Group Policy Management
_OE-C-MSSCT-PaT-LDA-BSI-merge-2004
Data collected on: 04.10.2021 18:22:40
General
Details
Domain | kit.edu
Owner | KIT\Domain Admins
Created | 28.09.2021 13:41:08
Modified | 28.09.2021 13:41:08
User Revisions | 1 (AD), 1 (SYSVOL)
Computer Revisions | 1 (AD), 1 (SYSVOL)
Unique ID | {DC018351-0B6E-4B19-86CD-C464B9083159}
GPO Status | User settings disabled
Links
Location | Enforced | Link Status | Path
BSI-Test | No | Enabled | kit.edu/KIT/Staff/SCC/Betrieb/CMK/Rechnerkonten/BSI-Test
TCS_GPO_Test | No | Enabled | kit.edu/KIT/Staff/SCC/Dienste/FMC/Rechnerkonten/TCS_GPO_Test

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users
Delegation
These groups and users have the specified permission for this GPO
Name | Allowed Permissions | Inherited
KIT\Domain Admins | Edit settings, delete, modify security | No
KIT\Domain Computers | Read | No
KIT\Enterprise Admins | Edit settings, delete, modify security | No
NT AUTHORITY\Authenticated Users | Read (from Security Filtering) | No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read | No
NT AUTHORITY\SYSTEM | Edit settings, delete, modify security | No
Computer Configuration (Enabled)
Policies
Windows Settings
Security Settings
Local Policies/User Rights Assignment
Policy | Setting
Access Credential Manager as a trusted caller |
Access this computer from the network | BUILTIN\Remote Desktop Users, BUILTIN\Administrators
Act as part of the operating system |
Allow log on locally | BUILTIN\Users, BUILTIN\Administrators
Back up files and directories | BUILTIN\Administrators
Create a pagefile | BUILTIN\Administrators
Create a token object |
Create global objects | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\SERVICE, BUILTIN\Administrators
Create permanent shared objects |
Debug programs | BUILTIN\Administrators
Deny access to this computer from the network | NT AUTHORITY\Local account
Deny log on as a batch job | LogonBatchDeny
Deny log on as a service | LogonServiceDeny
Deny log on locally | LogonLocallyDeny
Deny log on through Terminal Services | LogonRDPDeny, NT AUTHORITY\Local account
Enable computer and user accounts to be trusted for delegation |
Force shutdown from a remote system | BUILTIN\Administrators
Impersonate a client after authentication | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\SERVICE, BUILTIN\Administrators
Load and unload device drivers | BUILTIN\Administrators
Lock pages in memory |
Manage auditing and security log | BUILTIN\Administrators
Modify firmware environment values | BUILTIN\Administrators
Perform volume maintenance tasks | BUILTIN\Administrators
Profile single process | BUILTIN\Administrators
Restore files and directories | BUILTIN\Administrators
Take ownership of files or other objects | BUILTIN\Administrators
Local Policies/Security Options
Accounts
Policy | Setting
Accounts: Limit local account use of blank passwords to console logon only | Enabled
Interactive Logon
Policy | Setting
Interactive logon: Do not require CTRL+ALT+DEL | Disabled
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 2 logons
Interactive logon: Smart card removal behavior | Lock Workstation
Microsoft Network Client
Policy | Setting
Microsoft network client: Digitally sign communications (always) | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled
Network Access
Policy | Setting
Network access: Allow anonymous SID/Name translation | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled
Network Security
Policy | Setting
Network security: Do not store LAN Manager hash value on next password change | Enabled
Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM
Network security: LDAP client signing requirements | Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Enabled
  Require NTLMv2 session security | Enabled
  Require 128-bit encryption | Enabled
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Enabled
  Require NTLMv2 session security | Enabled
  Require 128-bit encryption | Enabled
System Objects
Policy | Setting
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled
User Account Control
Policy | Setting
User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop
User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials on the secure desktop
User Account Control: Detect application installations and prompt for elevation | Enabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled
User Account Control: Run all administrators in Admin Approval Mode | Enabled
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled
Other
Policy | Setting
Accounts: Block Microsoft accounts | Users can't add or log on with Microsoft accounts
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled
Domain member: Disable machine account password changes | Disabled
Domain member: Maximum machine account password age | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Enabled
Interactive logon: Machine inactivity limit | 900 seconds
Microsoft network server: Digitally sign communications (always) | Enabled
Network access: Restrict clients allowed to make remote calls to SAM | "O:BAG:BAD:(A;;RC;;;BA)"
Network security: Allow LocalSystem NULL session fallback | Disabled
System Services
Service | Startup Mode | Permissions | Auditing
Connected User Experiences and Telemetry | Disabled | No permissions specified | No auditing specified
MrxSmb10 | Disabled | No permissions specified | No auditing specified
Remote Registry | Automatic | No permissions specified | No auditing specified
Microsoft Account Sign-in Assistant | Disabled | No permissions specified | No auditing specified
XblAuthManager | Disabled | No permissions specified | No auditing specified
XblGameSave | Disabled | No permissions specified | No auditing specified
XboxGipSvc | Disabled | No permissions specified | No auditing specified
XboxNetApiSvc | Disabled | No permissions specified | No auditing specified
File System
%SystemDrive%\
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | Everyone | Read and Execute | This folder only
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow | BUILTIN\Users | Read and Execute | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Enabled
Auditing: No auditing specified

%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES | Read and Execute | This folder, subfolders and files
Allow | CREATOR OWNER | Full Control | Subfolders and files only
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing: No auditing specified

%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell_ise.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES | Read and Execute | This folder, subfolders and files
Allow | CREATOR OWNER | Full Control | Subfolders and files only
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing: No auditing specified

%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES | Read and Execute | This folder, subfolders and files
Allow | CREATOR OWNER | Full Control | Subfolders and files only
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing: No auditing specified

%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES | Read and Execute | This folder, subfolders and files
Allow | CREATOR OWNER | Full Control | Subfolders and files only
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing: No auditing specified
Advanced Audit Configuration
Account Logon
Policy | Setting
Audit Credential Validation | Success, Failure
Account Management
Policy | Setting
Audit Security Group Management | Success
Audit User Account Management | Success, Failure
Detailed Tracking
Policy | Setting
Audit PNP Activity | Success
Audit Process Creation | Success
Logon/Logoff
Policy | Setting
Audit Account Lockout | Failure
Audit Group Membership | Success
Audit Logon | Success, Failure
Audit Other Logon/Logoff Events | Success, Failure
Audit Special Logon | Success
Object Access
Policy | Setting
Audit Detailed File Share | Failure
Audit File Share | Success, Failure
Audit Other Object Access Events | Success, Failure
Audit Removable Storage | Success, Failure
Policy Change
Policy | Setting
Audit Audit Policy Change | Success
Audit Authentication Policy Change | Success
Audit MPSSVC Rule-Level Policy Change | Success, Failure
Audit Other Policy Change Events | Failure
Privilege Use
Policy | Setting
Audit Sensitive Privilege Use | Success, Failure
System
Policy | Setting
Audit Other System Events | Success, Failure
Audit Security State Change | Success
Audit Security System Extension | Success
Audit System Integrity | Success, Failure
Administrative Templates
Policy definitions (ADMX files) retrieved from the central store.
Control Panel
Policy | Setting | Comment
Allow Online Tips | Disabled
Control Panel/Personalization
Policy | Setting | Comment
Do not display the lock screen | Enabled
Force a specific default lock screen and logon image | Enabled
  Path to lock screen image: C:\windows\web\screen\img105.jpg
  Example: Using a local path: C:\windows\web\screen\lockscreen.jpg
  Example: Using a UNC path: \\Server\Share\Corp.jpg
Turn off fun facts, tips, tricks, and more on lock screen | Enabled
Prevent changing lock screen and logon image | Enabled | BSI
Prevent enabling lock screen camera | Enabled
Prevent enabling lock screen slide show | Enabled
Control Panel/Regional and Language Options
Policy | Setting | Comment
Allow users to enable online speech recognition services | Disabled | BSI
Control Panel/Regional and Language Options/Handwriting personalization
Policy | Setting | Comment
Turn off automatic learning | Enabled
gp-Pack: Privacy and Telemetry
Policy | Setting | Comment
23. Turn off sending data by MRT | Enabled
LAPS
Policy | Setting | Comment
Enable local admin password management | Enabled
Password Settings | Enabled
  Password Complexity: Large letters + small letters + numbers
  Password Length: 20
  Password Age (Days): 180
MS Security Guide
Policy | Setting | Comment
Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2) | Enabled
  Configure LanmanWorkstation dependencies: Bowser, MRxSmb20, NSI
Configure SMB v1 client driver | Enabled
  Configure MrxSmb10 driver: Disable driver (recommended)
Configure SMB v1 server | Disabled
Enable Structured Exception Handling Overwrite Protection (SEHOP) | Enabled
MSS (Legacy)
Policy | Setting | Comment
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) | Enabled
  DisableIPSourceRoutingIPv6: Highest protection, source routing is completely disabled
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | Enabled
  DisableIPSourceRouting: Highest protection, source routing is completely disabled
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Disabled
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled
Network/Fonts
Policy | Setting | Comment
Enable Font Providers | Disabled
Network/Lanman Workstation
Policy | Setting | Comment
Enable insecure guest logons | Disabled
Network/Link-Layer Topology Discovery
Policy | Setting | Comment
Turn on Mapper I/O (LLTDIO) driver | Disabled | BSI
Turn on Responder (RSPNDR) driver | Disabled | BSI
Network/Microsoft Peer-to-Peer Networking Services
Policy | Setting | Comment
Turn off Microsoft Peer-to-Peer Networking Services | Enabled | BSI, Delivery Optimization? WUpdate? Test
Network/Network Connections
Policy | Setting | Comment
Prohibit installation and configuration of Network Bridge on your DNS domain network | Enabled | BSI
Prohibit use of Internet Connection Sharing on your DNS domain network | Enabled | WDAG - Windows Defender Application Guard requires ICS as a NAT device for Internet access
Network/Network Connectivity Status Indicator
Policy | Setting | Comment
Specify corporate DNS probe host name | Enabled | Report to the BND instead of MS :-D
  Corporate DNS Probe Hostname: www.bnd.bund.de
  Specify a corporate host name to resolve to probe for corporate connectivity. Example: ncsi.corp.microsoft.com
Specify corporate Website probe URL | Enabled
  Corporate Website Probe URL: http://www.bnd.bund.de
  Specify the URL of the corporate website to use to probe for corporate connectivity. Example: http://ncsi.corp.microsoft.com/
Specify domain location determination URL | Enabled
  Corporate Domain Location Determination URL: https://www.bnd.bund.de
  Specify the HTTPS URL of the corporate website to use to determine inside or outside domain location. Example: https://nid.corp.microsoft.com/
Network/Network Provider
Policy | Setting | Comment
Hardened UNC Paths | Enabled
  Specify hardened network paths. In the name field, type a fully-qualified UNC path for each network resource. To secure all access to a share with a particular name, regardless of the server name, specify a server name of '*' (asterisk). For example, "\\*\NETLOGON". To secure all access to all shares hosted on a server, the share name portion of the UNC path may be omitted. For example, "\\SERVER". In the value field, specify one or more of the following options, separated by commas: 'RequireMutualAuthentication=1': Mutual authentication between the client and server is required to ensure the client connects to the correct server. 'RequireIntegrity=1': Communication between the client and server must employ an integrity mechanism to prevent data tampering. 'RequirePrivacy=1': Communication between the client and the server must be encrypted to prevent third parties from observing sensitive data.
  Hardened UNC Paths:
  \\*\SYSVOL | RequireMutualAuthentication=1,RequireIntegrity=1
  \\*\NETLOGON | RequireMutualAuthentication=1,RequireIntegrity=1
  You should require both Integrity and Mutual Authentication for any UNC paths that host executable programs, script files, or files that control security policies. Consider hosting files that do not require Integrity or Privacy on separate shares from those that absolutely need such security for optimal performance. For additional details on configuring Windows computers to require additional security when accessing specific UNC paths, visit http://support.microsoft.com/kb/3000483.
Network/TCPIP Settings/IPv6 Transition Technologies
Policy | Setting | Comment
Set Teredo State | Disabled
Network/Windows Connect Now
Policy | Setting | Comment
Configuration of wireless settings using Windows Connect Now | Disabled | BSI
Prohibit access of the Windows Connect Now wizards | Enabled | BSI
Network/Windows Connection Manager
Policy | Setting | Comment
Minimize the number of simultaneous connections to the Internet or a Windows Domain | Enabled | BSI
  Minimize Policy Options: 1 = Minimize simultaneous connections
Prohibit connection to non-domain networks when connected to domain authenticated network | Enabled
Network/WLAN Service/WLAN Settings
Policy | Setting | Comment
Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services | Disabled
SCM: Pass the Hash Mitigations
Policy | Setting | Comment
Apply UAC restrictions to local accounts on network logons | Not Configured | Enabled: prevents access to C$ when UAC is active. Not realistic in most networks
WDigest Authentication (disabling may require KB2871997) | Disabled | WDigest authentication is disabled in Windows 8.1
Start Menu and Taskbar/Notifications
Policy | Setting | Comment
Turn off notifications network usage | Enabled
System/Audit Process Creation
Policy | Setting | Comment
Include command line in process creation events | Disabled | BSI
System/Credentials Delegation
Policy | Setting | Comment
Encryption Oracle Remediation | Enabled
  Protection Level: Force Updated Clients
Remote host allows delegation of non-exportable credentials | Enabled
System/Device Guard
Policy | Setting | Comment
Turn On Virtualization Based Security | Enabled
  Select Platform Security Level: Secure Boot and DMA Protection
  Virtualization Based Protection of Code Integrity: Enabled without lock
  Require UEFI Memory Attributes Table: Disabled
  Credential Guard Configuration: Enabled without lock
  Secure Launch Configuration: Not Configured
System/Device Installation
Policy | Setting | Comment
Prevent device metadata retrieval from the Internet | Enabled
System/Device Installation/Device Installation Restrictions
Policy | Setting | Comment
Prevent installation of devices that match any of these device IDs | Not Configured | Prevents USB-C docking, no longer necessary as of 1803. https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt
Prevent installation of devices using drivers that match these device setup classes | Not Configured | Prevents USB-C docking, no longer necessary as of 1803. https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt
System/Early Launch Antimalware
Policy | Setting | Comment
Boot-Start Driver Initialization Policy | Enabled
  Choose the boot-start drivers that can be initialized: Good, unknown and bad but critical
System/Group Policy
Policy | Setting | Comment
Configure registry policy processing | Not Configured | BSI and all the others :-( HKCU\Software\Policies is safe from manipulation. See Registry DAC. That is the GP infrastructure concept. Applying registry.pol at every logon and at every refresh every 90 minutes generates unnecessary traffic and load. If the values cannot be changed, they only need to be set when the GPO is updated. That is the GPO versioning concept. It is no protection against manipulation by an administrator.
Configure web-to-app linking with app URI handlers | Disabled
Continue experiences on this device | Disabled
System/Internet Communication Management/Internet Communication settings
Policy | Setting | Comment
Turn off access to the Store | Enabled
Turn off downloading of print drivers over HTTP | Enabled | BSI
Turn off handwriting personalization data sharing | Enabled | BSI
Turn off handwriting recognition error reporting | Enabled | BSI
Turn off Internet download for Web publishing and online ordering wizards | Enabled
Turn off printing over HTTP | Enabled | BSI
Turn off Registration if URL connection is referring to Microsoft.com | Enabled | BSI
Turn off Search Companion content file updates | Enabled | BSI
Turn off the "Order Prints" picture task | Enabled | BSI
Turn off the "Publish to Web" task for files and folders | Enabled | BSI
Turn off Windows Customer Experience Improvement Program | Enabled
Turn off Windows Error Reporting | Enabled
Turn off Windows Network Connectivity Status Indicator active tests | Not Configured | .\Netzwerk\Netzwerkverbindungs-Statusanzeige\ refers to http://www.bnd.bund.de instead of MS :-) USE THE COMPANY WEBSITE!
System/Kernel DMA Protection
Policy | Setting | Comment
Enumeration policy for external devices incompatible with Kernel DMA Protection | Enabled
  Enumeration policy: Block all
System/Locale Services
Policy | Setting | Comment
Disallow copying of user input methods to the system account for sign-in | Enabled | BSI
System/Logon
Policy | Setting | Comment
Block user from showing account details on sign-in | Enabled | BSI
Do not display network selection UI | Enabled | BSI
Do not enumerate connected users on domain-joined computers | Enabled | BSI
Enumerate local users on domain-joined computers | Disabled
Turn off app notifications on the lock screen | Enabled | BSI
Turn off picture password sign-in | Enabled | BSI
Turn on convenience PIN sign-in | Enabled | Disabled (BSI): Required for Windows Hello. Hello recommended, individual PIN per system. Reduces password entry
System/Mitigation Options
Policy | Setting | Comment
Untrusted Font Blocking | Enabled | Prevents installing fonts via drag and drop. Installation only as SYSTEM or via the context menu entry "Install for all users". Reboot required. BSI; note this also exists as a rule in Exploit Guard, formerly EMET, in which case it lives in an XML file assigned via GPO.
  Mitigation Options: Log events without blocking untrusted fonts
System/OS Policies
Policy | Setting | Comment
Allow publishing of User Activities | Disabled
Allow upload of User Activities | Disabled
Enables Activity Feed | Disabled
System/Power Management/Sleep Settings
Policy | Setting | Comment
Allow standby states (S1-S3) when sleeping (on battery) | Disabled
Allow standby states (S1-S3) when sleeping (plugged in) | Disabled
Require a password when a computer wakes (on battery) | Enabled
Require a password when a computer wakes (plugged in) | Enabled
System/Remote Assistance
Policy | Setting | Comment
Configure Offer Remote Assistance | Disabled | BSI
Configure Solicited Remote Assistance | Disabled
System/Remote Procedure Call
Policy | Setting | Comment
Enable RPC Endpoint Mapper Client Authentication | Enabled | BSI
Restrict Unauthenticated RPC clients | Enabled | WDAG - "Authenticated without exceptions" (BSI, MSSCT) prevents Internet access for the sandbox. The VM cannot log on and therefore cannot use ICS. For WDAG set to "None" or "Authenticated"
  RPC Runtime Unauthenticated Client Restriction to Apply: Authenticated
System/Storage Health
Policy | Setting | Comment
Allow downloading updates to the Disk Failure Prediction Model | Disabled
System/Troubleshooting and Diagnostics/Microsoft Support Diagnostic Tool
Policy | Setting | Comment
Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider | Disabled | BSI
System/Troubleshooting and Diagnostics/Windows Performance PerfTrack
Policy | Setting | Comment
Enable/Disable PerfTrack | Disabled | BSI
System/User Profiles
Policy | Setting | Comment
Turn off the advertising ID | Enabled
Windows Components/App Package Deployment
Policy | Setting | Comment
Allow a Windows app to share application data between users | Disabled
Windows Components/App Privacy
Policy | Setting | Comment
Let Windows apps access account information | Enabled
  Default for all apps: Force Deny
  Put user in control of these specific apps (use Package Family Names):
  Force allow these specific apps (use Package Family Names):
  Force deny these specific apps (use Package Family Names):
Let Windows apps access an eye tracker device | Enabled
  Default for all apps: Force Deny
  Put user in control of these specific apps (use Package Family Names):
  Force allow these specific apps (use Package Family Names):
  Force deny these specific apps (use Package Family Names):
Let Windows apps access call history | Enabled
  Default for all apps: Force Deny
  Put user in control of these specific apps (use Package Family Names):
  Force allow these specific apps (use Package Family Names):
  Force deny these specific apps (use Package Family Names):
Let Windows apps access contacts | Enabled
  Default for all apps: Force Deny
  Put user in control of these specific apps (use Package Family Names):
  Force allow these specific apps (use Package Family Names):
  Force deny these specific apps (use Package Family Names):
Let Windows apps access diagnostic information about other apps | Enabled
  Default for all apps: Force Deny
  Put user in control of these specific apps (use Package Family Names):
  Force allow these specific apps (use Package Family Names):
  Force deny these specific apps (use Package Family Names):
Let Windows apps access email | Enabled
  Default for all apps: Force Deny
  Put user in control of these specific apps (use Package Family Names):
  Force allow these specific apps (use Package Family Names):
  Force deny these specific apps (use Package Family Names):
Let Windows apps access location | Enabled
  Default for all apps: Force Deny
  Put user in control of these specific apps (use Package Family Names):
  Force allow these specific apps (use Package Family Names):
  Force deny these specific apps (use Package Family Names):
Let Windows apps access messaging | Enabled
  Default for all apps: Force Deny
  Put user in control of these specific apps (use Package Family Names):
  Force allow these specific apps (use Package Family Names):
  Force deny these specific apps (use Package Family Names):
Let Windows apps access motion | Enabled
  Default for all apps: Force Deny
  Put user in control of these specific apps (use Package Family Names):
  Force allow these specific apps (use Package Family Names):
  Force deny these specific apps (use Package Family Names):
Let Windows apps access notifications | Enabled
  Default for all apps: Force Deny
  Put user in control of these specific apps (use Package Family Names):
  Force allow these specific apps (use Package Family Names):
  Force deny these specific apps (use Package Family Names):
Let Windows apps access Tasks | Enabled
  Default for all apps: Force Deny
  Put user in control of these specific apps (use Package Family Names):
  Force allow these specific apps (use Package Family Names):
  Force deny these specific apps (use Package Family Names):
Let Windows apps access the calendar | Enabled
  Default for all apps: Force Deny
  Put user in control of these specific apps (use Package Family Names):
  Force allow these specific apps (use Package Family Names):
  Force deny these specific apps (use Package Family Names):
Let Windows apps access the camera | Enabled | Video conferencing!
  Default for all apps: User is in control
  Put user in control of these specific apps (use Package Family Names):
  Force allow these specific apps (use Package Family Names):
  Force deny these specific apps (use Package Family Names):
Let Windows apps access the microphone | Enabled | Video conferencing!
  Default for all apps: User is in control
  Put user in control of these specific apps (use Package Family Names):
  Force allow these specific apps (use Package Family Names):
  Force deny these specific apps (use Package Family Names):
Let Windows apps access trusted devices | Enabled
  Default for all apps: Force Deny
  Put user in control of these specific apps (use Package Family Names):
  Force allow these specific apps (use Package Family Names):
  Force deny these specific apps (use Package Family Names):
Let Windows apps activate with voice | Enabled
  Default for all apps: User is in control
Let Windows apps activate with voice while the system is locked | Enabled
  Default for all apps: User is in control
Let Windows apps communicate with unpaired devices | Enabled
  Default for all apps: Force Deny
  Put user in control of these specific apps (use Package Family Names):
  Force allow these specific apps (use Package Family Names):
  Force deny these specific apps (use Package Family Names):
Let Windows apps control radios | Enabled
  Default for all apps: Force Deny
  Put user in control of these specific apps (use Package Family Names):
  Force allow these specific apps (use Package Family Names):
  Force deny these specific apps (use Package Family Names):
Let Windows apps make phone calls | Enabled
  Default for all apps: Force Deny
  Put user in control of these specific apps (use Package Family Names):
  Force allow these specific apps (use Package Family Names):
  Force deny these specific apps (use Package Family Names):
Let Windows apps run in the background | Enabled
  Default for all apps: User is in control
  Put user in control of these specific apps (use Package Family Names):
  Force allow these specific apps (use Package Family Names):
  Force deny these specific apps (use Package Family Names):
Windows Components/App runtime
Policy | Setting | Comment
Allow Microsoft accounts to be optional | Enabled
Block launching Universal Windows apps with Windows Runtime API access from hosted content. | Enabled | BSI, apps with geolocation: e.g. Amazon.PrimeVideo does not start. Error message as with SRP: The app was disabled by the administrator. Source: Apps, ID 5961, Microsoft\Windows\Apps\Microsoft-Windows-TWinUI/Operational:
  Aktivierungsfehler bei AmazonVideo.PrimeVideo_pwbj9vvecjh7j!App.
  Fehlercode: Dieses Programm wurde durch eine Gruppenrichtlinie geblockt.
  Wenden Sie sich an den Systemadministrator, um weitere Informationen zu
  erhalten.. Aktivierungsphase: Policy check
Windows Components/Application Compatibility
Policy | Setting | Comment
Turn off Application Telemetry | Enabled
Turn off Inventory Collector | Enabled
Turn off Steps Recorder | Enabled
Windows Components/AutoPlay Policies
Policy | Setting | Comment
Disallow Autoplay for non-volume devices | Enabled
Set the default behavior for AutoRun | Enabled
  Default AutoRun Behavior: Do not execute any autorun commands
Turn off Autoplay | Enabled
  Turn off Autoplay on: All drives
Windows Components/Biometrics/Facial Features
Policy | Setting | Comment
Configure enhanced anti-spoofing | Enabled
Windows Components/BitLocker Drive Encryption
PolicySettingComment
Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)EnabledBSI
1903: Removed, set to 128
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1903-and-windows-server/ba-p/701084
Select the encryption method for operating system drives:XTS-AES 256-bit
Select the encryption method for fixed data drives:XTS-AES 256-bit
Select the encryption method for removable data drives:AES-CBC 256-bit
PolicySettingComment
Disable new DMA devices when this computer is lockedEnabled
Windows Components/BitLocker Drive Encryption/Fixed Data Drives
Policy | Setting | Comment
Allow access to BitLocker-protected fixed data drives from earlier versions of Windows | Disabled | BSI
Choose how BitLocker-protected fixed drives can be recovered | Enabled | BSI
    Allow data recovery agent: Enabled
    Configure user storage of BitLocker recovery information:
        Allow 48-digit recovery password
        Allow 256-bit recovery key
    Omit recovery options from the BitLocker setup wizard: Disabled
    Save BitLocker recovery information to AD DS for fixed data drives: Enabled
    Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords only
    Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives: Enabled
Policy | Setting | Comment
Configure use of hardware-based encryption for fixed data drives | Disabled | Hardware vendor firmware problem.
    https://www.borncity.com/blog/2018/11/06/ssd-schwachstelle-hebelt-bitlocker-verschlsselung-aus/
Configure use of passwords for fixed data drives | Disabled | BSI
Windows Components/BitLocker Drive Encryption/Operating System Drives
Policy | Setting | Comment
Allow enhanced PINs for startup | Enabled
Allow Secure Boot for integrity validation | Enabled | BSI
Choose how BitLocker-protected operating system drives can be recovered | Enabled
    Allow data recovery agent: Enabled
    Configure user storage of BitLocker recovery information:
        Allow 48-digit recovery password
        Allow 256-bit recovery key
    Omit recovery options from the BitLocker setup wizard: Disabled
    Save BitLocker recovery information to AD DS for operating system drives: Enabled
    Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
    Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Enabled
Policy | Setting | Comment
Configure minimum PIN length for startup | Enabled | BSI
    Minimum characters: 10
Policy | Setting | Comment
Configure use of hardware-based encryption for operating system drives | Disabled | Hardware vendor firmware problem.
    https://www.borncity.com/blog/2018/11/06/ssd-schwachstelle-hebelt-bitlocker-verschlsselung-aus/
Configure use of passwords for operating system drives | Disabled | BSI
Enforce drive encryption type on operating system drives | Enabled
    Select the encryption type: Used Space Only encryption
Policy | Setting | Comment
Require additional authentication at startup | Enabled
    Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive): Disabled
    Settings for computers with a TPM:
    Configure TPM startup: Allow TPM
    Configure TPM startup PIN: Allow startup PIN with TPM
    Configure TPM startup key: Allow startup key with TPM
    Configure TPM startup key and PIN: Allow startup key and PIN with TPM
Windows Components/BitLocker Drive Encryption/Removable Data Drives
Policy | Setting | Comment
Allow access to BitLocker-protected removable data drives from earlier versions of Windows | Enabled
    Do not install BitLocker To Go Reader on FAT formatted removable drives: Disabled
Policy | Setting | Comment
Configure use of hardware-based encryption for removable data drives | Disabled | Hardware vendor firmware problem.
    https://www.borncity.com/blog/2018/11/06/ssd-schwachstelle-hebelt-bitlocker-verschlsselung-aus/
Deny write access to removable drives not protected by BitLocker | Enabled
    Do not allow write access to devices configured in another organization: Disabled
Windows Components/Cloud Content
Policy | Setting | Comment
Do not show Windows tips | Enabled
Turn off Microsoft consumer experiences | Enabled
Windows Components/Connect
Policy | Setting | Comment
Don't allow this PC to be projected to | Enabled | BSI
Windows Components/Credential User Interface
Policy | Setting | Comment
Do not display the password reveal button | Enabled | BSI
Enumerate administrator accounts on elevation | Disabled
Windows Components/Data Collection and Preview Builds
Policy | Setting | Comment
Allow Telemetry | Enabled
    0 - Security [Enterprise Only]
Policy | Setting | Comment
Configure the Commercial ID | Disabled
Do not show feedback notifications | Enabled
Limit Enhanced diagnostic data to the minimum required by Windows Analytics | Disabled
Windows Components/Delivery Optimization
Policy | Setting | Comment
Download Mode | Enabled
    Download Mode: Group (2)
Windows Components/Event Log Service/Application
Policy | Setting | Comment
Specify the maximum log file size (KB) | Enabled
    Maximum Log Size (KB): 32768
Windows Components/Event Log Service/Security
Policy | Setting | Comment
Specify the maximum log file size (KB) | Enabled
    Maximum Log Size (KB): 196608
Windows Components/Event Log Service/Setup
Policy | Setting | Comment
Specify the maximum log file size (KB) | Enabled
    Maximum Log Size (KB): 32768
Windows Components/Event Log Service/System
Policy | Setting | Comment
Specify the maximum log file size (KB) | Enabled
    Maximum Log Size (KB): 196608
Windows Components/File Explorer
Policy | Setting | Comment
Turn off Data Execution Prevention for Explorer | Disabled
Turn off heap termination on corruption | Enabled | BSI
Turn off shell protocol protected mode | Enabled | BSI
Windows Components/Find My Device
Policy | Setting | Comment
Turn On/Off Find My Device | Disabled
Windows Components/Internet Explorer
Policy | Setting | Comment
Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar | Disabled | BSI
Disable Periodic Check for Internet Explorer software updates | Enabled | BSI
Prevent bypassing SmartScreen Filter warnings | Enabled
Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet | Enabled
Prevent managing SmartScreen Filter | Enabled
    Select SmartScreen Filter mode: Off
Policy | Setting | Comment
Prevent per-user installation of ActiveX controls | Enabled
Security Zones: Do not allow users to add/delete sites | Enabled
Security Zones: Do not allow users to change policies | Enabled
Specify use of ActiveX Installer Service for installation of ActiveX controls | Enabled
Turn off browser geolocation | Enabled | BSI
Turn off Crash Detection | Enabled
Turn off the auto-complete feature for web addresses | Enabled | BSI
Turn off the Security Settings Check feature | Disabled
Turn on Suggested Sites | Disabled | BSI
Windows Components/Internet Explorer/Compatibility View
Policy | Setting | Comment
Turn off Compatibility View | Enabled
Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
Policy | Setting | Comment
Allow software to run or install even if the signature is invalid | Disabled
Check for server certificate revocation | Enabled
Check for signatures on downloaded programs | Enabled
Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled | Enabled
Turn off encryption support | Enabled
    Secure Protocol combinations: Use TLS 1.1 and TLS 1.2
Policy | Setting | Comment
Turn off the flip ahead with page prediction feature | Enabled
Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Enabled
Turn on Enhanced Protected Mode | Enabled
Windows Components/Internet Explorer/Internet Control Panel/Security Page
Policy | Setting | Comment
Intranet Sites: Include all network paths (UNCs) | Enabled
Turn on certificate address mismatch warning | Enabled
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
Policy | Setting | Comment
Access data sources across domains | Enabled
    Access data sources across domains: Disable
Policy | Setting | Comment
Allow cut, copy or paste operations from the clipboard via script | Enabled
    Allow paste operations via script: Disable
Policy | Setting | Comment
Allow drag and drop or copy and paste files | Enabled
    Allow drag and drop or copy and paste files: Disable
Policy | Setting | Comment
Allow loading of XAML files | Enabled
    XAML Files: Disable
Policy | Setting | Comment
Allow only approved domains to use ActiveX controls without prompt | Enabled
    Only allow approved domains to use ActiveX controls without prompt: Enable
Policy | Setting | Comment
Allow only approved domains to use the TDC ActiveX control | Enabled
    Only allow approved domains to use the TDC ActiveX control: Enable
Policy | Setting | Comment
Allow scripting of Internet Explorer WebBrowser controls | Enabled
    Internet Explorer web browser control: Disable
Policy | Setting | Comment
Allow script-initiated windows without size or position constraints | Enabled
    Allow script-initiated windows without size or position constraints: Disable
Policy | Setting | Comment
Allow scriptlets | Enabled
    Scriptlets: Disable
Policy | Setting | Comment
Allow updates to status bar via script | Enabled
    Status bar updates via script: Disable
Policy | Setting | Comment
Allow VBScript to run in Internet Explorer | Enabled
    Allow VBScript to run in Internet Explorer: Disable
Policy | Setting | Comment
Automatic prompting for file downloads | Enabled
    Automatic prompting for file downloads: Disable
Policy | Setting | Comment
Don't run antimalware programs against ActiveX controls | Enabled
    Don't run antimalware programs against ActiveX controls: Disable
Policy | Setting | Comment
Download signed ActiveX controls | Enabled
    Download signed ActiveX controls: Disable
Policy | Setting | Comment
Download unsigned ActiveX controls | Enabled
    Download unsigned ActiveX controls: Disable
Policy | Setting | Comment
Enable dragging of content from different domains across windows | Enabled
    Enable dragging of content from different domains across windows: Disable
Policy | Setting | Comment
Enable dragging of content from different domains within a window | Enabled
    Enable dragging of content from different domains within a window: Disable
Policy | Setting | Comment
Include local path when user is uploading files to a server | Enabled
    Include local directory path when uploading files to a server: Disable
Policy | Setting | Comment
Initialize and script ActiveX controls not marked as safe | Enabled
    Initialize and script ActiveX controls not marked as safe: Disable
Policy | Setting | Comment
Java permissions | Enabled
    Java permissions: Disable Java
Policy | Setting | Comment
Launching applications and files in an IFRAME | Enabled
    Launching applications and files in an IFRAME: Disable
Policy | Setting | Comment
Logon options | Enabled
    Logon options: Prompt for user name and password
Policy | Setting | Comment
Navigate windows and frames across different domains | Enabled
    Navigate windows and frames across different domains: Disable
Policy | Setting | Comment
Run .NET Framework-reliant components not signed with Authenticode | Enabled
    Run .NET Framework-reliant components not signed with Authenticode: Disable
Policy | Setting | Comment
Run .NET Framework-reliant components signed with Authenticode | Enabled
    Run .NET Framework-reliant components signed with Authenticode: Disable
Policy | Setting | Comment
Show security warning for potentially unsafe files | Enabled
    Launching programs and unsafe files: Prompt
Policy | Setting | Comment
Turn on Cross-Site Scripting Filter | Enabled
    Turn on Cross-Site Scripting (XSS) Filter: Enable
Policy | Setting | Comment
Turn on Protected Mode | Enabled
    Protected Mode: Enable
Policy | Setting | Comment
Turn on SmartScreen Filter scan | Enabled
    Use SmartScreen Filter: Enable
Policy | Setting | Comment
Use Pop-up Blocker | Enabled
    Use Pop-up Blocker: Enable
Policy | Setting | Comment
Userdata persistence | Enabled
    Userdata persistence: Disable
Policy | Setting | Comment
Web sites in less privileged Web content zones can navigate into this zone | Enabled
    Web sites in less privileged Web content zones can navigate into this zone: Disable
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
Policy | Setting | Comment
Don't run antimalware programs against ActiveX controls | Enabled
    Don't run antimalware programs against ActiveX controls: Disable
Policy | Setting | Comment
Initialize and script ActiveX controls not marked as safe | Enabled
    Initialize and script ActiveX controls not marked as safe: Disable
Policy | Setting | Comment
Java permissions | Enabled
    Java permissions: High safety
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone
Policy | Setting | Comment
Don't run antimalware programs against ActiveX controls | Enabled
    Don't run antimalware programs against ActiveX controls: Disable
Policy | Setting | Comment
Java permissions | Enabled
    Java permissions: Disable Java
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone
Policy | Setting | Comment
Turn on SmartScreen Filter scan | Enabled
    Use SmartScreen Filter: Enable
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone
Policy | Setting | Comment
Java permissions | Enabled
    Java permissions: Disable Java
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone
Policy | Setting | Comment
Java permissions | Enabled
    Java permissions: Disable Java
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone
Policy | Setting | Comment
Java permissions | Enabled
    Java permissions: Disable Java
Policy | Setting | Comment
Turn on SmartScreen Filter scan | Enabled
    Use SmartScreen Filter: Enable
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone
Policy | Setting | Comment
Java permissions | Enabled
    Java permissions: Disable Java
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
Policy | Setting | Comment
Access data sources across domains | Enabled
    Access data sources across domains: Disable
Policy | Setting | Comment
Allow active scripting | Enabled
    Allow active scripting: Disable
Policy | Setting | Comment
Allow binary and script behaviors | Enabled
    Allow Binary and Script Behaviors: Disable
Policy | Setting | Comment
Allow cut, copy or paste operations from the clipboard via script | Enabled
    Allow paste operations via script: Disable
Policy | Setting | Comment
Allow drag and drop or copy and paste files | Enabled
    Allow drag and drop or copy and paste files: Disable
Policy | Setting | Comment
Allow file downloads | Enabled
    Allow file downloads: Disable
Policy | Setting | Comment
Allow loading of XAML files | Enabled
    XAML Files: Disable
Policy | Setting | Comment
Allow META REFRESH | Enabled
    Allow META REFRESH: Disable
Policy | Setting | Comment
Allow only approved domains to use ActiveX controls without prompt | Enabled
    Only allow approved domains to use ActiveX controls without prompt: Enable
Policy | Setting | Comment
Allow only approved domains to use the TDC ActiveX control | Enabled
    Only allow approved domains to use the TDC ActiveX control: Enable
Policy | Setting | Comment
Allow scripting of Internet Explorer WebBrowser controls | Enabled
    Internet Explorer web browser control: Disable
Policy | Setting | Comment
Allow script-initiated windows without size or position constraints | Enabled
    Allow script-initiated windows without size or position constraints: Disable
Policy | Setting | Comment
Allow scriptlets | Enabled
    Scriptlets: Disable
Policy | Setting | Comment
Allow updates to status bar via script | Enabled
    Status bar updates via script: Disable
Policy | Setting | Comment
Allow VBScript to run in Internet Explorer | Enabled
    Allow VBScript to run in Internet Explorer: Disable
Policy | Setting | Comment
Automatic prompting for file downloads | Enabled
    Automatic prompting for file downloads: Disable
Policy | Setting | Comment
Don't run antimalware programs against ActiveX controls | Enabled
    Don't run antimalware programs against ActiveX controls: Disable
Policy | Setting | Comment
Download signed ActiveX controls | Enabled
    Download signed ActiveX controls: Disable
Policy | Setting | Comment
Download unsigned ActiveX controls | Enabled
    Download unsigned ActiveX controls: Disable
Policy | Setting | Comment
Enable dragging of content from different domains across windows | Enabled
    Enable dragging of content from different domains across windows: Disable
Policy | Setting | Comment
Enable dragging of content from different domains within a window | Enabled
    Enable dragging of content from different domains within a window: Disable
Policy | Setting | Comment
Include local path when user is uploading files to a server | Enabled
    Include local directory path when uploading files to a server: Disable
Policy | Setting | Comment
Initialize and script ActiveX controls not marked as safe | Enabled
    Initialize and script ActiveX controls not marked as safe: Disable
Policy | Setting | Comment
Java permissions | Enabled
    Java permissions: Disable Java
Policy | Setting | Comment
Launching applications and files in an IFRAME | Enabled
    Launching applications and files in an IFRAME: Disable
Policy | Setting | Comment
Logon options | Enabled
    Logon options: Anonymous logon
Policy | Setting | Comment
Navigate windows and frames across different domains | Enabled
    Navigate windows and frames across different domains: Disable
Policy | Setting | Comment
Run .NET Framework-reliant components not signed with Authenticode | Enabled
    Run .NET Framework-reliant components not signed with Authenticode: Disable
Policy | Setting | Comment
Run .NET Framework-reliant components signed with Authenticode | Enabled
    Run .NET Framework-reliant components signed with Authenticode: Disable
Policy | Setting | Comment