gp-pack.com-BSI-BPOL_Windows_10_Sicherheitsmodul_Bundespolizei |
Policy | Setting |
---|---|
Enforce password history | 24 passwords remembered |
Maximum password age | 42 days |
Minimum password age | 1 days |
Minimum password length | 14 characters |
Password must meet complexity requirements | Enabled |
Store passwords using reversible encryption | Disabled |
Policy | Setting |
---|---|
Account lockout duration | 15 minutes |
Account lockout threshold | 10 invalid logon attempts |
Reset account lockout counter after | 15 minutes |
Policy | Setting |
---|---|
Access Credential Manager as a trusted caller | |
Access this computer from the network | VORDEFINIERT\Administratoren |
Act as part of the operating system | |
Adjust memory quotas for a process | NT-AUTORITÄT\Lokaler Dienst, NT-AUTORITÄT\Netzwerkdienst, VORDEFINIERT\Administratoren |
Allow log on locally | VORDEFINIERT\Administratoren, VORDEFINIERT\Benutzer |
Allow log on through Terminal Services | VORDEFINIERT\Remotedesktopbenutzer |
Back up files and directories | VORDEFINIERT\Administratoren |
Bypass traverse checking | Jeder, NT-AUTORITÄT\Lokaler Dienst, NT-AUTORITÄT\Netzwerkdienst, VORDEFINIERT\Administratoren, VORDEFINIERT\Benutzer, VORDEFINIERT\Sicherungs-Operatoren |
Change the system time | NT-AUTORITÄT\Lokaler Dienst, VORDEFINIERT\Administratoren |
Change the time zone | VORDEFINIERT\Administratoren, NT-AUTORITÄT\Lokaler Dienst |
Create a pagefile | VORDEFINIERT\Administratoren |
Create a token object | |
Create global objects | NT-AUTORITÄT\Lokaler Dienst, NT-AUTORITÄT\Netzwerkdienst, VORDEFINIERT\Administratoren, NT-AUTORITÄT\DIENST |
Create permanent shared objects | |
Create symbolic links | VORDEFINIERT\Administratoren |
Debug programs | VORDEFINIERT\Administratoren |
Deny access to this computer from the network | NT-AUTORITÄT\Lokales Konto |
Deny log on as a batch job | Gast |
Deny log on as a service | Gast |
Deny log on locally | Gast |
Deny log on through Terminal Services | Gast, NT-AUTORITÄT\Lokales Konto |
Enable computer and user accounts to be trusted for delegation | |
Force shutdown from a remote system | VORDEFINIERT\Administratoren |
Generate security audits | NT-AUTORITÄT\Lokaler Dienst, NT-AUTORITÄT\Netzwerkdienst |
Impersonate a client after authentication | NT-AUTORITÄT\Lokaler Dienst, NT-AUTORITÄT\Netzwerkdienst, VORDEFINIERT\Administratoren, NT-AUTORITÄT\DIENST |
Increase a process working set | VORDEFINIERT\Benutzer |
Increase scheduling priority | VORDEFINIERT\Administratoren |
Load and unload device drivers | VORDEFINIERT\Administratoren |
Lock pages in memory | |
Log on as a batch job | VORDEFINIERT\Administratoren |
Log on as a service | No one (can cause serious problems!) |
Manage auditing and security log | VORDEFINIERT\Administratoren |
Modify an object label | |
Modify firmware environment values | VORDEFINIERT\Administratoren |
Perform volume maintenance tasks | VORDEFINIERT\Administratoren |
Profile single process | VORDEFINIERT\Administratoren |
Profile system performance | VORDEFINIERT\Administratoren, NT SERVICE\WdiServiceHost |
Remove computer from docking station | VORDEFINIERT\Administratoren, VORDEFINIERT\Benutzer |
Replace a process level token | NT-AUTORITÄT\Lokaler Dienst, NT-AUTORITÄT\Netzwerkdienst |
Restore files and directories | VORDEFINIERT\Administratoren |
Shut down the system | VORDEFINIERT\Administratoren, VORDEFINIERT\Benutzer |
Take ownership of files or other objects | VORDEFINIERT\Administratoren |
Policy | Setting |
---|---|
Accounts: Administrator account status | Disabled |
Accounts: Guest account status | Disabled |
Accounts: Limit local account use of blank passwords to console logon only | Enabled |
Accounts: Rename administrator account | "SetToNotEqualAdmin" |
Accounts: Rename guest account | "SetToNotEqualGuest" |
Policy | Setting |
---|---|
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled |
Domain member: Digitally encrypt secure channel data (when possible) | Enabled |
Domain member: Digitally sign secure channel data (when possible) | Enabled |
Domain member: Disable machine account password changes | Disabled |
Domain member: Maximum machine account password age | 42 days |
Domain member: Require strong (Windows 2000 or later) session key | Enabled |
Policy | Setting |
---|---|
Interactive logon: Do not display last user name | Enabled |
Interactive logon: Do not require CTRL+ALT+DEL | Disabled |
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 0 logons |
Interactive logon: Prompt user to change password before expiration | 10 days |
Interactive logon: Smart card removal behavior | Lock Workstation |
Policy | Setting |
---|---|
Microsoft network client: Digitally sign communications (always) | Enabled |
Microsoft network client: Digitally sign communications (if server agrees) | Enabled |
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled |
Policy | Setting |
---|---|
Microsoft network server: Amount of idle time required before suspending session | 15 minutes |
Microsoft network server: Digitally sign communications (always) | Enabled |
Microsoft network server: Digitally sign communications (if client agrees) | Enabled |
Microsoft network server: Disconnect clients when logon hours expire | Enabled |
Policy | Setting |
---|---|
Network access: Allow anonymous SID/Name translation | Disabled |
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled |
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled |
Network access: Do not allow storage of passwords and credentials for network authentication | Enabled |
Network access: Let Everyone permissions apply to anonymous users | Disabled |
Network access: Named Pipes that can be accessed anonymously | |
Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion |
Network access: Remotely accessible registry paths and sub-paths | System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib, System\CurrentControlSet\Services\SysmonLog |
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled |
Network access: Shares that can be accessed anonymously | |
Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves |
Policy | Setting |
---|---|
Network security: Do not store LAN Manager hash value on next password change | Enabled |
Network security: Force logoff when logon hours expire | Enabled |
Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM |
Network security: LDAP client signing requirements | Negotiate signing |
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Enabled |
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Enabled |
Policy | Setting |
---|---|
System cryptography: Force strong key protection for user keys stored on the computer | User must enter a password each time they use a key |
Policy | Setting |
---|---|
System objects: Require case insensitivity for non-Windows subsystems | Enabled |
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled |
Policy | Setting |
---|---|
User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled |
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled |
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop |
User Account Control: Behavior of the elevation prompt for standard users | Automatically deny elevation requests |
User Account Control: Detect application installations and prompt for elevation | Enabled |
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
User Account Control: Run all administrators in Admin Approval Mode | Enabled |
User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
Policy | Setting |
---|---|
Accounts: Block Microsoft accounts | Users can't add or log on with Microsoft accounts |
Interactive logon: Machine account lockout threshold | 4 invalid logon attempts |
Interactive logon: Machine inactivity limit | 900 seconds |
Microsoft network server: Server SPN target name validation level | Required from client |
Network security: Allow Local System to use computer identity for NTLM | Enabled |
Network security: Allow LocalSystem NULL session fallback | Disabled |
Network security: Allow PKU2U authentication requests to this computer to use online identities. | Disabled |
Network security: Configure encryption types allowed for Kerberos | Enabled |
Policy | Setting |
---|---|
Audit Credential Validation | Success, Failure |
Policy | Setting |
---|---|
Audit Application Group Management | Success, Failure |
Audit Computer Account Management | Success, Failure |
Audit Other Account Management Events | Success, Failure |
Audit Security Group Management | Success, Failure |
Audit User Account Management | Success, Failure |
Policy | Setting |
---|---|
Audit PNP Activity | Success |
Audit Process Creation | Success |
Policy | Setting |
---|---|
Audit Account Lockout | Success |
Audit Logoff | Success |
Audit Logon | Success, Failure |
Audit Other Logon/Logoff Events | Success, Failure |
Audit Special Logon | Success, Failure |
Policy | Setting |
---|---|
Audit Removable Storage | Success, Failure |
Policy | Setting |
---|---|
Audit Audit Policy Change | Success, Failure |
Policy | Setting |
---|---|
Audit Sensitive Privilege Use | Success, Failure |
Policy | Setting |
---|---|
Audit IPsec Driver | Success, Failure |
Audit Other System Events | Success, Failure |
Audit Security State Change | Success, Failure |
Audit System Integrity | Success, Failure |
Policy | Setting | Comment |
---|---|---|
Prevent enabling lock screen camera | Enabled | |
Prevent enabling lock screen slide show | Enabled |
Policy | Setting | Comment |
---|---|---|
Allow input personalization | Disabled |
Policy | Setting | Comment |
---|---|---|
Do not allow password expiration time longer than required by policy | Enabled | |
Enable local admin password management | Enabled | |
Password Settings | Enabled | |
Policy | Setting | Comment |
---|---|---|
IPv6 Configuration Policy | Enabled | 08202-0125: The recommended state for this setting is: DisabledComponents - 0xff (255) |
Policy | Setting | Comment |
---|---|---|
Enable insecure guest logons | Disabled |
Policy | Setting | Comment |
---|---|---|
Turn on Mapper I/O (LLTDIO) driver | Disabled | |
Turn on Responder (RSPNDR) driver | Disabled |
Policy | Setting | Comment |
---|---|---|
Turn off Microsoft Peer-to-Peer Networking Services | Enabled |
Policy | Setting | Comment |
---|---|---|
Prohibit installation and configuration of Network Bridge on your DNS domain network | Enabled | |
Require domain users to elevate when setting a network's location | Enabled |
Policy | Setting | Comment |
---|---|---|
Configuration of wireless settings using Windows Connect Now | Disabled | |
Prohibit access of the Windows Connect Now wizards | Enabled |
Policy | Setting | Comment |
---|---|---|
Minimize the number of simultaneous connections to the Internet or a Windows Domain | Enabled | |
Prohibit connection to non-domain networks when connected to domain authenticated network | Enabled |
Policy | Setting | Comment |
---|---|---|
Apply UAC restrictions to local accounts on network logons | Enabled | |
WDigest Authentication (disabling may require KB2871997) | Enabled |
Policy | Setting | Comment |
---|---|---|
Disable Wi-Fi Sense | Enabled |
Policy | Setting | Comment |
---|---|---|
Include command line in process creation events | Disabled |
Policy | Setting | Comment |
---|---|---|
Turn On Virtualization Based Security | Enabled | |
Policy | Setting | Comment |
---|---|---|
Prevent installation of devices that match any of these device IDs | Enabled | |
Prevent installation of devices using drivers that match these device setup classes | Enabled | |
Policy | Setting | Comment |
---|---|---|
Boot-Start Driver Initialization Policy | Enabled | |
Policy | Setting | Comment |
---|---|---|
Configure registry policy processing | Enabled | a) Disable CSE Registry run during session (manually gpupdate as well!) b) as long as there are no Admins, there cannot be changes. |
Turn off background refresh of Group Policy | Disabled | 08202-0145 disables Background processing for CSE Registry(!) |
Policy | Setting | Comment |
---|---|---|
Turn off access to the Store | Enabled | |
Turn off downloading of print drivers over HTTP | Enabled | |
Turn off handwriting personalization data sharing | Enabled | |
Turn off handwriting recognition error reporting | Enabled | |
Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com | Enabled | |
Turn off Internet download for Web publishing and online ordering wizards | Enabled | |
Turn off printing over HTTP | Enabled | |
Turn off Registration if URL connection is referring to Microsoft.com | Enabled | |
Turn off Search Companion content file updates | Enabled | |
Turn off the "Order Prints" picture task | Enabled | |
Turn off the "Publish to Web" task for files and folders | Enabled | |
Turn off the Windows Messenger Customer Experience Improvement Program | Enabled | 08202-0116 (Messenger does not exist in Windows 10) |
Turn off Windows Customer Experience Improvement Program | Enabled | |
Turn off Windows Error Reporting | Enabled |
Policy | Setting | Comment |
---|---|---|
Disallow copying of user input methods to the system account for sign-in | Enabled |
Policy | Setting | Comment |
---|---|---|
Do not display network selection UI | Enabled | |
Do not enumerate connected users on domain-joined computers | Enabled | |
Enumerate local users on domain-joined computers | Disabled | |
Turn off app notifications on the lock screen | Enabled | |
Turn off picture password sign-in | Enabled | |
Turn on convenience PIN sign-in | Disabled |
Policy | Setting | Comment |
---|---|---|
Untrusted Font Blocking | Enabled | |
Policy | Setting | Comment |
---|---|---|
Allow standby states (S1-S3) when sleeping (on battery) | Disabled | |
Allow standby states (S1-S3) when sleeping (plugged in) | Disabled | |
Require a password when a computer wakes (on battery) | Enabled | |
Require a password when a computer wakes (plugged in) | Enabled |
Policy | Setting | Comment |
---|---|---|
Configure Offer Remote Assistance | Disabled | |
Configure Solicited Remote Assistance | Disabled |
Policy | Setting | Comment |
---|---|---|
Enable RPC Endpoint Mapper Client Authentication | Enabled | |
Restrict Unauthenticated RPC clients | Enabled | |
Policy | Setting | Comment |
---|---|---|
Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider | Disabled |
Policy | Setting | Comment |
---|---|---|
Enable/Disable PerfTrack | Disabled |
Policy | Setting | Comment |
---|---|---|
Enable Windows NTP Client | Enabled | |
Enable Windows NTP Server | Disabled |
Policy | Setting | Comment |
---|---|---|
Allow a Windows app to share application data between users | Disabled |
Policy | Setting | Comment |
---|---|---|
Let Windows apps access account information | Enabled | |
Let Windows apps access call history | Enabled | |
Let Windows apps access contacts | Enabled | |
Let Windows apps access email | Enabled | |
Let Windows apps access location | Enabled | |
Let Windows apps access messaging | Enabled | |
Let Windows apps access motion | Enabled | |
Let Windows apps access notifications | Enabled | |
Let Windows apps access the calendar | Enabled | |
Let Windows apps access the camera | Enabled | |
Let Windows apps access the microphone | Enabled | |
Let Windows apps access trusted devices | Enabled | |
Let Windows apps control radios | Enabled | |
Let Windows apps make phone calls | Enabled | |
Policy | Setting | Comment |
---|---|---|
Allow Microsoft accounts to be optional | Enabled | |
Block launching Windows Store apps with Windows Runtime API access from hosted content. | Enabled |
Policy | Setting | Comment |
---|---|---|
Disallow Autoplay for non-volume devices | Enabled | |
Set the default behavior for AutoRun | Enabled | |
Policy | Setting | Comment |
---|---|---|
Configure enhanced anti-spoofing | Enabled |
Policy | Setting | Comment |
---|---|---|
Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) | Enabled | |
Policy | Setting | Comment |
---|---|---|
Allow access to BitLocker-protected fixed data drives from earlier versions of Windows | Disabled | |
Choose how BitLocker-protected fixed drives can be recovered | Enabled | |
Configure use of hardware-based encryption for fixed data drives | Enabled | |
Configure use of passwords for fixed data drives | Disabled | |
Configure use of smart cards on fixed data drives | Enabled | |
Policy | Setting | Comment |
---|---|---|
Allow enhanced PINs for startup | Enabled | |
Allow Secure Boot for integrity validation | Enabled | |
Choose how BitLocker-protected operating system drives can be recovered | Enabled | |
Configure minimum PIN length for startup | Enabled | |
Configure use of hardware-based encryption for operating system drives | Enabled | |
Configure use of passwords for operating system drives | Disabled | |
Require additional authentication at startup | Enabled | |
Policy | Setting | Comment |
---|---|---|
Allow access to BitLocker-protected removable data drives from earlier versions of Windows | Disabled | |
Choose how BitLocker-protected removable drives can be recovered | Enabled | |
Configure use of hardware-based encryption for removable data drives | Enabled | |
Configure use of passwords for removable data drives | Disabled | |
Configure use of smart cards on removable data drives | Enabled | |
Deny write access to removable drives not protected by BitLocker | Enabled | |
Policy | Setting | Comment |
---|---|---|
Turn off Microsoft consumer experiences | Enabled |
Policy | Setting | Comment |
---|---|---|
Do not display the password reveal button | Enabled | |
Enumerate administrator accounts on elevation | Disabled |
Policy | Setting | Comment |
---|---|---|
Allow Telemetry | Enabled | |
Disable pre-release features or settings | Disabled | |
Do not show feedback notifications | Enabled | |
Toggle user control over Insider builds | Disabled | |
Policy | Setting | Comment |
---|---|---|
Download Mode | Disabled |
Policy | Setting | Comment |
---|---|---|
Default Action and Mitigation Settings | Enabled | |
System ASLR | Enabled | |
System DEP | Enabled | |
System SEHOP | Enabled | |
Policy | Setting | Comment |
---|---|---|
Control Event Log behavior when the log file reaches its maximum size | Disabled | |
Specify the maximum log file size (KB) | Enabled | |
Policy | Setting | Comment |
---|---|---|
Control Event Log behavior when the log file reaches its maximum size | Disabled |
Policy | Setting | Comment |
---|---|---|
Control Event Log behavior when the log file reaches its maximum size | Disabled | |
Specify the maximum log file size (KB) | Enabled | |
Policy | Setting | Comment |
---|---|---|
Control Event Log behavior when the log file reaches its maximum size | Disabled | |
Specify the maximum log file size (KB) | Enabled | |
Policy | Setting | Comment |
---|---|---|
Turn off Data Execution Prevention for Explorer | Disabled | |
Turn off heap termination on corruption | Enabled | |
Turn off shell protocol protected mode | Disabled |
Policy | Setting | Comment |
---|---|---|
Prevent the computer from joining a homegroup | Enabled | Homegroup Feature removed in 1803 |
Policy | Setting | Comment |
---|---|---|
Prevent bypassing SmartScreen Filter warnings | Enabled | |
Prevent managing SmartScreen Filter | Enabled | |
Policy | Setting | Comment |
---|---|---|
Turn on SmartScreen Filter scan | Enabled | |
Policy | Setting | Comment |
---|---|---|
Turn off location | Enabled |
Policy | Setting | Comment |
---|---|---|
Allow InPrivate browsing | Disabled | |
Configure cookies | Enabled | |
Configure Password Manager | Disabled | |
Configure Pop-up Blocker | Enabled | |
Configure search suggestions in Address bar | Disabled | |
Prevent bypassing Windows Defender SmartScreen prompts for files | Enabled | Prior 1607, name was: Don't allow SmartScreen Filter warning overrides for unverified files |
Prevent using Localhost IP address for WebRTC | Enabled | |
Policy | Setting | Comment |
---|---|---|
Prevent the usage of OneDrive for file storage | Enabled |
Policy | Setting | Comment |
---|---|---|
Do not allow passwords to be saved | Enabled |
Policy | Setting | Comment |
---|---|---|
Allow users to connect remotely by using Remote Desktop Services | Disabled |
Policy | Setting | Comment |
---|---|---|
Do not allow COM port redirection | Enabled | |
Do not allow drive redirection | Enabled | |
Do not allow LPT port redirection | Enabled | |
Do not allow supported Plug and Play device redirection | Enabled |
Policy | Setting | Comment |
---|---|---|
Always prompt for password upon connection | Enabled | |
Require secure RPC communication | Enabled | |
Set client connection encryption level | Enabled | |
Policy | Setting | Comment |
---|---|---|
Set time limit for active but idle Remote Desktop Services sessions | Enabled | |
Set time limit for disconnected sessions | Enabled | |
Policy | Setting | Comment |
---|---|---|
Do not delete temp folders upon exit | Enabled | |
Do not use temporary folders per session | Disabled |
Policy | Setting | Comment |
---|---|---|
Prevent downloading of enclosures | Enabled |
Policy | Setting | Comment |
---|---|---|
Allow Cortana | Disabled | |
Allow indexing of encrypted files | Disabled | |
Allow search and Cortana to use location | Disabled |
Policy | Setting | Comment |
---|---|---|
Turn off KMS Client Online AVS Validation | Enabled |
Policy | Setting | Comment |
---|---|---|
Disable all apps from Windows Store | Enabled | |
Turn off Automatic Download and Install of updates | Enabled | |
Turn off the offer to update to the latest version of Windows | Enabled | |
Turn off the Store application | Enabled |
Policy | Setting | Comment |
---|---|---|
Join Microsoft MAPS | Enabled | |
Policy | Setting | Comment |
---|---|---|
Configure Windows Defender SmartScreen | Enabled | |
Policy | Setting | Comment |
---|---|---|
Configure Windows Defender SmartScreen | Enabled |
Policy | Setting | Comment |
---|---|---|
Disable Windows Error Reporting | Enabled |
Policy | Setting | Comment |
---|---|---|
Enables or disables Windows Game Recording and Broadcasting | Disabled |
Policy | Setting | Comment |
---|---|---|
Allow user control over installs | Disabled | |
Always install with elevated privileges | Disabled | |
Prevent Internet Explorer security prompt for Windows Installer scripts | Disabled |
Policy | Setting | Comment |
---|---|---|
Sign-in last interactive user automatically after a system-initiated restart | Disabled |
Policy | Setting | Comment |
---|---|---|
Turn on PowerShell Script Block Logging | Enabled | |
Turn on PowerShell Transcription | Disabled | |
Policy | Setting | Comment |
---|---|---|
Allow Basic authentication | Disabled | |
Allow unencrypted traffic | Disabled | |
Disallow Digest authentication | Enabled |
Policy | Setting | Comment |
---|---|---|
Allow Basic authentication | Disabled | |
Allow unencrypted traffic | Disabled | |
Disallow WinRM from storing RunAs credentials | Enabled |
Policy | Setting | Comment |
---|---|---|
Allow Remote Shell Access | Disabled |
Policy | Setting | Comment |
---|---|---|
Configure Automatic Updates | Enabled | |
No auto-restart with logged on users for scheduled automatic updates installations | Disabled | |
Policy | Setting | Comment |
---|---|---|
Select when Preview Builds and Feature Updates are received | Enabled | 08202-0039: Is ’Defer Upgrades and Updates’ set to ’Enabled: 1 months, 0 weeks |