deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/client-management/mdm/policy-csp-admx-sam.md
Vinay Pamnani e25ccc0fb0 Update 2009 to 20H2
2024-08-06 13:15:20 -06:00

4.4 KiB
Raw Blame History

title, description, ms.date
title description ms.date
ADMX_sam Policy CSP Learn more about the ADMX_sam Area in Policy CSP. 08/06/2024

Policy CSP - ADMX_sam

[!INCLUDE ADMX-backed CSP tip]

SamNGCKeyROCAValidation

Scope Editions Applicable OS
Device
User		 Pro
Enterprise
Education
Windows SE
IoT Enterprise / IoT Enterprise LTSC		 Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
Windows 11, version 21H2 [10.0.22000] and later		 
./Device/Vendor/MSFT/Policy/Config/ADMX_sam/SamNGCKeyROCAValidation

This policy setting allows you to configure how domain controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the "Return of Coppersmith's attack" (ROCA) vulnerability.

For more information on the ROCA vulnerability, please see:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361

https://en.wikipedia.org/wiki/ROCA_vulnerability

If you enable this policy setting the following options are supported:

Ignore: during authentication the domain controller won't probe any WHfB keys for the ROCA vulnerability.

Audit: during authentication the domain controller will emit audit events for WHfB keys that are subject to the ROCA vulnerability (authentications will still succeed).

Block: during authentication the domain controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail).

This setting only takes effect on domain controllers.

If not configured, domain controllers will default to using their local configuration. The default local configuration is Audit.

A reboot isn't required for changes to this setting to take effect.

Note to avoid unexpected disruptions this setting shouldn't be set to Block until appropriate mitigations have been performed, for example patching of vulnerable TPMs.

More information is available at< https://go.microsoft.com/fwlink/?linkid=2116430>.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

[!INCLUDE ADMX-backed policy note]

ADMX mapping:

Name Value
Name SamNGCKeyROCAValidation
Friendly Name Configure validation of ROCA-vulnerable WHfB keys during authentication
Location Computer Configuration
Path System > Security Account Manager
Registry Key Name Software\Microsoft\Windows\CurrentVersion\Policies\System\SAM
ADMX File Name sam.admx

Related articles

Policy configuration service provider