Learn more about the ADMX_FramePanes Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/03/2023
ms.localizationpriority: medium
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/14/2021
ms.reviewer:
manager: aaroncz
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- ADMX_FramePanes-Begin -->
# Policy CSP - ADMX_FramePanes
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!--Policies-->
## ADMX_FramePanes policies
<!-- ADMX_FramePanes-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ADMX_FramePanes-Editable-End -->
<dl>
<dd>
<a href="#admx-framepanes-noreadingpane">ADMX_FramePanes/NoReadingPane</a>
</dd>
<dd>
<a href="#admx-framepanes-nopreviewpane">ADMX_FramePanes/NoPreviewPane</a>
</dd>
</dl>
<!-- NoPreviewPane-Begin -->
## NoPreviewPane
<!-- NoPreviewPane-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- NoPreviewPane-Applicability-End -->
<hr/>
<!-- NoPreviewPane-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/ADMX_FramePanes/NoPreviewPane
```
<!-- NoPreviewPane-OmaUri-End -->
<!--Policy-->
<a href="" id="admx-framepanes-noreadingpane"></a>**ADMX_FramePanes/NoReadingPane**
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
<!-- NoPreviewPane-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting shows or hides the Details Pane in File Explorer.
If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and can't be turned on by the user.
If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and cannot be turned on by the user.
If you enable this policy setting and configure it to show the pane, the Details Pane is always visible and can't be hidden by the user.
If you enable this policy setting and configure it to show the pane, the Details Pane is always visible and cannot be hidden by the user.
> [!NOTE]
> This has a side effect of not being able to toggle to the Preview Pane since the two can't be displayed at the same time.
**Note**: This has a side effect of not being able to toggle to the Preview Pane since the two cannot be displayed at the same time.
If you disable, or don't configure this policy setting, the Details Pane is hidden by default and can be displayed by the user.
If you disable, or do not configure this policy setting, the Details Pane is hidden by default and can be displayed by the user. This is the default policy setting.
<!-- NoPreviewPane-Description-End -->
This setting is the default policy setting.
<!-- NoPreviewPane-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- NoPreviewPane-Editable-End -->
<!--/Description-->
<!-- NoPreviewPane-DFProperties-Begin -->
**Description framework properties**:
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Turn on or off details pane*
- GP name: *NoReadingPane*
- GP path: *Windows Components\File Explorer\Explorer Frame Pane*
- GP ADMX file name: *FramePanes.admx*
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- NoPreviewPane-DFProperties-End -->
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!-- NoPreviewPane-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--Policy-->
<a href="" id="admx-framepanes-nopreviewpane"></a>**ADMX_FramePanes/NoPreviewPane**
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | NoPreviewPane |
| Friendly Name | Turn on or off details pane |
| Location | User Configuration |
| Path | WindowsComponents > File Explorer > Explorer Frame Pane |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
| ADMX File Name | FramePanes.admx |
<!-- NoPreviewPane-AdmxBacked-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- NoPreviewPane-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- NoPreviewPane-Examples-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- NoPreviewPane-End -->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- NoReadingPane-Begin -->
## NoReadingPane
> [!div class = "checklist"]
> * User
<!-- NoReadingPane-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- NoReadingPane-Applicability-End -->
<hr/>
<!-- NoReadingPane-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/ADMX_FramePanes/NoReadingPane
```
<!-- NoReadingPane-OmaUri-End -->
<!--/Scope-->
<!--Description-->
<!-- NoReadingPane-Description-Begin -->
<!-- Description-Source-ADMX -->
Hides the Preview Pane in File Explorer.
If you enable this policy setting, the Preview Pane in File Explorer is hidden and can't be turned on by the user.
If you enable this policy setting, the Preview Pane in File Explorer is hidden and cannot be turned on by the user.
If you disable, or don't configure this setting, the Preview Pane is hidden by default and can be displayed by the user.
If you disable, or do not configure this setting, the Preview Pane is hidden by default and can be displayed by the user.
<!-- NoReadingPane-Description-End -->
<!--/Description-->
<!-- NoReadingPane-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- NoReadingPane-Editable-End -->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Turn off Preview Pane*
- GP name: *NoPreviewPane*
- GP path: *Windows Components\File Explorer\Explorer Frame Pane*
- GP ADMX file name: *FramePanes.admx*
<!-- NoReadingPane-DFProperties-Begin -->
**Description framework properties**:
<!--/ADMXBacked-->
<!--/Policy-->
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- NoReadingPane-DFProperties-End -->
<!--/Policies-->
<!-- NoReadingPane-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
## Related topics
**ADMX mapping**:
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
| Name | Value |
|:--|:--|
| Name | NoReadingPane |
| Friendly Name | Turn off Preview Pane |
| Location | User Configuration |
| Path | WindowsComponents > File Explorer > Explorer Frame Pane |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
| Registry Value Name | NoReadingPane |
| ADMX File Name | FramePanes.admx |
<!-- NoReadingPane-AdmxBacked-End -->
<!-- NoReadingPane-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- NoReadingPane-Examples-End -->
<!-- NoReadingPane-End -->
<!-- ADMX_FramePanes-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- ADMX_FramePanes-CspMoreInfo-End -->
<!-- ADMX_FramePanes-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

667
windows/client-management/mdm/policy-csp-admx-iscsi.md
View File

@ -1,183 +1,604 @@
---
title: Policy CSP - ADMX_iSCSI
description: Learn about the Policy CSP - ADMX_iSCSI.
title: ADMX_iSCSI Policy CSP
description: Learn more about the ADMX_iSCSI Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/03/2023
ms.localizationpriority: medium
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 12/17/2020
ms.reviewer:
manager: aaroncz
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- ADMX_iSCSI-Begin -->
# Policy CSP - ADMX_iSCSI
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!-- ADMX_iSCSI-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ADMX_iSCSI-Editable-End -->
<!--Policies-->
## ADMX_iSCSI policies
<!-- iSCSIDiscovery_ConfigureiSNSServers-Begin -->
## iSCSIDiscovery_ConfigureiSNSServers
<dl>
<dd>
<a href="#admx-iscsi-iscsigeneral_restrictadditionallogins">ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins</a>
</dd>
<dd>
<a href="#admx-iscsi-iscsigeneral_changeiqnname">ADMX_iSCSI/iSCSIGeneral_ChangeIQNName</a>
</dd>
<dd>
<a href="#admx-iscsi-iscsisecurity_changechapsecret">ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret</a>
</dd>
</dl>
<!-- iSCSIDiscovery_ConfigureiSNSServers-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- iSCSIDiscovery_ConfigureiSNSServers-Applicability-End -->
<!-- iSCSIDiscovery_ConfigureiSNSServers-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSIDiscovery_ConfigureiSNSServers
```
<!-- iSCSIDiscovery_ConfigureiSNSServers-OmaUri-End -->
<hr/>
<!-- iSCSIDiscovery_ConfigureiSNSServers-Description-Begin -->
<!-- Description-Source-ADMX -->
If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS servers; existing iSNS servers may not be removed. If disabled then new iSNS servers may be added and thus new targets discovered via those iSNS servers; existing iSNS servers may be removed.
<!-- iSCSIDiscovery_ConfigureiSNSServers-Description-End -->
<!--Policy-->
<a href="" id="admx-iscsi-iscsigeneral_restrictadditionallogins"></a>**ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins**
<!-- iSCSIDiscovery_ConfigureiSNSServers-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- iSCSIDiscovery_ConfigureiSNSServers-Editable-End -->
<!--SupportedSKUs-->
<!-- iSCSIDiscovery_ConfigureiSNSServers-DFProperties-Begin -->
**Description framework properties**:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- iSCSIDiscovery_ConfigureiSNSServers-DFProperties-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- iSCSIDiscovery_ConfigureiSNSServers-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
**ADMX mapping**:
> [!div class = "checklist"]
> * Device
| Name | Value |
|:--|:--|
| Name | iSCSIDiscovery_ConfigureiSNSServers |
| Friendly Name | Do not allow manual configuration of iSNS servers |
| Location | Computer Configuration |
| Path | System > iSCSI > iSCSI Target Discovery |
| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI |
| Registry Value Name | ConfigureiSNSServers |
| ADMX File Name | iSCSI.admx |
<!-- iSCSIDiscovery_ConfigureiSNSServers-AdmxBacked-End -->
<hr/>
<!-- iSCSIDiscovery_ConfigureiSNSServers-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- iSCSIDiscovery_ConfigureiSNSServers-Examples-End -->
<!--/Scope-->
<!--Description-->
If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS servers; existing iSNS servers may not be removed.
<!-- iSCSIDiscovery_ConfigureiSNSServers-End -->
If disabled then new iSNS servers may be added and thus new targets discovered via those iSNS servers; existing iSNS servers may be removed.
<!-- iSCSIDiscovery_ConfigureTargetPortals-Begin -->
## iSCSIDiscovery_ConfigureTargetPortals
<!-- iSCSIDiscovery_ConfigureTargetPortals-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- iSCSIDiscovery_ConfigureTargetPortals-Applicability-End -->
<!--/Description-->
<!-- iSCSIDiscovery_ConfigureTargetPortals-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSIDiscovery_ConfigureTargetPortals
```
<!-- iSCSIDiscovery_ConfigureTargetPortals-OmaUri-End -->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Do not allow manual configuration of iSNS servers*
- GP name: *iSCSIGeneral_RestrictAdditionalLogins*
- GP path: *System\iSCSI\iSCSI Target Discovery*
- GP ADMX file name: *iSCSI.admx*
<!-- iSCSIDiscovery_ConfigureTargetPortals-Description-Begin -->
<!-- Description-Source-ADMX -->
If enabled then new target portals may not be added and thus new targets discovered on those portals; existing target portals may not be removed. If disabled then new target portals may be added and thus new targets discovered on those portals; existing target portals may be removed.
<!-- iSCSIDiscovery_ConfigureTargetPortals-Description-End -->
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!-- iSCSIDiscovery_ConfigureTargetPortals-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- iSCSIDiscovery_ConfigureTargetPortals-Editable-End -->
<!--Policy-->
<a href="" id="admx-iscsi-iscsigeneral_changeiqnname"></a>**ADMX_iSCSI/iSCSIGeneral_ChangeIQNName**
<!-- iSCSIDiscovery_ConfigureTargetPortals-DFProperties-Begin -->
**Description framework properties**:
<!--SupportedSKUs-->
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- iSCSIDiscovery_ConfigureTargetPortals-DFProperties-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- iSCSIDiscovery_ConfigureTargetPortals-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--/SupportedSKUs-->
<hr/>
**ADMX mapping**:
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
| Name | Value |
|:--|:--|
| Name | iSCSIDiscovery_ConfigureTargetPortals |
| Friendly Name | Do not allow manual configuration of target portals |
| Location | Computer Configuration |
| Path | System > iSCSI > iSCSI Target Discovery |
| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI |
| Registry Value Name | ConfigureTargetPortals |
| ADMX File Name | iSCSI.admx |
<!-- iSCSIDiscovery_ConfigureTargetPortals-AdmxBacked-End -->
> [!div class = "checklist"]
> * Device
<!-- iSCSIDiscovery_ConfigureTargetPortals-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- iSCSIDiscovery_ConfigureTargetPortals-Examples-End -->
<hr/>
<!-- iSCSIDiscovery_ConfigureTargetPortals-End -->
<!--/Scope-->
<!--Description-->
If enabled then new target portals may not be added and thus new targets discovered on those portals; existing target portals may not be removed.
<!-- iSCSIDiscovery_ConfigureTargets-Begin -->
## iSCSIDiscovery_ConfigureTargets
If disabled then new target portals may be added and thus new targets discovered on those portals; existing target portals may be removed.
<!-- iSCSIDiscovery_ConfigureTargets-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- iSCSIDiscovery_ConfigureTargets-Applicability-End -->
<!--/Description-->
<!-- iSCSIDiscovery_ConfigureTargets-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSIDiscovery_ConfigureTargets
```
<!-- iSCSIDiscovery_ConfigureTargets-OmaUri-End -->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Do not allow manual configuration of target portals*
- GP name: *iSCSIGeneral_ChangeIQNName*
- GP path: *System\iSCSI\iSCSI Target Discovery*
- GP ADMX file name: *iSCSI.admx*
<!-- iSCSIDiscovery_ConfigureTargets-Description-Begin -->
<!-- Description-Source-ADMX -->
If enabled then discovered targets may not be manually configured. If disabled then discovered targets may be manually configured.
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
**Note**: if enabled there may be cases where this will break VDS.
<!-- iSCSIDiscovery_ConfigureTargets-Description-End -->
<!--Policy-->
<a href="" id="admx-iscsi-iscsisecurity_changechapsecret"></a>**ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret**
<!-- iSCSIDiscovery_ConfigureTargets-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- iSCSIDiscovery_ConfigureTargets-Editable-End -->
<!--SupportedSKUs-->
<!-- iSCSIDiscovery_ConfigureTargets-DFProperties-Begin -->
**Description framework properties**:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- iSCSIDiscovery_ConfigureTargets-DFProperties-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- iSCSIDiscovery_ConfigureTargets-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
**ADMX mapping**:
> [!div class = "checklist"]
> * Device
| Name | Value |
|:--|:--|
| Name | iSCSIDiscovery_ConfigureTargets |
| Friendly Name | Do not allow manual configuration of discovered targets |
| Location | Computer Configuration |
| Path | System > iSCSI > iSCSI Target Discovery |
| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI |
| Registry Value Name | ConfigureTargets |
| ADMX File Name | iSCSI.admx |
<!-- iSCSIDiscovery_ConfigureTargets-AdmxBacked-End -->
<hr/>
<!-- iSCSIDiscovery_ConfigureTargets-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- iSCSIDiscovery_ConfigureTargets-Examples-End -->
<!--/Scope-->
<!--Description-->
If enabled then don't allow the initiator CHAP secret to be changed.
<!-- iSCSIDiscovery_ConfigureTargets-End -->
If disabled then the initiator CHAP secret may be changed.
<!-- iSCSIDiscovery_NewStaticTargets-Begin -->
## iSCSIDiscovery_NewStaticTargets
<!--/Description-->
<!-- iSCSIDiscovery_NewStaticTargets-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- iSCSIDiscovery_NewStaticTargets-Applicability-End -->
<!-- iSCSIDiscovery_NewStaticTargets-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSIDiscovery_NewStaticTargets
```
<!-- iSCSIDiscovery_NewStaticTargets-OmaUri-End -->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Do not allow changes to initiator CHAP secret*
- GP name: *iSCSISecurity_ChangeCHAPSecret*
- GP path: *System\iSCSI\iSCSI Security*
- GP ADMX file name: *iSCSI.admx*
<!-- iSCSIDiscovery_NewStaticTargets-Description-Begin -->
<!-- Description-Source-ADMX -->
If enabled then new targets may not be manually configured by entering the target name and target portal; already discovered targets may be manually configured. If disabled then new and already discovered targets may be manually configured.
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
**Note**: if enabled there may be cases where this will break VDS.
<!-- iSCSIDiscovery_NewStaticTargets-Description-End -->
<!-- iSCSIDiscovery_NewStaticTargets-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- iSCSIDiscovery_NewStaticTargets-Editable-End -->
<!--/Policies-->
<!-- iSCSIDiscovery_NewStaticTargets-DFProperties-Begin -->
**Description framework properties**:
## Related topics
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- iSCSIDiscovery_NewStaticTargets-DFProperties-End -->
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
<!-- iSCSIDiscovery_NewStaticTargets-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | iSCSIDiscovery_NewStaticTargets |
| Friendly Name | Do not allow adding new targets via manual configuration |
| Location | Computer Configuration |
| Path | System > iSCSI > iSCSI Target Discovery |
| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI |
| Registry Value Name | NewStaticTargets |
| ADMX File Name | iSCSI.admx |
<!-- iSCSIDiscovery_NewStaticTargets-AdmxBacked-End -->
<!-- iSCSIDiscovery_NewStaticTargets-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- iSCSIDiscovery_NewStaticTargets-Examples-End -->
<!-- iSCSIDiscovery_NewStaticTargets-End -->
<!-- iSCSIGeneral_ChangeIQNName-Begin -->
## iSCSIGeneral_ChangeIQNName
<!-- iSCSIGeneral_ChangeIQNName-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- iSCSIGeneral_ChangeIQNName-Applicability-End -->
<!-- iSCSIGeneral_ChangeIQNName-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSIGeneral_ChangeIQNName
```
<!-- iSCSIGeneral_ChangeIQNName-OmaUri-End -->
<!-- iSCSIGeneral_ChangeIQNName-Description-Begin -->
<!-- Description-Source-ADMX -->
If enabled then do not allow the initiator iqn name to be changed. If disabled then the initiator iqn name may be changed.
<!-- iSCSIGeneral_ChangeIQNName-Description-End -->
<!-- iSCSIGeneral_ChangeIQNName-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- iSCSIGeneral_ChangeIQNName-Editable-End -->
<!-- iSCSIGeneral_ChangeIQNName-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- iSCSIGeneral_ChangeIQNName-DFProperties-End -->
<!-- iSCSIGeneral_ChangeIQNName-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | iSCSIGeneral_ChangeIQNName |
| Friendly Name | Do not allow changes to initiator iqn name |
| Location | Computer Configuration |
| Path | System > iSCSI > General iSCSI |
| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI |
| Registry Value Name | ChangeIQNName |
| ADMX File Name | iSCSI.admx |
<!-- iSCSIGeneral_ChangeIQNName-AdmxBacked-End -->
<!-- iSCSIGeneral_ChangeIQNName-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- iSCSIGeneral_ChangeIQNName-Examples-End -->
<!-- iSCSIGeneral_ChangeIQNName-End -->
<!-- iSCSIGeneral_RestrictAdditionalLogins-Begin -->
## iSCSIGeneral_RestrictAdditionalLogins
<!-- iSCSIGeneral_RestrictAdditionalLogins-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- iSCSIGeneral_RestrictAdditionalLogins-Applicability-End -->
<!-- iSCSIGeneral_RestrictAdditionalLogins-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins
```
<!-- iSCSIGeneral_RestrictAdditionalLogins-OmaUri-End -->
<!-- iSCSIGeneral_RestrictAdditionalLogins-Description-Begin -->
<!-- Description-Source-ADMX -->
If enabled then only those sessions that are established via a persistent login will be established and no new persistent logins may be created. If disabled then additional persistent and non persistent logins may be established.
<!-- iSCSIGeneral_RestrictAdditionalLogins-Description-End -->
<!-- iSCSIGeneral_RestrictAdditionalLogins-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- iSCSIGeneral_RestrictAdditionalLogins-Editable-End -->
<!-- iSCSIGeneral_RestrictAdditionalLogins-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- iSCSIGeneral_RestrictAdditionalLogins-DFProperties-End -->
<!-- iSCSIGeneral_RestrictAdditionalLogins-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | iSCSIGeneral_RestrictAdditionalLogins |
| Friendly Name | Do not allow additional session logins |
| Location | Computer Configuration |
| Path | System > iSCSI > General iSCSI |
| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI |
| Registry Value Name | RestrictAdditionalLogins |
| ADMX File Name | iSCSI.admx |
<!-- iSCSIGeneral_RestrictAdditionalLogins-AdmxBacked-End -->
<!-- iSCSIGeneral_RestrictAdditionalLogins-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- iSCSIGeneral_RestrictAdditionalLogins-Examples-End -->
<!-- iSCSIGeneral_RestrictAdditionalLogins-End -->
<!-- iSCSISecurity_ChangeCHAPSecret-Begin -->
## iSCSISecurity_ChangeCHAPSecret
<!-- iSCSISecurity_ChangeCHAPSecret-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- iSCSISecurity_ChangeCHAPSecret-Applicability-End -->
<!-- iSCSISecurity_ChangeCHAPSecret-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret
```
<!-- iSCSISecurity_ChangeCHAPSecret-OmaUri-End -->
<!-- iSCSISecurity_ChangeCHAPSecret-Description-Begin -->
<!-- Description-Source-ADMX -->
If enabled then do not allow the initiator CHAP secret to be changed. If disabled then the initiator CHAP secret may be changed.
<!-- iSCSISecurity_ChangeCHAPSecret-Description-End -->
<!-- iSCSISecurity_ChangeCHAPSecret-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- iSCSISecurity_ChangeCHAPSecret-Editable-End -->
<!-- iSCSISecurity_ChangeCHAPSecret-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- iSCSISecurity_ChangeCHAPSecret-DFProperties-End -->
<!-- iSCSISecurity_ChangeCHAPSecret-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | iSCSISecurity_ChangeCHAPSecret |
| Friendly Name | Do not allow changes to initiator CHAP secret |
| Location | Computer Configuration |
| Path | System > iSCSI > iSCSI Security |
| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI |
| Registry Value Name | ChangeCHAPSecret |
| ADMX File Name | iSCSI.admx |
<!-- iSCSISecurity_ChangeCHAPSecret-AdmxBacked-End -->
<!-- iSCSISecurity_ChangeCHAPSecret-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- iSCSISecurity_ChangeCHAPSecret-Examples-End -->
<!-- iSCSISecurity_ChangeCHAPSecret-End -->
<!-- iSCSISecurity_RequireIPSec-Begin -->
## iSCSISecurity_RequireIPSec
<!-- iSCSISecurity_RequireIPSec-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- iSCSISecurity_RequireIPSec-Applicability-End -->
<!-- iSCSISecurity_RequireIPSec-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSISecurity_RequireIPSec
```
<!-- iSCSISecurity_RequireIPSec-OmaUri-End -->
<!-- iSCSISecurity_RequireIPSec-Description-Begin -->
<!-- Description-Source-ADMX -->
If enabled then only those connections that are configured for IPSec may be established. If disabled then connections that are configured for IPSec or connections not configured for IPSec may be established.
<!-- iSCSISecurity_RequireIPSec-Description-End -->
<!-- iSCSISecurity_RequireIPSec-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- iSCSISecurity_RequireIPSec-Editable-End -->
<!-- iSCSISecurity_RequireIPSec-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- iSCSISecurity_RequireIPSec-DFProperties-End -->
<!-- iSCSISecurity_RequireIPSec-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | iSCSISecurity_RequireIPSec |
| Friendly Name | Do not allow connections without IPSec |
| Location | Computer Configuration |
| Path | System > iSCSI > iSCSI Security |
| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI |
| Registry Value Name | RequireIPSec |
| ADMX File Name | iSCSI.admx |
<!-- iSCSISecurity_RequireIPSec-AdmxBacked-End -->
<!-- iSCSISecurity_RequireIPSec-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- iSCSISecurity_RequireIPSec-Examples-End -->
<!-- iSCSISecurity_RequireIPSec-End -->
<!-- iSCSISecurity_RequireMutualCHAP-Begin -->
## iSCSISecurity_RequireMutualCHAP
<!-- iSCSISecurity_RequireMutualCHAP-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- iSCSISecurity_RequireMutualCHAP-Applicability-End -->
<!-- iSCSISecurity_RequireMutualCHAP-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSISecurity_RequireMutualCHAP
```
<!-- iSCSISecurity_RequireMutualCHAP-OmaUri-End -->
<!-- iSCSISecurity_RequireMutualCHAP-Description-Begin -->
<!-- Description-Source-ADMX -->
If enabled then only those sessions that are configured for mutual CHAP may be established. If disabled then sessions that are configured for mutual CHAP or sessions not configured for mutual CHAP may be established.
<!-- iSCSISecurity_RequireMutualCHAP-Description-End -->
<!-- iSCSISecurity_RequireMutualCHAP-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- iSCSISecurity_RequireMutualCHAP-Editable-End -->
<!-- iSCSISecurity_RequireMutualCHAP-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- iSCSISecurity_RequireMutualCHAP-DFProperties-End -->
<!-- iSCSISecurity_RequireMutualCHAP-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | iSCSISecurity_RequireMutualCHAP |
| Friendly Name | Do not allow sessions without mutual CHAP |
| Location | Computer Configuration |
| Path | System > iSCSI > iSCSI Security |
| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI |
| Registry Value Name | RequireMutualCHAP |
| ADMX File Name | iSCSI.admx |
<!-- iSCSISecurity_RequireMutualCHAP-AdmxBacked-End -->
<!-- iSCSISecurity_RequireMutualCHAP-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- iSCSISecurity_RequireMutualCHAP-Examples-End -->
<!-- iSCSISecurity_RequireMutualCHAP-End -->
<!-- iSCSISecurity_RequireOneWayCHAP-Begin -->
## iSCSISecurity_RequireOneWayCHAP
<!-- iSCSISecurity_RequireOneWayCHAP-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- iSCSISecurity_RequireOneWayCHAP-Applicability-End -->
<!-- iSCSISecurity_RequireOneWayCHAP-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSISecurity_RequireOneWayCHAP
```
<!-- iSCSISecurity_RequireOneWayCHAP-OmaUri-End -->
<!-- iSCSISecurity_RequireOneWayCHAP-Description-Begin -->
<!-- Description-Source-ADMX -->
If enabled then only those sessions that are configured for one-way CHAP may be established. If disabled then sessions that are configured for one-way CHAP or sessions not configured for one-way CHAP may be established.
**Note** that if the "Do not allow sessions without mutual CHAP" setting is enabled then that setting overrides this one.
<!-- iSCSISecurity_RequireOneWayCHAP-Description-End -->
<!-- iSCSISecurity_RequireOneWayCHAP-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- iSCSISecurity_RequireOneWayCHAP-Editable-End -->
<!-- iSCSISecurity_RequireOneWayCHAP-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- iSCSISecurity_RequireOneWayCHAP-DFProperties-End -->
<!-- iSCSISecurity_RequireOneWayCHAP-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | iSCSISecurity_RequireOneWayCHAP |
| Friendly Name | Do not allow sessions without one way CHAP |
| Location | Computer Configuration |
| Path | System > iSCSI > iSCSI Security |
| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI |
| Registry Value Name | RequireOneWayCHAP |
| ADMX File Name | iSCSI.admx |
<!-- iSCSISecurity_RequireOneWayCHAP-AdmxBacked-End -->
<!-- iSCSISecurity_RequireOneWayCHAP-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- iSCSISecurity_RequireOneWayCHAP-Examples-End -->
<!-- iSCSISecurity_RequireOneWayCHAP-End -->
<!-- ADMX_iSCSI-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- ADMX_iSCSI-CspMoreInfo-End -->
<!-- ADMX_iSCSI-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

579
windows/client-management/mdm/policy-csp-admx-kdc.md
View File

@ -1,206 +1,258 @@
---
title: Policy CSP - ADMX_kdc
description: Learn about the Policy CSP - ADMX_kdc.
title: ADMX_kdc Policy CSP
description: Learn more about the ADMX_kdc Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/03/2023
ms.localizationpriority: medium
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 08/13/2020
ms.reviewer:
manager: aaroncz
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- ADMX_kdc-Begin -->
# Policy CSP - ADMX_kdc
> [!TIP]
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!-- ADMX_kdc-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ADMX_kdc-Editable-End -->
<!--Policies-->
## ADMX_kdc policies
<!-- CbacAndArmor-Begin -->
## CbacAndArmor
<dl>
<dd>
<a href="#admx-kdc-cbacandarmor">ADMX_kdc/CbacAndArmor</a>
</dd>
<dd>
<a href="#admx-kdc-forestsearch">ADMX_kdc/ForestSearch</a>
</dd>
<dd>
<a href="#admx-kdc-pkinitfreshness">ADMX_kdc/PKINITFreshness</a>
</dd>
<dd>
<a href="#admx-kdc-requestcompoundid">ADMX_kdc/RequestCompoundId</a>
</dd>
<dd>
<a href="#admx-kdc-ticketsizethreshold">ADMX_kdc/TicketSizeThreshold</a>
</dd>
<dd>
<a href="#admx-kdc-emitlili">ADMX_kdc/emitlili</a>
</dd>
</dl>
<!-- CbacAndArmor-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- CbacAndArmor-Applicability-End -->
<!-- CbacAndArmor-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_kdc/CbacAndArmor
```
<!-- CbacAndArmor-OmaUri-End -->
<hr/>
<!--Policy-->
<a href="" id="admx-kdc-cbacandarmor"></a>**ADMX_kdc/CbacAndArmor**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!-- CbacAndArmor-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication.
If you enable this policy setting, client computers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain.
If you disable or don't configure this policy setting, the domain controller doesn't support claims, compound authentication or armoring.
If you disable or do not configure this policy setting, the domain controller does not support claims, compound authentication or armoring.
If you configure the "Not supported" option, the domain controller doesn't support claims, compound authentication or armoring, which is the default behavior for domain controllers running Windows Server 2008 R2 or earlier operating systems.
If you configure the "Not supported" option, the domain controller does not support claims, compound authentication or armoring which is the default behavior for domain controllers running Windows Server 2008 R2 or earlier operating systems.
> [!NOTE]
> For the following options of this KDC policy to be effective, the Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must be enabled on supported systems. If the Kerberos policy setting isn't enabled, Kerberos authentication messages won't use these features.
**Note**: For the following options of this KDC policy to be effective, the Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must be enabled on supported systems. If the Kerberos policy setting is not enabled, Kerberos authentication messages will not use these features.
If you configure "Supported", the domain controller supports claims, compound authentication and Kerberos armoring. The domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring.
**Domain functional level requirements**
For the options "Always provide claims" and "Fail unarmored authentication requests", when the domain functional level is set to Windows Server 2008 R2 or earlier, then domain controllers behave as if the "Supported" option is selected.
Domain functional level requirements
For the options "Always provide claims" and "Fail unarmored authentication requests", when the domain functional level is set to Windows Server 2008 R2 or earlier then domain controllers behave as if the "Supported" option is selected.
When the domain functional level is set to Windows Server 2012 then the domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring, and:
- If you set the "Always provide claims" option, always returns claims for accounts and supports the RFC behavior for advertising the flexible authentication secure tunneling (FAST).
- If you set the "Fail unarmored authentication requests" option, rejects unarmored Kerberos messages.
> [!WARNING]
> When "Fail unarmored authentication requests" is set, then client computers which don't support Kerberos armoring will fail to authenticate to the domain controller.
**Warning**: When "Fail unarmored authentication requests" is set, then client computers which do not support Kerberos armoring will fail to authenticate to the domain controller.
To ensure this feature is effective, deploy enough domain controllers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware to handle the authentication requests. Insufficient number of domain controllers that support this policy result in authentication failures whenever Dynamic Access Control or Kerberos armoring is required (that is, the "Supported" option is enabled).
Impact on domain controller performance when this policy setting is enabled:
- Secure Kerberos domain capability discovery is required resulting in additional message exchanges.
- Claims and compound authentication for Dynamic Access Control increases the size and complexity of the data in the message which results in more processing time and greater Kerberos service ticket size.
- Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors which results in increased processing time, but does not change the service ticket size.
<!-- CbacAndArmor-Description-End -->
- Secure Kerberos domain capability discovery is required, resulting in more message exchanges.
- Claims and compound authentication for Dynamic Access Control increase the size and complexity of the data in the message, which results in more processing time and greater Kerberos service ticket size.
- Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors, which result in increased processing time, but doesn't change the service ticket size.
<!-- CbacAndArmor-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- CbacAndArmor-Editable-End -->
<!--/Description-->
<!-- CbacAndArmor-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- CbacAndArmor-DFProperties-End -->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *KDC support for claims, compound authentication and Kerberos armoring*
- GP name: *CbacAndArmor*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*
<!-- CbacAndArmor-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
**ADMX mapping**:
<!--Policy-->
<a href="" id="admx-kdc-forestsearch"></a>**ADMX_kdc/ForestSearch**
| Name | Value |
|:--|:--|
| Name | CbacAndArmor |
| Friendly Name | KDC support for claims, compound authentication and Kerberos armoring |
| Location | Computer Configuration |
| Path | System > KDC |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters |
| Registry Value Name | EnableCbacAndArmor |
| ADMX File Name | kdc.admx |
<!-- CbacAndArmor-AdmxBacked-End -->
<!--SupportedSKUs-->
<!-- CbacAndArmor-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- CbacAndArmor-Examples-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- CbacAndArmor-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- emitlili-Begin -->
## emitlili
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- emitlili-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- emitlili-Applicability-End -->
> [!div class = "checklist"]
> * Device
<!-- emitlili-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_kdc/emitlili
```
<!-- emitlili-OmaUri-End -->
<hr/>
<!-- emitlili-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting controls whether the domain controller provides information about previous logons to client computers.
<!--/Scope-->
<!--Description-->
If you enable this policy setting, the domain controller provides the information message about previous logons.
For Windows Logon to leverage this feature, the "Display information about previous logons during user logon" policy setting located in the Windows Logon Options node under Windows Components also needs to be enabled.
If you disable or do not configure this policy setting, the domain controller does not provide information about previous logons unless the "Display information about previous logons during user logon" policy setting is enabled.
**Note**: Information about previous logons is provided only if the domain functional level is Windows Server 2008. In domains with a domain functional level of Windows Server 2003, Windows 2000 native, or Windows 2000 mixed, domain controllers cannot provide information about previous logons, and enabling this policy setting does not affect anything.
<!-- emitlili-Description-End -->
<!-- emitlili-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- emitlili-Editable-End -->
<!-- emitlili-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- emitlili-DFProperties-End -->
<!-- emitlili-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | emitlili |
| Friendly Name | Provide information about previous logons to client computers |
| Location | Computer Configuration |
| Path | System > KDC |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters |
| Registry Value Name | EmitLILI |
| ADMX File Name | kdc.admx |
<!-- emitlili-AdmxBacked-End -->
<!-- emitlili-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- emitlili-Examples-End -->
<!-- emitlili-End -->
<!-- ForestSearch-Begin -->
## ForestSearch
<!-- ForestSearch-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- ForestSearch-Applicability-End -->
<!-- ForestSearch-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_kdc/ForestSearch
```
<!-- ForestSearch-OmaUri-End -->
<!-- ForestSearch-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs).
If you enable this policy setting, the KDC will search the forests in this list if it's unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain.
If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain.
If you disable or don't configure this policy setting, the KDC won't search the listed forests to resolve the SPN. If the KDC is unable to resolve the SPN because the name isn't found, NTLM authentication might be used.
If you disable or do not configure this policy setting, the KDC will not search the listed forests to resolve the SPN. If the KDC is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
To ensure consistent behavior, this policy setting must be supported and set identically on all domain controllers in the domain.
<!-- ForestSearch-Description-End -->
<!--/Description-->
<!-- ForestSearch-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForestSearch-Editable-End -->
<!-- ForestSearch-DFProperties-Begin -->
**Description framework properties**:
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Use forest search order*
- GP name: *ForestSearch*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- ForestSearch-DFProperties-End -->
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!-- ForestSearch-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--Policy-->
<a href="" id="admx-kdc-pkinitfreshness"></a>**ADMX_kdc/PKINITFreshness**
**ADMX mapping**:
<!--SupportedSKUs-->
| Name | Value |
|:--|:--|
| Name | ForestSearch |
| Friendly Name | Use forest search order |
| Location | Computer Configuration |
| Path | System > KDC |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters |
| Registry Value Name | UseForestSearch |
| ADMX File Name | kdc.admx |
<!-- ForestSearch-AdmxBacked-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- ForestSearch-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForestSearch-Examples-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- ForestSearch-End -->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- PKINITFreshness-Begin -->
## PKINITFreshness
> [!div class = "checklist"]
> * Device
<!-- PKINITFreshness-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- PKINITFreshness-Applicability-End -->
<hr/>
<!-- PKINITFreshness-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_kdc/PKINITFreshness
```
<!-- PKINITFreshness-OmaUri-End -->
<!--/Scope-->
<!--Description-->
Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controllers domain isn't at Windows Server 2016 DFL or higher, this policy won't be applied.
<!-- PKINITFreshness-Description-Begin -->
<!-- Description-Source-ADMX -->
Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controllers domain is not at Windows Server 2016 DFL or higher this policy will not be applied.
This policy setting allows you to configure a domain controller (DC) to support the PKInit Freshness Extension.
@ -208,177 +260,174 @@ If you enable this policy setting, the following options are supported:
Supported: PKInit Freshness Extension is supported on request. Kerberos clients successfully authenticating with the PKInit Freshness Extension will get the fresh public key identity SID.
Required: PKInit Freshness Extension is required for successful authentication. Kerberos clients that don't support the PKInit Freshness Extension will always fail when using public key credentials.
Required: PKInit Freshness Extension is required for successful authentication. Kerberos clients which do not support the PKInit Freshness Extension will always fail when using public key credentials.
If you disable or not configure this policy setting, then the DC will never offer the PKInit Freshness Extension and accept valid authentication requests without checking for freshness. Users will never receive the fresh public key identity SID.
<!-- PKINITFreshness-Description-End -->
<!--/Description-->
<!-- PKINITFreshness-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- PKINITFreshness-Editable-End -->
<!-- PKINITFreshness-DFProperties-Begin -->
**Description framework properties**:
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *KDC support for PKInit Freshness Extension*
- GP name: *PKINITFreshness*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- PKINITFreshness-DFProperties-End -->
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!-- PKINITFreshness-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--Policy-->
<a href="" id="admx-kdc-requestcompoundid"></a>**ADMX_kdc/RequestCompoundId**
**ADMX mapping**:
<!--SupportedSKUs-->
| Name | Value |
|:--|:--|
| Name | PKINITFreshness |
| Friendly Name | KDC support for PKInit Freshness Extension |
| Location | Computer Configuration |
| Path | System > KDC |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters |
| ADMX File Name | kdc.admx |
<!-- PKINITFreshness-AdmxBacked-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- PKINITFreshness-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- PKINITFreshness-Examples-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- PKINITFreshness-End -->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- RequestCompoundId-Begin -->
## RequestCompoundId
> [!div class = "checklist"]
> * Device
<!-- RequestCompoundId-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- RequestCompoundId-Applicability-End -->
<hr/>
<!-- RequestCompoundId-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_kdc/RequestCompoundId
```
<!-- RequestCompoundId-OmaUri-End -->
<!--/Scope-->
<!--Description-->
<!-- RequestCompoundId-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure a domain controller to request compound authentication.
> [!NOTE]
> For a domain controller to request compound authentication, the policy "KDC support for claims, compound authentication, and Kerberos armoring" must be configured and enabled.
**Note**: For a domain controller to request compound authentication, the policy "KDC support for claims, compound authentication, and Kerberos armoring" must be configured and enabled.
If you enable this policy setting, domain controllers will request compound authentication. The returned service ticket will contain compound authentication only when the account is explicitly configured. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain.
If you disable or don't configure this policy setting, domain controllers will return service tickets that contain compound authentication anytime the client sends a compound authentication request regardless of the account configuration.
If you disable or do not configure this policy setting, domain controllers will return service tickets that contain compound authentication any time the client sends a compound authentication request regardless of the account configuration.
<!-- RequestCompoundId-Description-End -->
<!--/Description-->
<!-- RequestCompoundId-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- RequestCompoundId-Editable-End -->
<!-- RequestCompoundId-DFProperties-Begin -->
**Description framework properties**:
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Request compound authentication*
- GP name: *RequestCompoundId*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- RequestCompoundId-DFProperties-End -->
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!-- RequestCompoundId-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--Policy-->
<a href="" id="admx-kdc-ticketsizethreshold"></a>**ADMX_kdc/TicketSizeThreshold**
**ADMX mapping**:
<!--SupportedSKUs-->
| Name | Value |
|:--|:--|
| Name | RequestCompoundId |
| Friendly Name | Request compound authentication |
| Location | Computer Configuration |
| Path | System > KDC |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters |
| Registry Value Name | RequestCompoundId |
| ADMX File Name | kdc.admx |
<!-- RequestCompoundId-AdmxBacked-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- RequestCompoundId-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- RequestCompoundId-Examples-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- RequestCompoundId-End -->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- TicketSizeThreshold-Begin -->
## TicketSizeThreshold
> [!div class = "checklist"]
> * Device
<!-- TicketSizeThreshold-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- TicketSizeThreshold-Applicability-End -->
<hr/>
<!-- TicketSizeThreshold-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_kdc/TicketSizeThreshold
```
<!-- TicketSizeThreshold-OmaUri-End -->
<!--/Scope-->
<!--Description-->
<!-- TicketSizeThreshold-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authentication. The ticket size warnings are logged in the System log.
If you enable this policy setting, you can set the threshold limit for Kerberos ticket, which triggers the warning events. If set too high, then authentication failures might be occurring even though warning events aren't being logged. If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize used in your environment if you aren't configuring using Group Policy.
If you enable this policy setting, you can set the threshold limit for Kerberos ticket which trigger the warning events. If set too high, then authentication failures might be occurring even though warning events are not being logged. If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize used in your environment if you are not configuring using Group Policy.
If you disable or don't configure this policy setting, the threshold value defaults to 12,000 bytes, which is the default Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions.
If you disable or do not configure this policy setting, the threshold value defaults to 12,000 bytes, which is the default Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions.
<!-- TicketSizeThreshold-Description-End -->
<!--/Description-->
<!-- TicketSizeThreshold-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- TicketSizeThreshold-Editable-End -->
<!-- TicketSizeThreshold-DFProperties-Begin -->
**Description framework properties**:
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Warning for large Kerberos tickets*
- GP name: *TicketSizeThreshold*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- TicketSizeThreshold-DFProperties-End -->
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!-- TicketSizeThreshold-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--Policy-->
<a href="" id="admx-kdc-emitlili"></a>**ADMX_kdc/emitlili**
**ADMX mapping**:
<!--SupportedSKUs-->
| Name | Value |
|:--|:--|
| Name | TicketSizeThreshold |
| Friendly Name | Warning for large Kerberos tickets |
| Location | Computer Configuration |
| Path | System > KDC |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters |
| Registry Value Name | EnableTicketSizeThreshold |
| ADMX File Name | kdc.admx |
<!-- TicketSizeThreshold-AdmxBacked-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- TicketSizeThreshold-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- TicketSizeThreshold-Examples-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- TicketSizeThreshold-End -->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- ADMX_kdc-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- ADMX_kdc-CspMoreInfo-End -->
> [!div class = "checklist"]
> * Device
<!-- ADMX_kdc-End -->
<hr/>
## Related articles
<!--/Scope-->
<!--Description-->
This policy setting controls whether the domain controller provides information about previous logons to client computers.
If you enable this policy setting, the domain controller provides the information message about previous logons.
For Windows Logon to use this feature, the "Display information about previous logons during user logon" policy setting located in the Windows Logon Options node under Windows Components also needs to be enabled.
If you disable or don't configure this policy setting, the domain controller doesn't provide information about previous logons unless the "Display information about previous logons during user logon" policy setting is enabled.
> [!NOTE]
> Information about previous logons is provided only if the domain functional level is Windows Server 2008. In domains with a domain functional level of Windows Server 2003, Windows 2000 native, or Windows 2000 mixed, domain controllers cannot provide information about previous logons, and enabling this policy setting doesn't affect anything.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Provide information about previous logons to client computers*
- GP name: *emitlili*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies-->
## Related topics
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
[Policy configuration service provider](policy-configuration-service-provider.md)