5.8 KiB
title, description, ms.author, ms.localizationpriority, ms.topic, ms.prod, ms.technology, author, ms.date, ms.reviewer, manager
| title | description | ms.author | ms.localizationpriority | ms.topic | ms.prod | ms.technology | author | ms.date | ms.reviewer | manager |
|---|---|---|---|---|---|---|---|---|---|---|
| Policy CSP - ADMX_CredUI | Policy CSP - ADMX_CredUI | dansimp | medium | article | w10 | windows | manikadhiman | 11/09/2020 | dansimp |
Policy CSP - ADMX_CredUI
Warning
Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
ADMX_CredUI policies
ADMX_CredUI/EnableSecureCredentialPrompting
| Windows Edition | Supported? |
|---|---|
| Home |  |
| Pro | |
| Business | |
| Enterprise |  |
| Education | |
[!div class = "checklist"]
- Device
Available in the latest Windows 10 Insider Preview Build. This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials.
Note
This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled.
If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism.
If you disable or do not configure this policy setting, users will enter Windows credentials within the user’s desktop session, potentially allowing malicious code access to the user’s Windows credentials.
Tip
This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.
You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.
The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
ADMX Info:
- GP English name: Require trusted path for credential entry
- GP name: EnableSecureCredentialPrompting
- GP path: Windows Components\Credential User Interface
- GP ADMX file name: CredUI.admx
ADMX_CredUI/NoLocalPasswordResetQuestions
| Windows Edition | Supported? |
|---|---|
| Home | |
| Pro | |
| Business | |
| Enterprise | |
| Education | |
[!div class = "checklist"]
- Device
Available in the latest Windows 10 Insider Preview Build. If you turn this policy setting on, local users won’t be able to set up and use security questions to reset their passwords.
Tip
This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.
You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.
The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
ADMX Info:
- GP English name: Prevent the use of security questions for local accounts
- GP name: NoLocalPasswordResetQuestions
- GP path: Windows Components\Credential User Interface
- GP ADMX file name: CredUI.admx
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.