MS Security Baseline Windows 11 v24H2

This workbook provides a comprehensive list of Group Policy settings for Windows 11 version 24H2, including Microsoft-recommended configurations for enterprise systems. The settings are based on Build 26100.1742 and were last modified on September 30, 2024. It includes security policies, user rights assignments, and notes on settings that should be removed for non-domain joined systems.

Uploaded by oscararl
© All Rights Reserved

General Information

This workbook displays all available Group Policy settings for Windows 11 version 24H2 and the corresponding Microsoft-recommended configuration of those settings for well-managed enterprise systems.

Settings contained are as of Build 26100.1742

Last modified on September 30, 2024

Legend:
Setting that should be removed for non-Domain joined systems

Note:
This Excel spreadsheet lists all security settings and group policies for Windows 11 version 24H2, along with the Microsoft-recommended configuration of those settings for well-managed enterprise systems. All the settings are present in the Windows group policy and security template editors, except for MS Security Guide and MSS (Legacy) which can be implemented using a custom ADMX that is included with this security guidance.
Policy Path and Policy Setting Name

Account Lockout
  Account lockout duration
  Account lockout threshold
  Allow Administrator account lockout
  Reset account lockout counter after

Audit Policy
  Audit account logon events
  Audit account management
  Audit directory service access
  Audit logon events
  Audit object access
  Audit policy change
  Audit privilege use
  Audit process tracking
  Audit system events

Event Log
  Maximum application log size
  Maximum security log size
  Maximum system log size
  Prevent local guests group from accessing application log
  Prevent local guests group from accessing security log
  Prevent local guests group from accessing system log
  Retain application log
  Retain security log
  Retain system log
  Retention method for application log
  Retention method for security log
  Retention method for system log

Kerberos Policy
  Enforce user logon restrictions
  Maximum lifetime for service ticket
  Maximum lifetime for user ticket
  Maximum lifetime for user ticket renewal
  Maximum tolerance for computer clock synchronization

Password Policy
  Enforce password history
  Maximum password age
  Minimum password age
  Minimum password length
  Minimum password length audit
  Password must meet complexity requirements
  Relax minimum password length limits
  Store passwords using reversible encryption

Security Options
  Accounts: Administrator account status
  Accounts: Block Microsoft accounts
  Accounts: Guest account status
  Accounts: Limit local account use of blank passwords to console logon only
  Accounts: Rename administrator account
  Accounts: Rename guest account
  Audit: Audit the access of global system objects
  Audit: Audit the use of Backup and Restore privilege
  Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
  Audit: Shut down system immediately if unable to log security audits
  DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
  DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
  Devices: Allow undock without having to log on
  Devices: Allowed to format and eject removable media
  Devices: Prevent users from installing printer drivers
  Devices: Restrict CD-ROM access to locally logged-on user only
  Devices: Restrict floppy access to locally logged-on user only
  Domain controller: Allow server operators to schedule tasks
  Domain controller: Allow vulnerable Netlogon secure channel connections
  Domain controller: LDAP server channel binding token requirements
  Domain controller: LDAP server signing requirements
  Domain controller: LDAP server signing requirements Enforcement
  Domain controller: Refuse machine account password changes
  Domain controller: Refuse setting default machine account password
  Domain member: Digitally encrypt or sign secure channel data (always)
  Domain member: Digitally encrypt secure channel data (when possible)
  Domain member: Digitally sign secure channel data (when possible)
  Domain member: Disable machine account password changes
  Domain member: Maximum machine account password age
  Domain member: Require strong (Windows 2000 or later) session key
  Interactive logon: Display user information when the session is locked
  Interactive logon: Do not require CTRL+ALT+DEL
  Interactive logon: Don't display last signed-in
  Interactive logon: Don't display username at sign-in
  Interactive logon: Machine account lockout threshold
  Interactive logon: Machine inactivity limit
  Interactive logon: Message text for users attempting to log on
  Interactive logon: Message title for users attempting to log on
  Interactive logon: Number of previous logons to cache (in case domain controller is not available)
  Interactive logon: Prompt user to change password before expiration
  Interactive logon: Require Domain Controller authentication to unlock workstation
  Interactive logon: Require Windows Hello for Business or smart card
  Interactive logon: Smart card removal behavior
  Microsoft network client: Digitally sign communications (always)
  Microsoft network client: Digitally sign communications (if server agrees)
  Microsoft network client: Send unencrypted password to third-party SMB servers
  Microsoft network server: Amount of idle time required before suspending session
  Microsoft network server: Attempt S4U2Self to obtain claim information
  Microsoft network server: Digitally sign communications (always)
  Microsoft network server: Digitally sign communications (if client agrees)
  Microsoft network server: Disconnect clients when logon hours expire
  Microsoft network server: Server SPN target name validation level
  Network access: Allow anonymous SID/Name translation
  Network access: Do not allow anonymous enumeration of SAM accounts
  Network access: Do not allow anonymous enumeration of SAM accounts and shares
  Network access: Do not allow storage of passwords and credentials for network authentication
  Network access: Let Everyone permissions apply to anonymous users
  Network access: Named Pipes that can be accessed anonymously
  Network access: Remotely accessible registry paths
  Network access: Remotely accessible registry paths and sub-paths
  Network access: Restrict anonymous access to Named Pipes and Shares
  Network access: Restrict clients allowed to make remote calls to SAM
  Network access: Shares that can be accessed anonymously
  Network access: Sharing and security model for local accounts
  Network security: Allow Local System to use computer identity for NTLM
  Network security: Allow LocalSystem NULL session fallback
  Network security: Allow PKU2U authentication requests to this computer to use online identities.
  Network security: Configure encryption types allowed for Kerberos
  Network security: Do not store LAN Manager hash value on next password change
  Network security: Force logoff when logon hours expire
  Network security: LAN Manager authentication level
  Network security: LDAP client encryption requirements
  Network security: LDAP client signing requirements
  Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
  Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
  Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
  Network security: Restrict NTLM: Add server exceptions in this domain
  Network security: Restrict NTLM: Audit Incoming NTLM Traffic
  Network security: Restrict NTLM: Audit NTLM authentication in this domain
  Network security: Restrict NTLM: Incoming NTLM traffic
  Network security: Restrict NTLM: NTLM authentication in this domain
  Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
  Recovery console: Allow automatic administrative logon
  Recovery console: Allow floppy copy and access to all drives and all folders
  Shutdown: Allow system to be shut down without having to log on
  Shutdown: Clear virtual memory pagefile
  System cryptography: Force strong key protection for user keys stored on the computer
  System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
  System objects: Require case insensitivity for non-Windows subsystems
  System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
  System settings: Optional subsystems
  System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
  User Account Control: Admin Approval Mode for the Built-in Administrator account
  User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
  User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
  User Account Control: Behavior of the elevation prompt for administrators running with enhanced privilege protection
  User Account Control: Behavior of the elevation prompt for standard users
  User Account Control: Configure type of Admin Approval Mode
  User Account Control: Detect application installations and prompt for elevation
  User Account Control: Only elevate executables that are signed and validated
  User Account Control: Only elevate UIAccess applications that are installed in secure locations
  User Account Control: Run all administrators in Admin Approval Mode
  User Account Control: Switch to the secure desktop when prompting for elevation
  User Account Control: Virtualize file and registry write failures to per-user locations

User Rights Assignments
  Access Credential Manager as a trusted caller
  Access this computer from the network
  Act as part of the operating system
  Add workstations to domain
  Adjust memory quotas for a process
  Allow log on locally
  Allow log on through Remote Desktop Services
  Back up files and directories
  Bypass traverse checking
  Change the system time
  Change the time zone
  Create a pagefile
  Create a token object
  Create global objects
  Create permanent shared objects
  Create symbolic links
  Debug programs
  Deny access to this computer from the network
  Deny log on as a batch job
  Deny log on as a service
  Deny log on locally
  Deny log on through Remote Desktop Services
  Enable computer and user accounts to be trusted for delegation
  Force shutdown from a remote system
  Generate security audits
  Impersonate a client after authentication
  Increase a process working set
  Increase scheduling priority
  Load and unload device drivers
  Lock pages in memory
  Log on as a batch job
  Log on as a service
  Manage auditing and security log
  Modify an object label
  Modify firmware environment values
  Obtain an impersonation token for another user in the same session
  Perform volume maintenance tasks
  Profile single process
  Profile system performance
  Remove computer from docking station
  Replace a process level token
  Restore files and directories
  Shut down the system
  Synchronize directory service data
  Take ownership of files or other objects
Windows 11
10
10
Enabled
10

24

14

Enabled

Disabled

Enabled
Enabled

Enabled
Enabled
Enabled

Enabled
900

Lock Workstation
Enabled

Disabled

Enabled

Disabled
Enabled
Enabled

Enabled
O:BAG:BAD:(A;;RC;;;BA)

Disabled

Enabled

Send NTLMv2 response only. Refuse LM & NTLM


Negotiate signing
Require NTLMv2 session security and Require 128-
Require NTLMv2 session security and Require 128-

Enabled

Enabled

Prompt for consent on the secure desktop


Prompt for credentials on secure desktop

Automatically deny elevation requests

Admin approval mode with enhanced privilege pro

Enabled

Enabled
Enabled

Enabled
No One (Blank)
Administrators; Remote Desktop Users
No One (Blank)

Administrators; Users

Administrators

Administrators
No One (Blank)
Administrators; LOCAL SERVICE; NETWORK SERVIC
No One (Blank)

Administrators
NT AUTHORITY\Local Account
NT AUTHORITY\Local Account
No One (blank)
Administrators

Administrators, SERVICE, Local Service, Network S

Administrators
No One (blank)

Administrators

Administrators

Administrators
Administrators

Administrators

Administrators
Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.
Default: 0.
This security setting determines whether the builtin Administrator account is subject to account lockout policy.
Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.

Default: Success.
Default: No auditing.
Success on domain controllers.
No auditing on member servers.
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up a
Success on domain controllers.
No auditing on member servers.

Default: Enabled
Default: Enabled for Windows XP, Disabled for Windows 2000
Default: Enabled for Windows XP, Disabled for Windows 2000
Default: Enabled for Windows XP, Disabled for Windows 2000

Default: None.
Default: None.
Default: Enabled.
Default: 600 minutes (10 hours).
Default: 10 hours.
Default: 7 days.
Default: 5 minutes.
Note: By default, member computers follow the configuration of their domain controllers.
To maintain the effectiveness of the password history, do not allow passwords to be changed immediately after they were jus
Default: 42.
Note: By default, member computers follow the configuration of their domain controllers.
Note: By default, member computers follow the configuration of their domain controllers.
For more information see https://go.microsoft.com/fwlink/?LinkId=2097191.

Note: By default, member computers follow the configuration of their domain controllers.
For more information see https://go.microsoft.com/fwlink/?LinkId=2097191.
Default: Disabled.
Default: Disabled.
If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts i
Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
Default: Administrator.
Default: Disabled.
This security setting determines whether the domain controller bypasses secure RPC for Netlogon secure channel connections

This policy should be applied to all domain controllers in a forest by enabling the policy on the domain controllers OU.
Default: Disabled
When the Create Vulnerable Connections list (allow list) is configured:

- Given allow permission, the domain controller will allow accounts to use a Netlogon secure channel without secure RPC.
- Given deny permission, the domain controller will require accounts to use a Netlogon secure channel with secure RPC wh
Domain controller: Allow server operators to schedule tasks
Warning! Enabling this policy will expose your domain-joined devices and can expose your Active Directory forest to risk. This
RPC with Netlogon secure channels, the account should be removed from the Create Vulnerable Connections list. To better un
This setting does not affect Administrators.
This security setting determines if Server Operators are allowed to submit jobs by means of the AT schedule facility.
https://go.microsoft.com/fwlink/?linkid=2133485.
Note: This security setting only affects the AT schedule facility; it does not affect the Task Scheduler facility.
Default: This policy is not defined, which means that the system treats it as disabled.
Default: This policy is not configured. No machines or trust accounts are explicitly exempt from secure RPC with Netlogon secu

This policy is supported on at least Windows Server 2008 R2.

Notes: The When Supported option only protects those clients that do support Extended Protection for Authentication; clients

Domain controller: LDAP server Enforce signing requirements

This security setting determines whether the LDAP server enforces signing to be negotiated with LDAP clients.

This Policy will override the LDAP Server Signing Requirements Policy unless it is disabled.

Default: Not Configured which has the same effect as Enabled.

Enabled: LDAP signing will be enforced regardless of what is set in the LDAP signing policy.

Disabled: The setting from the LDAP Signing Policy will be used.

Domain controller: Refuse setting default machine account password

This security setting determines whether domain controllers will refuse setting default machine account passwords upon crea
This security setting should not be enabled. Computer account passwords are used to establish secure channel communication
This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you wan

Interactive logon: Do not require CTRL+ALT+DEL

This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.

If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+

If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows (unless they are using a sm

Default on domain-computers: Disabled.


Default on stand-alone computers: Enabled.
Interactive Logon: Display user information when session is locked
Interactive logon: Don't display username at sign-in
This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after cr
If this policy is enabled, the username will not be shown.

If this policy is disabled, the username will be shown.

Default: Disabled.
The machine lockout policy is enforced only on those machines that have Bitlocker enabled for protecting OS volumes. Please
Default: not enforced.
Default: No message.
Default: No message.
Default: 25

On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started.

Default: Disabled.
Default: Automatic.

All Windows operating systems support both a client-side SMB component and a server-side SMB component. This setting affe

System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion
Note: On Windows XP, this security setting was called "Network access: Remotely accessible registry paths." If you configure t

Network access: Restrict clients allowed to make remote calls to SAM


This policy will have no impact on computers running Windows 2000.
When the computer is not joined to a domain, this setting also modifies the Sharing and Security tabs in Windows Explorer to
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
The default is TRUE up to Windows Vista and FALSE in Windows 7.
This policy will be turned off by default on domain joined machines. This would disallow the online identities to be able to auth
This policy is supported on at least Windows 7 or Windows Server 2008 R2.

Windows Server 2003: Send NTLM response only


Windows Vista and Windows Server 2008: Send NTLMv2 response only
Network security: LDAP client encryption requirements

This security setting determines the level of data encryption that is requested on behalf of clients issuing LDAP BIND requests,

None: The LDAP BIND request is issued with the options that are specified by the caller.
Negotiate encryption: If Transport Layer Security/Secure Sockets Layer (TLS\SSL) has not been started, the LDAP BIND request
request is initiated with the options that are specified by the caller.
Require encryption: This is the same as Negotiate encryption. However, if the LDAP server's intermediate saslBindInProgress r

Caution

If you set the server to Require encryption, you must also set the client. Not setting the client results in a loss of connection wi

Note: This setting does not have any impact on ldap_simple_bind or ldap_simple_bind_s. No Microsoft LDAP clients that are s

Default: Negotiate encryption.

The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used b
The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used b
Note: Audit events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Services Log/M
Note: Audit events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Services Log/M
Note: Block events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Services Log/Mi
Note: Block events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Services Log/Mi
Note: Audit and block events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Servic

Note: The Federal Information Processing Standard (FIPS) 140 is a security implementation designed for certifying cryptograph

Default: Disabled

If you plan to enable this setting, you should also review the effect of the "User Account Control: Behavior of the elevation pro
User Account Control: Behavior of the elevation prompt for administrators in Enhanced Privilege Protection Mode

This policy setting controls the behavior of the elevation prompt for administrators running in Enhanced Privilege Protection M

The options are:

• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the s

• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted on the secure desktop to en
protection.

• Prompt for credentials: An operation that requires elevation of privilege will prompt the user to enter an administrative user

User Account Control: Configure type of Admin Approval Mode

This policy setting controls whether enhanced privilege protection is applied to admin approval mode elevations. If you chang

The options are:

• Admin Approval Mode is running in legacy mode (Default)

• Admin Approval Mode is running with enhanced privilege protection

• Enabled: Application installation packages that require an elevation of privilege to install will be heuristically detected and tr
Note: Windows enforces a PKI signature check on any interactive application that requests execution with UIAccess integrity le

The options are:
• Enabled: Admin Approval Mode and all other UAC policies are dependent on this option being enabled. Changing this settin

The options are:

• Enabled: Facilitates the runtime redirection of application write failures to defined user locations for both the file system an
This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned
Backup Operators
Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than usi
Users
Caution

Users.

Default on domain controllers: Account Operators
This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2.
Caution

Default: Administrators, Users


For information about how to specify a paging file size for a given drive, see To change the size of the virtual memory paging fi
Caution
Assigning this user right can be a security risk. Assign this user right only to trusted users.
This user right determines which accounts can be used by processes to create a directory object using the object manager.
Note
This setting can be used in conjunction with a symlink filesystem setting that can be manipulated with the command line utility to c
This user right is used internally by the operating system and is useful to kernel-mode components that extend the object nam
Caution
This security setting determines which users are prevented from accessing a computer over the network. This policy setting su
Default: None.
Default: None.
Default: None.
This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of worksta
This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of worksta
Default: Local Service, Network Service.

Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their acces
Warning: Increasing the working set size for a process decreases the amount of physical memory available to the rest of the sy
Default: Administrators.
Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want
This security setting determines which accounts can use a process to keep data in physical memory, which prevents the system
Default: Administrators, Backup Operators.
Default setting: None.
This security setting does not allow a user to enable file and object access auditing in general. For such auditing to be enabled,
Default: None
On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Kn
On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run boo
Remove computer from docking station
On all computers, this user right is required to install or upgrade Windows.
If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
Restore files and directories
This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmenta
Shut down the system
This security setting determines whether a user can undock a portable computer from its docking station without logging on.
This security setting determines which users can bypass file, directory, registry, and other persistent objects permissions when
Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that cont
Replace a process level token
This security setting determines which users can use performance monitoring tools to monitor the performance of nonsystem
If this policy is enabled, the user must log on before removing the portable computer from its docking station. If this policy is ud
This security setting determines which users who are logged on locally to the computer can shut down the operating system
Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folde
This security setting determines which user accounts can call the CreateProcessAsUser() application programming interface (A
Default: Administrators, Power Users, Users
Default on Workstations: Administrators, Backup Operators, Users.
Traverse Folder/Execute File
Write
Default: Network Service, Local Service.
Synchronize directory service data
Default on Servers: Administrators, Backup Operators.
This security setting determines which users and groups have the authority to synchronize all directory service data. This is als
Caution
Default on Domain controllers: Administrators, Backup Operators, Server Operators, Print Operators.
Defaults: None.
Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and ga
Caution
Default:

Workstations and servers: Administrators, Backup Operators.


Domain controllers: Administrators, Backup Operators, Server Operators.
Registry Information
Account Lockout Policy security settings are not registry keys.
Audit Policy security settings are not registry keys.
Event Log security settings are not registry keys.
Kerberos Policy security settings are not registry keys.
Password Policy security settings are not registry keys.
MACHINE\System\CurrentControlSet\Control\SAM\MinimumPasswordLengthAudit
MACHINE\System\CurrentControlSet\Control\SAM\RelaxMinimumPasswordLengthLimits
Not a registry key
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoConnectedUser
Not a registry key
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
Not a registry key
Not a registry key
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing
MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail
MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineAccessRestriction
MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineLaunchRestriction
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies
MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\VulnerableChannelAllowList
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity

MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerEnforceIntegrity
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange

MACHINE\System\CurrentControlSet\Control\SAM\RefuseDefaultMachinePwd
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLockedUserId
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayUserName
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\MaxDevicePasswordFailedAttempts
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableS4U2SelfForClaims
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\SmbServerNameHardeningLevel
Not a registry key
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest
MACHINE\System\CurrentControlSet\Control\Lsa\UseMachineId
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback
MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
Not a registry key
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientConfidentiality
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\ClientAllowedNTLMServers
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DCAllowedNTLMServers
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\AuditReceivingNTLMTraffic
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\AuditNTLMInDomain
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictReceivingNTLMTraffic
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RestrictNTLMInDomain
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional
MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorEnhancedAdmin
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\TypeOfAdminApprovalMode
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization
User Rights security settings are not registry keys
Comments Column1 Column2

Note: This setting does not appear in the Local Computer Policy object.
Note: This setting does not appear in the Local Computer Policy object.
Important: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see the "Event Log: Maximum sec
Note: This setting does not appear in the Local Computer Policy object.
Notes: This setting does not appear in the Local Computer Policy object.
This security setting affects only computers running Windows 2000, Windows Server 2003, and Windows XP.
This security setting affects only computers running Windows 2000, Windows Server 2003, and Windows XP.
A user must possess the Manage auditing and security log user right to access the security log.
Note: This setting does not appear in the Local Computer Policy object.
This security setting affects only computers running Windows 2000, Windows Server 2003, and Windows XP.
Notes: This setting does not appear in the Local Computer Policy object.
A user must possess the Manage auditing and security log user right to access the security log.
Notes: This setting does not appear in the Local Computer Policy object.
Note: This setting does not appear in the Local Computer Policy object.
Note: This setting does not appear in the Local Computer Policy object.
Note: This setting does not appear in the Local Computer Policy object.
Note: This setting does not appear in the Local Computer Policy object.
Clients will get the new setting after a maximum of 8 hours, but for DCs to assign these new settings a Gpupdate /force is required, or wait for the usual 5 minutes until the SCE engine assigns all modified settings.
Clients will get the new setting after a maximum of 8 hours, but for DCs to assign these new settings a Gpupdate /force is required, or wait for the usual 5 minutes until the SCE engine assigns all modified settings.
Clients will get the new setting after a maximum of 8 hours, but for DCs to assign these new settings a Gpupdate /force is required, or wait for the usual 5 minutes until the SCE engine assigns all modified settings.
Clients will get the new setting after a maximum of 8 hours, but for DCs to assign these new settings a Gpupdate /force is required, or wait for the usual 5 minutes until the SCE engine assigns all modified settings.
Clients will get the new setting after a maximum of 8 hours, but for DCs to assign these new settings a Gpupdate /force is required, or wait for the usual 5 minutes until the SCE engine assigns all modified settings.
DOMAIN SECURITY
DOMAIN SECURITY
DOMAIN SECURITY
DOMAIN SECURITY
DOMAIN SECURITY
DOMAIN SECURITY
Should be in Domain but is not
DOMAIN SECURITY
For the policy change to take effect, the spooler service needs to be stopped/restarted, but the system does not have to be rebooted.

Restart of service might be sufficient

Important: In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member’s domain must be running Windows NT 4.0 Service Pack 6 or higher.
In order to take advantage of this policy on doma

Important: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
Important: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
Important: This setting will apply to any computers running Windows 2000 through changes in the registry, but the security setting is not viewable through the Security Configuration Manager tool set.
Only LogOff is required for W2K, XP and W2K3 computers. In Vista, start/restart the scpolicysvc will work or LogOff
Important: For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help.

Important: For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help.

Important: This policy has no impact on domain controllers. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help.

Important: The Network access: Remotely accessible registry paths security setting that appears on computers running Windows XP corresponds to the Network access: Remotely accessible registry paths and subpaths security policy setting on members of the Wi
Important: On Windows XP, this security setting was called "Network access: Remotely accessible registry paths." If you configure this setting on a member of the Windows Server 2003 family that is joined to a domain, this setting is inherited by computers

This policy setting allows you to restrict remote rpc connections to SAM. If not selected, the default security descriptor will be used. This policy is supported on at least Windows Server 2016.
Important: This setting only affects computers running Windows XP Professional which are not joined to a domain.
This policy will have no impact on computers running Windows 2000. For more information, search for "Security Setting Descriptions" in the Win

Important: Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.
This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Pr

Important: This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the netwo
Warning: This setting will apply to any computers running Windows 2000 through changes in the registry but the security setting will not be viewable through the Security Configuration Manager tool set. For more information, search for "Security Setting De
Warning: This setting will apply to any computers running Windows 2000 through changes in the registry but the security setting will not be viewable through the Security Configuration Manager tool set. For more information, search for "Security Setting De

Require restart of recovery console


Require restart of recovery console
Requires logoff
Vista does NOT require reboot
Requires reboot with CNG on Vista; Does not require reboot with CAPI on Vista; Does not require reboot on XP, 2003 with CAPI
Logoff required COMPUTER
Logoff required COMPUTER
Logoff required COMPUTER
Logoff required
Logoff required
Logoff required COMPUTER
Logoff required
Logoff required COMPUTER
Logoff required
Logoff required
Logoff required
Logoff required COMPUTER
Logoff required COMPUTER
Logoff required COMPUTER
Logoff required
Logoff required
Logoff required COMPUTER
Logoff required COMPUTER
Logoff required
Logoff required
Logoff required
Logoff required COMPUTER
Logoff required COMPUTER
Logoff required COMPUTER
Logoff required
Logoff required COMPUTER
Logoff required
Logoff required
Logoff required COMPUTER
Logoff required COMPUTER
Note: In Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family, the Task Scheduler automatically grants this right as necessary.
Logoff required
Logoff required COMPUTER
Logoff required
Logoff required COMPUTER

Logoff required COMPUTER


Logoff required COMPUTER
Logoff required
Logoff required
Logoff required
Logoff required COMPUTER
Logoff required
Logoff required
Logoff required COMPUTER
Policy Path | Policy Setting Name | Windows 11
Account Logon | Audit Credential Validation | Success and Failure
Account Logon | Audit Kerberos Authentication Service | 
Account Logon | Audit Kerberos Service Ticket Operations | 
Account Logon | Audit Other Account Logon Events | 
Account Management | Audit Application Group Management | 
Account Management | Audit Computer Account Management | 
Account Management | Audit Distribution Group Management | 
Account Management | Audit Other Account Management Events | 
Account Management | Audit Security Group Management | Success
Account Management | Audit User Account Management | Success and Failure
Detailed Tracking | Audit DPAPI Activity | 
Detailed Tracking | Audit PNP Activity | Success
Detailed Tracking | Audit Process Creation | Success
Detailed Tracking | Audit Process Termination | 
Detailed Tracking | Audit RPC Events | 
Detailed Tracking | Audit Token Right Adjusted | 
DS Access | Audit Detailed Directory Service Replication | 
DS Access | Audit Directory Service Access | 
DS Access | Audit Directory Service Changes | 
DS Access | Audit Directory Service Replication | 
Global Object Access Auditing | File system | 
Global Object Access Auditing | Registry | 
Logon/Logoff | Audit Account Lockout | Failure
Logon/Logoff | Audit Group Membership | Success
Logon/Logoff | Audit IPsec Extended Mode | 
Logon/Logoff | Audit IPsec Main Mode | 
Logon/Logoff | Audit IPsec Quick Mode | 
Logon/Logoff | Audit Logoff | 
Logon/Logoff | Audit Logon | Success and Failure
Logon/Logoff | Audit Network Policy Server | 
Logon/Logoff | Audit Other Logon/Logoff Events | Success and Failure
Logon/Logoff | Audit Special Logon | Success
Logon/Logoff | Audit User / Device Claims | 
Object Access | Audit Application Generated | 
Object Access | Audit Central Access Policy Staging | 
Object Access | Audit Certification Services | 
Object Access | Audit Detailed File Share | Failure
Object Access | Audit File Share | Success and Failure
Object Access | Audit File System | 
Object Access | Audit Filtering Platform Connection | 
Object Access | Audit Filtering Platform Packet Drop | 
Object Access | Audit Handle Manipulation | 
Object Access | Audit Kernel Object | 
Object Access | Audit Other Object Access Events | Success and Failure
Object Access | Audit Registry | 
Object Access | Audit Removable Storage | Success and Failure
Object Access | Audit SAM | 
Policy Change | Audit Audit Policy Change | Success
Policy Change | Audit Authentication Policy Change | Success
Policy Change | Audit Authorization Policy Change | 
Policy Change | Audit Filtering Platform Policy Change | 
Policy Change | Audit MPSSVC Rule-Level Policy Change | Success and Failure
Policy Change | Audit Other Policy Change Events | Failure
Privilege Use | Audit Non Sensitive Privilege Use | 
Privilege Use | Audit Other Privilege Use Events | 
Privilege Use | Audit Sensitive Privilege Use | Success
System | Audit IPsec Driver | 
System | Audit Other System Events | Success and Failure
System | Audit Security State Change | Success
System | Audit Security System Extension | Success
System | Audit System Integrity | Success and Failure
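As an added example, not part of the Microsoft workbook, the following script compares a host's exported advanced audit policy against the Windows 11 values in the audit policy table above and reports every subcategory that audits less than the baseline requires. It assumes the CSV layout written by `auditpol /get /category:* /r` and uses auditpol's subcategory names, which drop the "Audit " prefix of the Group Policy names (Audit PNP Activity is reported as Plug and Play Events); the sample export is constructed.

```python
"""Compare a host's advanced audit policy export against the Windows 11
baseline values in the audit policy table above (added example, not part
of the workbook). Input is the CSV that `auditpol /get /category:* /r`
writes; only the Subcategory and Inclusion Setting columns are used."""
import csv
import io
import sys

# Baseline subcategory -> expected Inclusion Setting, taken from the table.
# Keys use auditpol's names, which drop the "Audit " prefix of the GPO names;
# "Audit PNP Activity" is reported by auditpol as "Plug and Play Events".
# Subcategories the baseline leaves unconfigured are not listed and not checked.
BASELINE = {
    "Credential Validation": "Success and Failure",
    "Security Group Management": "Success",
    "User Account Management": "Success and Failure",
    "Plug and Play Events": "Success",
    "Process Creation": "Success",
    "Account Lockout": "Failure",
    "Group Membership": "Success",
    "Logon": "Success and Failure",
    "Other Logon/Logoff Events": "Success and Failure",
    "Special Logon": "Success",
    "Detailed File Share": "Failure",
    "File Share": "Success and Failure",
    "Other Object Access Events": "Success and Failure",
    "Removable Storage": "Success and Failure",
    "Audit Policy Change": "Success",
    "Authentication Policy Change": "Success",
    "MPSSVC Rule-Level Policy Change": "Success and Failure",
    "Other Policy Change Events": "Failure",
    "Sensitive Privilege Use": "Success",
    "Other System Events": "Success and Failure",
    "Security State Change": "Success",
    "Security System Extension": "Success",
    "System Integrity": "Success and Failure",
}

# Constructed sample of an auditpol /r export (a real export lists every
# subcategory; this one is deliberately short and deliberately non-compliant).
SAMPLE_AUDITPOL_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
WS01,System,Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030},Success and Failure,
WS01,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},Success,
WS01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success,
WS01,System,Special Logon,{0CCE921B-69AE-11D9-BED3-505054503030},Success and Failure,
WS01,System,Security State Change,{0CCE9210-69AE-11D9-BED3-505054503030},No Auditing,
"""


def audited_outcomes(setting):
    """Turn an Inclusion Setting string into the set of outcomes it audits."""
    text = setting.strip().lower()
    if text == "no auditing":
        return frozenset()
    outcomes = set()
    if "success" in text:
        outcomes.add("Success")
    if "failure" in text:
        outcomes.add("Failure")
    return frozenset(outcomes)


def parse_auditpol_csv(text):
    """Map each subcategory in an auditpol /r export to its Inclusion Setting."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["Subcategory"].strip(): row["Inclusion Setting"].strip()
            for row in reader if row.get("Subcategory")}


def check_audit_policy(host, baseline=BASELINE):
    """Return (subcategory, expected, actual) for every baseline subcategory
    the host audits less than required. A subcategory absent from the export
    is treated as "No Auditing"; auditing more than required is not a finding,
    so "Success and Failure" satisfies a baseline value of "Success"."""
    findings = []
    for subcategory, expected in baseline.items():
        actual = host.get(subcategory, "No Auditing")
        if not audited_outcomes(expected) <= audited_outcomes(actual):
            findings.append((subcategory, expected, actual))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # utf-8-sig also accepts a UTF-8 byte-order mark if the export has one.
        with open(sys.argv[1], encoding="utf-8-sig") as handle:
            export = handle.read()
    else:
        export = SAMPLE_AUDITPOL_CSV
    for subcategory, expected, actual in check_audit_policy(parse_auditpol_csv(export)):
        print(f"{subcategory}: baseline {expected!r}, host {actual!r}")
```

Run it with the path of a saved `auditpol /get /category:* /r` export as the only argument; with no argument it checks the constructed sample.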
Policy Path | Policy Setting Name | Windows 11
Domain Profile\State | Firewall State | On
Domain Profile\State | Inbound Connections | Block
Domain Profile\State | Outbound Connections | Allow
Domain Profile\State | Protected network connections | 
Domain Profile\Settings | Display a notification | No
Domain Profile\Settings | Allow unicast response | 
Domain Profile\Settings | Apply local firewall rules | 
Domain Profile\Settings | Apply local connection security rules | 
Domain Profile\Logging | Name | 
Domain Profile\Logging | Size limit | 16384
Domain Profile\Logging | Log dropped packets | Yes
Domain Profile\Logging | Log successful connections | Yes
Private Profile\State | Firewall State | On
Private Profile\State | Inbound Connections | Block
Private Profile\State | Outbound Connections | Allow
Private Profile\State | Protected network connections | 
Private Profile\Settings | Display a notification | No
Private Profile\Settings | Allow unicast response | 
Private Profile\Settings | Apply local firewall rules | 
Private Profile\Settings | Apply local connection security rules | 
Private Profile\Logging | Name | 
Private Profile\Logging | Size limit | 16384
Private Profile\Logging | Log dropped packets | Yes
Private Profile\Logging | Log successful connections | Yes
Public Profile\State | Firewall State | On
Public Profile\State | Inbound Connections | Block
Public Profile\State | Outbound Connections | Allow
Public Profile\State | Protected network connections | 
Public Profile\Settings | Display a notification | No
Public Profile\Settings | Allow unicast response | 
Public Profile\Settings | Apply local firewall rules | No
Public Profile\Settings | Apply local connection security rules | No
Public Profile\Logging | Name | 
Public Profile\Logging | Size limit | 16384
Public Profile\Logging | Log dropped packets | Yes
Public Profile\Logging | Log successful connections | Yes
IPSec Settings\Ipsec defaults | Key exchange | 
IPSec Settings\Ipsec defaults | Data protection | 
IPSec Settings\Ipsec defaults | Authentication method | 
IPSec Settings\Ipsec exemptions | Exempt ICMP from Ipsec | 
IPSec Settings | Ipsec tunnel authorization | 
Policy Path | Policy Setting Name | Windows 11 | Registry Information
System\Device Guard | Turn On Virtualization Based Security | Select Platform Security Level = Secure Boot; Virtualization Based Protection of Code Integrity = Enabled with UEFI lock; Require UEFI Memory Attributes Table = True; Credential Guard Configuration = Enabled with UEFI lock; Secure Launch Configuration = Enabled; Kernel-mode Hardware-enforced Stack Protection = Enabled in enforcement mode | HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard!EnableVirtualizationBasedSecurity;
Windows Components\Microsoft Defender Antivirus | Configure detection for potentially unwanted applications | Enabled: Block | HKLM\Software\Policies\Microsoft\Windows Defender!PUAProtection; HKLM\Software\Policies\Mi
Windows Components\Microsoft Defender Antivirus | Configure local administrator merge behavior for lists | Disabled | HKLM\Software\Policies\Microsoft\Windows Defender!DisableLocalAdminMerge
Windows Components\Microsoft Defender Antivirus | Turn off routine remediation | Disabled | HKLM\Software\Policies\Microsoft\Windows Defender!DisableRoutinelyTakingAction
Windows Components\Microsoft Defender Antivirus\MAPS | Configure the 'Block at First Sight' feature | Enabled | HKLM\Software\Policies\Microsoft\Windows Defender\Spynet!DisableBlockAtFirstSeen
Windows Components\Microsoft Defender Antivirus\MAPS | Join Microsoft MAPS | Enabled: Advanced MAPS | HKLM\Software\Policies\Microsoft\Windows Defender\Spynet!SpynetReporting; HKLM\Software\Po
Windows Components\Microsoft Defender Antivirus\MAPS | Send file samples when further analysis is required | Enabled: Send all samples | HKLM\Software\Policies\Microsoft\Windows Defender\Spynet!SubmitSamplesConsent; HKLM\Softw
Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction | Configure Attack Surface Reduction rules | Enabled: 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 = 1; 3b576869-a4ec-4529-8536-b80a7769e899 = 1; d4f940ab-401b-4efc-aadc-ad5f3c50688a = 1; 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 1; 5beb7efe-fd9a-4556-801d-275e5ffc04cc = 1; d3e037e1-3eb8-44c8-a917-57927947596d = 1; be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 = 1; 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 1; b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 1; 26190899-1602-49e8-8b27-eb1d0a1ce869 = 1; 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 1; c1db55ab-c21a-4637-bb3f-a12568109d35 = 1; e6db77e5-3df2-4cf1-b95a-636979351e5b = 1; 56a863a9-875e-4185-98a7-b882c64b5ce5 = 1 | HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR!Explo
Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection | Prevent users and apps from accessing dangerous websites | Enabled: Block | HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network P
Windows Components\Microsoft Defender Antivirus\MpEngine | Configure extended cloud check | Enabled: 50 | HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine!MpBafsExtendedTimeout; HKLM\
Windows Components\Microsoft Defender Antivirus\MpEngine | Select cloud protection level | Enabled: High blocking level | HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine!MpCloudBlockLevel; HKLM\Softw
Windows Components\Microsoft Defender Antivirus\Real-time Protection | Configure monitoring for incoming and outgoing file and program activity | Enabled: bi-directional | HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!RealtimeScanDirection
Windows Components\Microsoft Defender Antivirus\Real-time Protection | Monitor file and program activity on your computer | Enabled | HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableOnAccessProte
Windows Components\Microsoft Defender Antivirus\Real-time Protection | Scan all downloaded files and attachments | Enabled | HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableIOAVProtectio
Windows Components\Microsoft Defender Antivirus\Real-time Protection | Turn off real-time protection | Disabled | HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableRealtimeMonit
Windows Components\Microsoft Defender Antivirus\Real-time Protection | Turn on behavior monitoring | Enabled | HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableBehaviorMonit
Windows Components\Microsoft Defender Antivirus\Real-time Protection | Turn on process scanning whenever real-time protection is enabled | Enabled | HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableScanOnRealtim
Windows Components\Microsoft Defender Antivirus\Real-time Protection | Turn on script scanning | Enabled | HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableScriptScanning
Windows Components\Microsoft Defender Antivirus\Scan | Scan packed executables | Enabled | HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisablePackedExeScanning
Windows Components\Microsoft Defender Antivirus\Scan | Scan removable drives | Enabled | HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableRemovableDriveScanning
Supported On
At least Windows Server 2016 Windows 10
At least Windows Server 2016 Windows 10 Version 1607
At least Windows Server 2012 Windows 8 or Windows RT
At least Windows Vista
At least Windows Server 2016 Windows 10
At least Windows Vista
At least Windows Vista
At least Windows Server 2016 Windows 10 Version 1709
At least Windows Server 2016 Windows 10 Version 1709
At least Windows Server 2016 Windows 10
At least Windows Server 2016 Windows 10
At least Windows Server 2012 Windows 8 or Windows RT
At least Windows Server 2012 Windows 8 or Windows RT
At least Windows Server 2012 Windows 8 or Windows RT
At least Windows Vista
At least Windows Server 2012 Windows 8 or Windows RT
At least Windows Server 2012 Windows 8 or Windows RT
At least Windows Server 2012 Windows 8 or Windows RT
At least Windows Server 2012 Windows 8 or Windows RT
At least Windows Server 2012 Windows 8 or Windows RT
Help Text
Specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervis
Enable or disable detection for potentially unwanted applications. You can choose to block audit
This policy setting controls whether or not complex list settings configured by a local administrator ar
This policy setting allows you to configure whether Microsoft Defender Antivirus automatically tak
This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS
This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that h
This policy setting configures behaviour of samples submission when opt-in for MAPS telemetry is se
Set the state for each Attack Surface Reduction (ASR) rule. After enabling this setting you can set
Enable or disable Microsoft Defender Exploit Guard network protection to prevent employees from u
This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds
This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking an
This policy setting allows you to configure monitoring for incoming and outgoing files without having t
This policy setting allows you to configure monitoring for file and program activity. If you enable or
This policy setting allows you to configure scanning for all downloaded files and attachments. If yo
This policy turns off real-time protection in Microsoft Defender Antivirus. Real-time protection co
This policy setting allows you to configure behavior monitoring. If you enable or do not configure th
This policy setting allows you to configure process scanning when real-time protection is turned on. Th
This policy setting allows you to configure script scanning. If you enable or do not configure this sett
This policy setting allows you to configure scanning for packed executables. It is recommended that th
This policy setting allows you to manage whether or not to scan for malicious software and unwanted s
Columna1 Columna2
d Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Secur CREDENTIAL GUARD
DEFENDER ANTIVIRUS
DEFENDER ANTIVIRUS
DEFENDER ANTIVIRUS
DEFENDER ANTIVIRUS
DEFENDER ANTIVIRUS
DEFENDER ANTIVIRUS
DEFENDER ANTIVIRUS
DEFENDER ANTIVIRUS
DEFENDER ANTIVIRUS
DEFENDER ANTIVIRUS
DEFENDER ANTIVIRUS
DEFENDER ANTIVIRUS
DEFENDER ANTIVIRUS
DEFENDER ANTIVIRUS
DEFENDER ANTIVIRUS
DEFENDER ANTIVIRUS
DEFENDER ANTIVIRUS
DEFENDER ANTIVIRUS
DEFENDER ANTIVIRUS
CREDENTIAL GUARD
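The PowerShell audit below is an added example and is not part of the Microsoft baseline workbook. It compares a Windows 11 host's effective Defender Antivirus configuration (Get-MpPreference) and its running virtualization-based security services (the Win32_DeviceGuard WMI class) against the rows above and lists every row that does not match. The ASR rule names in the hash table come from Microsoft's ASR rule reference and serve as comments only; the numeric encodings (PUAProtection 1 = Block, MAPSReporting 2 = Advanced, SubmitSamplesConsent 3 = Send all samples, CloudBlockLevel 2 = High, and so on) are those of Set-MpPreference, and mapping the workbook's rows onto them is this example's assumption, not something the workbook states.

```powershell
# Added example (not from the baseline workbook): report drift from the Defender
# Antivirus and VBS rows of the Windows 11 24H2 baseline. Run from an elevated prompt.

# Baseline ASR rule set: GUIDs as listed in the workbook, all expected in Block (1).
# Names are from Microsoft's ASR rule documentation and are informational only.
$BaselineAsrRules = @{
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from lsass.exe'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

# Get-MpPreference property -> baseline value. Encodings follow Set-MpPreference:
# PUAProtection 1 = Block; MAPSReporting 2 = Advanced; SubmitSamplesConsent 3 = Send all
# samples; CloudBlockLevel 2 = High; EnableNetworkProtection 1 = Block;
# RealTimeScanDirection 0 = bi-directional; Disable* $false = feature left on.
$BaselineMpPreference = [ordered]@{
    PUAProtection                 = 1
    MAPSReporting                 = 2
    SubmitSamplesConsent          = 3
    DisableBlockAtFirstSeen       = $false
    CloudBlockLevel               = 2
    CloudExtendedTimeout          = 50
    EnableNetworkProtection       = 1
    RealTimeScanDirection         = 0
    DisableRealtimeMonitoring     = $false
    DisableBehaviorMonitoring     = $false
    DisableIOAVProtection         = $false
    DisableScriptScanning         = $false
    DisableRemovableDriveScanning = $false
}

function Test-DefenderBaseline {
    $pref = Get-MpPreference
    foreach ($name in $BaselineMpPreference.Keys) {
        $actual = $pref.$name
        [pscustomobject]@{ Check = $name; Expected = $BaselineMpPreference[$name]
                           Actual = $actual; Pass = ($actual -eq $BaselineMpPreference[$name]) }
    }
    # Ids and Actions are parallel arrays; fold them into a GUID -> action map.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $configured[$ids[$i].ToLower()] = $actions[$i] }
    foreach ($guid in $BaselineAsrRules.Keys) {
        $action = $configured[$guid]   # $null when the rule is not configured at all
        [pscustomobject]@{ Check = "ASR $guid ($($BaselineAsrRules[$guid]))"; Expected = 1
                           Actual = $action; Pass = ($action -eq 1) }
    }
}

function Test-VbsBaseline {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running.
    # SecurityServicesRunning: 1 Credential Guard, 2 HVCI, 3 System Guard Secure Launch,
    # 5 Kernel-mode Hardware-enforced Stack Protection. RequiredSecurityProperties 2 = Secure Boot.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $checks = [ordered]@{
        'VBS running'                            = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        'Credential Guard running'               = (1 -in $dg.SecurityServicesRunning)
        'HVCI running'                           = (2 -in $dg.SecurityServicesRunning)
        'Secure Launch running'                  = (3 -in $dg.SecurityServicesRunning)
        'Kernel-mode HW stack protection running' = (5 -in $dg.SecurityServicesRunning)
        'Secure Boot required by policy'         = (2 -in $dg.RequiredSecurityProperties)
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Expected = $true; Actual = $checks[$name]; Pass = $checks[$name] }
    }
}

$results = @(Test-DefenderBaseline) + @(Test-VbsBaseline)
$failed  = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -eq 0) { 'All checked baseline rows are in effect.' }
else { $failed | Format-Table Check, Expected, Actual -AutoSize }
```

Get-MpPreference reports the effective configuration (policy merged with local preferences), so a pass shows the host is in the intended state, not that Group Policy delivered it; to confirm delivery, read the HKLM\Software\Policies\Microsoft\Windows Defender paths listed in the table. Four rows (local administrator merge, routine remediation, process scanning on real-time enable, packed executable scanning) are not covered by the cmdlet properties used here and should be checked in the registry directly. Secure Launch and kernel-mode hardware-enforced stack protection also depend on firmware and CPU support, so a failure on those two checks may be a hardware limitation rather than policy drift.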
Policy Path: Start Menu and Taskbar\Notifications
Policy Setting Name: Turn off toast notifications on the lock screen
Policy Value: Enabled
Registry Information: HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications!NoToastApplicationNotificationOnLockScre
Supported On: At least Windows Server 2012, Windows 8 or Windows RT
Help Text: This policy setting turns off toast notifications on the lock screen. If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen. If you disable or do not configure this policy setting, toast notifications on the lock screen are enabled and can be turned off by the administrator or user. No reboots or service restarts are required for this policy setting to take effect.

Policy Path: Windows Components\Cloud Content
Policy Setting Name: Do not suggest third-party content in Windows spotlight
Policy Value: Enabled
Registry Information: HKCU\Software\Policies\Microsoft\Windows\CloudContent!DisableThirdPartySuggestions
Supported On: At least Windows 10
Help Text: If you enable this policy, Windows spotlight features like lock screen spotlight, suggested apps in Start menu or Windows tips will no longer suggest apps and content from third-party software publishers. Users may still see suggestions and tips to make them more productive with Microsoft features and apps. If you disable or do not configure this policy, Windows spotlight features may suggest apps and content from third-party software publishers in addition to Microsoft apps and content.

Policy Path: Windows Components\Internet Explorer
Policy Setting Name: Turn on the auto-complete feature for user names and passwords on forms
Policy Value: Disabled
Registry Information: HKCU\Software\Policies\Microsoft\Internet Explorer\Main!FormSuggest Passwords; HKCU\Software\Policies\Microsoft\Intern
Supported On: At least Internet Explorer 5.0
Help Text: This AutoComplete feature can remember and suggest user names and passwords on forms. If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The AutoComplete feature for user names and passwords on forms will be turned on. You have to decide whether to select "prompt me to save passwords". If you disable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The AutoComplete feature for user names and passwords on forms is turned off. The user also cannot opt to be prompted to save passwords. If you do not configure this setting, the user has the freedom of turning on AutoComplete for user names and passwords on forms and the option of prompting to save passwords. To display this option, the user opens the Internet Options dialog box, clicks the Content tab and clicks the Settings button.
Type            Name                               Windows 11
Scheduled Task  XblGameSaveTask                    Disabled
Services        Xbox Accessory Management Service  Disabled
Services        Xbox Live Auth Manager             Disabled
Services        Xbox Live Game Save                Disabled
Services        Xbox Live Networking Service       Disabled