Group Policy Management
body { font-size:68%;font-family:MS Shell Dlg; margin:0px,0px,0px,0px; border: 1px solid #666666; background:#F6F6F6; width:100%; word-break:normal; word-wrap:break-word; } .head { font-weight:bold; font-size:160%; font-family:MS Shell Dlg; width:100%; color:#6587DC; background:#E3EAF9; border:1px solid #5582D2; padding-left:8px; height:24px; } .path { margin-left: 10px; margin-top: 10px; margin-bottom:5px;width:100%; } .info { padding-left:10px;width:100%; } table { font-size:100%; width:100%; border:1px solid #999999; } th { border-bottom:1px solid #999999; text-align:left; padding-left:10px; height:24px; } td { background:#FFFFFF; padding-left:10px; padding-bottom:10px; padding-top:10px; } .btn { width:100%; text-align:right; margin-top:16px; } .hdr { font-weight:bold; border:1px solid #999999; text-align:left; padding-top: 4px; padding-left:10px; height:24px; margin-bottom:-1px; width:100%; } .bdy { width:100%; height:182px; display:block; overflow:scroll; z-index:2; background:#FFFFFF; padding-left:10px; padding-bottom:10px; padding-top:10px; border:1px solid #999999; } button { width:6.9em; height:2.1em; font-size:100%; font-family:MS Shell Dlg; margin-right:15px; } @media print { .bdy { display:block; overflow:visible; } button { display:none; } .head { color:#000000; background:#FFFFFF; border:1px solid #000000; } }
Setting Path:
Explanation
No explanation is available for this setting.
Supported On:
Not available
Local Policy DoD Windows 10 STIG Comp v3r4
Data collected on: 4/3/2025 10:39:37 AM
General
Details
Domainsecurity.local
OwnerSECURITY\Domain Admins
Created4/2/2025 11:35:12 AM
Modified4/2/2025 11:35:34 AM
User Revisions1 (AD), 1 (SYSVOL)
Computer Revisions1 (AD), 1 (SYSVOL)
Unique ID{2930D0AE-C89D-4158-8430-09C4064086C8}
GPO StatusUser settings disabled
Links
LocationEnforcedLink StatusPath
None

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users
Delegation
These groups and users have the specified permission for this GPO
NameAllowed PermissionsInherited
NT AUTHORITY\Authenticated UsersRead (from Security Filtering)No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSReadNo
NT AUTHORITY\SYSTEMEdit settings, delete, modify securityNo
SECURITY\Domain AdminsEdit settings, delete, modify securityNo
SECURITY\Enterprise AdminsEdit settings, delete, modify securityNo
Computer Configuration (Enabled)
Policies
Windows Settings
Security Settings
Account Policies/Password Policy
PolicySetting
Enforce password history24 passwords remembered
Maximum password age60 days
Minimum password age1 days
Minimum password length14 characters
Password must meet complexity requirementsEnabled
Store passwords using reversible encryptionDisabled
Account Policies/Account Lockout Policy
PolicySetting
Account lockout duration15 minutes
Account lockout threshold3 invalid logon attempts
Reset account lockout counter after15 minutes
Local Policies/User Rights Assignment
PolicySetting
Access Credential Manager as a trusted caller
Access this computer from the networkBUILTIN\Remote Desktop Users, BUILTIN\Administrators
Act as part of the operating system
Allow log on locallyBUILTIN\Users, BUILTIN\Administrators
Back up files and directoriesBUILTIN\Administrators
Change the system timeNT SERVICE\autotimesvc, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create a pagefileBUILTIN\Administrators
Create a token object
Create global objectsNT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create permanent shared objects
Create symbolic linksBUILTIN\Administrators
Debug programsBUILTIN\Administrators
Deny access to this computer from the networkBUILTIN\Guests
Deny log on as a batch job
Deny log on as a service
Deny log on locallyBUILTIN\Guests
Deny log on through Terminal ServicesBUILTIN\Guests
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote systemBUILTIN\Administrators
Impersonate a client after authenticationNT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Load and unload device driversBUILTIN\Administrators
Lock pages in memory
Manage auditing and security logBUILTIN\Administrators
Modify firmware environment valuesBUILTIN\Administrators
Perform volume maintenance tasksBUILTIN\Administrators
Profile single processBUILTIN\Administrators
Restore files and directoriesBUILTIN\Administrators
Take ownership of files or other objectsBUILTIN\Administrators
Local Policies/Security Options
Accounts
PolicySetting
Accounts: Administrator account statusDisabled
Accounts: Guest account statusDisabled
Accounts: Limit local account use of blank passwords to console logon onlyEnabled
Accounts: Rename administrator account"X_Admin"
Accounts: Rename guest account"Visitor"
Domain Member
PolicySetting
Domain member: Digitally encrypt or sign secure channel data (always)Enabled
Domain member: Digitally encrypt secure channel data (when possible)Enabled
Domain member: Digitally sign secure channel data (when possible)Enabled
Domain member: Disable machine account password changesDisabled
Domain member: Maximum machine account password age30 days
Domain member: Require strong (Windows 2000 or later) session keyEnabled
Interactive Logon
PolicySetting
Interactive logon: Message text for users attempting to log onYou are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only., By using this IS (which includes any device attached to this IS), you consent to the following conditions:, -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations., -At any time, the USG may inspect and seize data stored on this IS., -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose., -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy., -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Interactive logon: Message title for users attempting to log on"US Department of Defense Warning Statement"
Interactive logon: Smart card removal behaviorLock Workstation
Microsoft Network Client
PolicySetting
Microsoft network client: Digitally sign communications (always)Enabled
Microsoft network client: Send unencrypted password to third-party SMB serversDisabled
Microsoft Network Server
PolicySetting
Microsoft network server: Digitally sign communications (always)Enabled
Network Access
PolicySetting
Network access: Allow anonymous SID/Name translationDisabled
Network access: Do not allow anonymous enumeration of SAM accountsEnabled
Network access: Do not allow anonymous enumeration of SAM accounts and sharesEnabled
Network access: Let Everyone permissions apply to anonymous usersDisabled
Network access: Restrict anonymous access to Named Pipes and SharesEnabled
Network Security
PolicySetting
Network security: Do not store LAN Manager hash value on next password changeEnabled
Network security: LAN Manager authentication levelSend NTLMv2 response only. Refuse LM & NTLM
Network security: LDAP client signing requirementsNegotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clientsEnabled
Require NTLMv2 session securityEnabled
Require 128-bit encryptionEnabled
Network security: Minimum session security for NTLM SSP based (including secure RPC) serversEnabled
Require NTLMv2 session securityEnabled
Require 128-bit encryptionEnabled
System Cryptography
PolicySetting
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signingEnabled
System Objects
PolicySetting
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)Enabled
User Account Control
PolicySetting
User Account Control: Admin Approval Mode for the Built-in Administrator accountEnabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval ModePrompt for consent on the secure desktop
User Account Control: Behavior of the elevation prompt for standard usersAutomatically deny elevation requests
User Account Control: Detect application installations and prompt for elevationEnabled
User Account Control: Only elevate UIAccess applications that are installed in secure locationsEnabled
User Account Control: Run all administrators in Admin Approval ModeEnabled
User Account Control: Virtualize file and registry write failures to per-user locationsEnabled
Other
PolicySetting
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settingsEnabled
Interactive logon: Machine inactivity limit900 seconds
Network access: Restrict clients allowed to make remote calls to SAM"O:BAG:BAD:(A;;RC;;;BA)"
Network security: Allow LocalSystem NULL session fallbackDisabled
Network security: Allow PKU2U authentication requests to this computer to use online identities. Disabled
Network security: Configure encryption types allowed for KerberosEnabled
DES_CBC_CRCDisabled
DES_CBC_MD5Disabled
RC4_HMAC_MD5Disabled
AES128_HMAC_SHA1Enabled
AES256_HMAC_SHA1Enabled
Future encryption typesEnabled
System Services
Secondary Logon (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Advanced Audit Configuration
Account Logon
PolicySetting
Audit Credential ValidationSuccess, Failure
Account Management
PolicySetting
Audit Security Group ManagementSuccess
Audit User Account ManagementSuccess, Failure
Detailed Tracking
PolicySetting
Audit PNP ActivitySuccess
Audit Process CreationSuccess, Failure
Logon/Logoff
PolicySetting
Audit Account LockoutFailure
Audit Group MembershipSuccess
Audit LogoffSuccess
Audit LogonSuccess, Failure
Audit Other Logon/Logoff EventsSuccess, Failure
Audit Special LogonSuccess
Object Access
PolicySetting
Audit Detailed File ShareFailure
Audit File ShareSuccess, Failure
Audit Other Object Access EventsSuccess, Failure
Audit Removable StorageSuccess, Failure
Policy Change
PolicySetting
Audit Audit Policy ChangeSuccess
Audit Authentication Policy ChangeSuccess
Audit Authorization Policy ChangeSuccess
Audit MPSSVC Rule-Level Policy ChangeSuccess, Failure
Audit Other Policy Change EventsFailure
Privilege Use
PolicySetting
Audit Sensitive Privilege UseSuccess, Failure
System
PolicySetting
Audit IPsec DriverFailure
Audit Other System EventsSuccess, Failure
Audit Security State ChangeSuccess
Audit Security System ExtensionSuccess
Audit System IntegritySuccess, Failure
Administrative Templates
Policy definitions (ADMX files) retrieved from the local computer.
Control Panel/Personalization
PolicySettingComment
Prevent enabling lock screen cameraEnabled
Prevent enabling lock screen slide showEnabled
MS Security Guide
PolicySettingComment
Apply UAC restrictions to local accounts on network logonsEnabled
Configure SMB v1 client driverEnabled
Configure MrxSmb10 driverDisable driver (recommended)
PolicySettingComment
Configure SMB v1 serverDisabled
Enable Structured Exception Handling Overwrite Protection (SEHOP)Enabled
Remove "Run As Different User" from context menusEnabled
WDigest Authentication (disabling may require KB2871997)Disabled
MSS (Legacy)
PolicySettingComment
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)Enabled
DisableIPSourceRoutingIPv6Highest protection, source routing is completely disabled
PolicySettingComment
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)Enabled
DisableIPSourceRoutingHighest protection, source routing is completely disabled
PolicySettingComment
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routesDisabled
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS serversEnabled
Network/Lanman Workstation
PolicySettingComment
Enable insecure guest logonsDisabled
Network/Network Connections
PolicySettingComment
Prohibit use of Internet Connection Sharing on your DNS domain networkEnabled
Network/SSL Configuration Settings
PolicySettingComment
ECC Curve OrderEnabled
Type the ECC curve names in the preferred order (one curve name per line)
ECC Curve Order:NistP384
NistP256
Network/Windows Connection Manager
PolicySettingComment
Minimize the number of simultaneous connections to the Internet or a Windows DomainEnabled
Minimize Policy Options3 = Prevent Wi-Fi when on Ethernet
PolicySettingComment
Prohibit connection to non-domain networks when connected to domain authenticated networkEnabled
Network/WLAN Service/WLAN Settings
PolicySettingComment
Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid servicesDisabled
System/Audit Process Creation
PolicySettingComment
Include command line in process creation eventsEnabled
System/Credentials Delegation
PolicySettingComment
Remote host allows delegation of non-exportable credentialsEnabled
System/Device Guard
PolicySettingComment
Turn On Virtualization Based SecurityEnabled
Select Platform Security Level:Secure Boot
Virtualization Based Protection of Code Integrity:Enabled with UEFI lock
Require UEFI Memory Attributes TableDisabled
Credential Guard Configuration:Enabled with UEFI lock
Secure Launch Configuration:Not Configured
System/Early Launch Antimalware
PolicySettingComment
Boot-Start Driver Initialization PolicyEnabled
Choose the boot-start drivers that can be initialized:Good, unknown and bad but critical
System/Group Policy
PolicySettingComment
Configure registry policy processingEnabled
Do not apply during periodic background processingDisabled
Process even if the Group Policy objects have not changedEnabled
System/Internet Communication Management/Internet Communication settings
PolicySettingComment
Turn off downloading of print drivers over HTTPEnabled
Turn off Internet download for Web publishing and online ordering wizardsEnabled
Turn off printing over HTTPEnabled
System/Kernel DMA Protection
PolicySettingComment
Enumeration policy for external devices incompatible with Kernel DMA ProtectionEnabled
Enumeration policyBlock all
System/LAPS
PolicySettingComment
Password SettingsEnabled
Password ComplexityLarge letters + small letters + numbers + specials
Password Length14
Password Age (Days)60
System/Logon
PolicySettingComment
Do not display network selection UIEnabled
Turn on convenience PIN sign-inDisabled
System/PIN Complexity
PolicySettingComment
Minimum PIN lengthEnabled
Minimum PIN length6
System/Power Management/Sleep Settings
PolicySettingComment
Require a password when a computer wakes (on battery)Enabled
Require a password when a computer wakes (plugged in)Enabled
System/Remote Assistance
PolicySettingComment
Configure Solicited Remote AssistanceDisabled
System/Remote Procedure Call
PolicySettingComment
Restrict Unauthenticated RPC clientsEnabled
RPC Runtime Unauthenticated Client Restriction to Apply:Authenticated
Windows Components/App Privacy
PolicySettingComment
Let Windows apps activate with voice while the system is lockedEnabled
Default for all apps:Force Deny
Windows Components/App runtime
PolicySettingComment
Allow Microsoft accounts to be optionalEnabled
Windows Components/Application Compatibility
PolicySettingComment
Turn off Inventory CollectorEnabled
Windows Components/AutoPlay Policies
PolicySettingComment
Disallow Autoplay for non-volume devicesEnabled
Set the default behavior for AutoRunEnabled
Default AutoRun BehaviorDo not execute any autorun commands
PolicySettingComment
Turn off AutoplayEnabled
Turn off Autoplay on:All drives
Windows Components/Biometrics/Facial Features
PolicySettingComment
Configure enhanced anti-spoofingEnabled
Windows Components/BitLocker Drive Encryption/Operating System Drives
PolicySettingComment
Configure minimum PIN length for startupEnabled
Minimum characters:6
PolicySettingComment
Require additional authentication at startupEnabled
Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)Enabled
Settings for computers with a TPM:
Configure TPM startup:Allow TPM
Configure TPM startup PIN:Require startup PIN with TPM
Configure TPM startup key:Allow startup key with TPM
Configure TPM startup key and PIN:Allow startup key and PIN with TPM
Windows Components/Cloud Content
PolicySettingComment
Turn off Microsoft consumer experiencesEnabled
Windows Components/Credential User Interface
PolicySettingComment
Enumerate administrator accounts on elevationDisabled
Windows Components/Data Collection and Preview Builds
PolicySettingComment
Allow TelemetryEnabled
2 - Enhanced
Windows Components/Delivery Optimization
PolicySettingComment
Download ModeEnabled
Download Mode:LAN (1)
Windows Components/Event Log Service/Application
PolicySettingComment
Specify the maximum log file size (KB)Enabled
Maximum Log Size (KB)32768
Windows Components/Event Log Service/Security
PolicySettingComment
Specify the maximum log file size (KB)Enabled
Maximum Log Size (KB)1024000
Windows Components/Event Log Service/System
PolicySettingComment
Specify the maximum log file size (KB)Enabled
Maximum Log Size (KB)32768
Windows Components/File Explorer
PolicySettingComment
Turn off Data Execution Prevention for ExplorerDisabled
Turn off heap termination on corruptionDisabled
Turn off shell protocol protected modeDisabled
Windows Components/Internet Explorer
PolicySettingComment
Disable Internet Explorer 11 as a standalone browserEnabled
Notify that Internet Explorer 11 browser is disabledNever
Windows Components/Microsoft Edge
PolicySettingComment
Configure Password ManagerDisabled
Prevent bypassing Windows Defender SmartScreen prompts for filesEnabled
Prevent certificate error overridesEnabled
Windows Components/Remote Desktop Services/Remote Desktop Connection Client
PolicySettingComment
Do not allow passwords to be savedEnabled
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection
PolicySettingComment
Do not allow drive redirectionEnabled
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security
PolicySettingComment
Always prompt for password upon connectionEnabled
Require secure RPC communicationEnabled
Set client connection encryption levelEnabled
Encryption LevelHigh Level
Choose the encryption level from the drop-down list.
Windows Components/RSS Feeds
PolicySettingComment
Prevent downloading of enclosuresEnabled
Turn on Basic feed authentication over HTTPDisabled
Windows Components/Search
PolicySettingComment
Allow indexing of encrypted filesDisabled
Windows Components/Windows Defender SmartScreen/Explorer
PolicySettingComment
Configure Windows Defender SmartScreenEnabled
Pick one of the following settings:Warn and prevent bypass
Windows Components/Windows Defender SmartScreen/Microsoft Edge
PolicySettingComment
Configure Windows Defender SmartScreenEnabled
Prevent bypassing Windows Defender SmartScreen prompts for sitesEnabled
Windows Components/Windows Game Recording and Broadcasting
PolicySettingComment
Enables or disables Windows Game Recording and BroadcastingDisabled
Windows Components/Windows Hello for Business
PolicySettingComment
Use a hardware security deviceEnabled
Do not use the following security devices:
TPM 1.2Disabled
Windows Components/Windows Ink Workspace
PolicySettingComment
Allow Windows Ink WorkspaceEnabled
Choose one of the following actions 
Windows Components/Windows Installer
PolicySettingComment
Allow user control over installsDisabled
Always install with elevated privilegesDisabled
Prevent Internet Explorer security prompt for Windows Installer scriptsDisabled
Windows Components/Windows Logon Options
PolicySettingComment
Sign-in and lock last interactive user automatically after a restartDisabled
Windows Components/Windows PowerShell
PolicySettingComment
Turn on PowerShell Script Block LoggingEnabled
Log script block invocation start / stop events:Disabled
PolicySettingComment
Turn on PowerShell TranscriptionEnabled
Transcript output directoryC:\ProgramData\PS_Transcript
Include invocation headers:Disabled
Windows Components/Windows Remote Management (WinRM)/WinRM Client
PolicySettingComment
Allow Basic authenticationDisabled
Allow unencrypted trafficDisabled
Disallow Digest authenticationEnabled
Windows Components/Windows Remote Management (WinRM)/WinRM Service
PolicySettingComment
Allow Basic authenticationDisabled
Allow unencrypted trafficDisabled
Disallow WinRM from storing RunAs credentialsEnabled
User Configuration (Disabled)
No settings defined.