The following security options are read for Windows machines.

NOTE: Not all security options apply to all Windows versions.

  • Accounts: Administrator account status
  • Accounts: Block Microsoft accounts
  • Accounts: Guest account status
  • Accounts: Limit local account use of blank passwords to console logon only
  • Accounts: Rename administrator account
  • Accounts: Rename guest account
  • App Runtime: Allow Microsoft accounts to be optional
  • Audit Process Creation: Include command line in process creation events
  • Audit: Audit the access of global system objects
  • Audit: Audit the use of Backup and Restore privilege
  • Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
  • Audit: Shut down system immediately if unable to log security audits
  • AutoPlay Policies: Disallow Autoplay for non-volume devices
  • AutoPlay Policies: Set the default behavior for AutoRun
  • AutoPlay Policies: Turn off Autoplay
  • Biometrics: Configure enhanced anti-spoofing
  • Cloud Content: Turn off Microsoft consumer experiences
  • Connect: Require pin for pairing
  • Credential User Interface: Do not display the password reveal button
  • Credential User Interface: Enumerate administrator accounts on elevation
  • Credentials Delegation: Encryption Oracle Remediation
  • Credentials Delegation: Remote host allows delegation of non-exportable credentials
  • Data Collection and Preview Builds: Allow Diagnostics Data
  • Data Collection and Preview Builds: Allow Telemetry
  • Data Collection and Preview Builds: Do not show feedback notifications
  • Data Collection and Preview Builds: Toggle user control over Insider builds
  • DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
  • DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
  • Devices: Allow undock without having to log on
  • Devices: Allowed to format and eject removable media
  • Devices: Prevent users from installing printer drivers
  • Devices: Restrict CD-ROM access to locally logged-on user only
  • Devices: Restrict floppy access to locally logged-on user only
  • DNS Client: Turn off multicast name resolution
  • Domain controller: Allow server operators to schedule tasks
  • Domain controller: LDAP server signing requirements
  • Domain controller: Refuse machine account password changes
  • Domain member: Digitally encrypt or sign secure channel data (always)
  • Domain member: Digitally encrypt secure channel data (when possible)
  • Domain member: Digitally sign secure channel data (when possible)
  • Domain member: Disable machine account password changes
  • Domain member: Maximum machine account password age
  • Domain member: Require strong (Windows 2000 or later) session key
  • Early Launch Antimalware: Boot-Start Driver Initialization Policy
  • EMET: Default Action and Mitigation Settings: Anti Detours
  • EMET: Default Action and Mitigation Settings: Banned Functions
  • EMET: Default Action and Mitigation Settings: Deep Hooks
  • EMET: Default Action and Mitigation Settings: Exploit Action
  • EMET: System ASLR
  • EMET: System DEP
  • EMET: System SEHOP
  • Event Log: Application: Control Event Log behavior when the log file reaches its maximum size
  • Event Log: Application: Specify the maximum log file size (KB)
  • Event Log: Security: Control Event Log behavior when the log file reaches its maximum size
  • Event Log: Security: Specify the maximum log file size (KB)
  • Event Log: Setup: Control Event Log behavior when the log file reaches its maximum size
  • Event Log: Setup: Specify the maximum log file size (KB)
  • Event Log: System: Control Event Log behavior when the log file reaches its maximum size
  • Event Log: System: Specify the maximum log file size (KB)
  • File Explorer: Configure Windows SmartScreen
  • File Explorer: Enable Microsoft Defender SmartScreen
  • File Explorer: Microsoft Defender SmartScreen Level
  • File Explorer: Turn off Data Execution Prevention for Explorer
  • File Explorer: Turn off heap termination on corruption
  • File Explorer: Turn off shell protocol protected mode
  • Group Policy: Continue experiences on this device
  • Group Policy: Registry policy processing: Do not apply during periodic background processing
  • Group Policy: Registry policy processing: Process even if the Group Policy objects have not changed
  • Group Policy: Turn off background refresh of Group Policy
  • Interactive logon: Display user information when the session is locked
  • Interactive logon: Don't display last signed-in
  • Interactive logon: Do not require CTRL+ALT+DEL
  • Interactive logon: Machine account lockout threshold
  • Interactive logon: Machine inactivity limit
  • Interactive logon: Message text for users attempting to log on
  • Interactive logon: Message title for users attempting to log on
  • Interactive logon: Number of previous logons to cache (in case domain controller is not available)
  • Interactive logon: Prompt user to change password before expiration
  • Interactive logon: Require Domain Controller authentication to unlock workstation
  • Interactive logon: Require smart card
  • Interactive logon: Smart card removal behavior
  • Internet Communication settings: Turn off access to the Store
  • Internet Communication Settings: Turn off downloading of print drivers over HTTP
  • Internet Communication Settings: Turn off handwriting personalization data sharing
  • Internet Communication Settings: Turn off handwriting recognition error reporting
  • Internet Communication Settings: Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com
  • Internet Communication Settings: Turn off Internet download for Web publishing and online ordering wizards
  • Internet Communication Settings: Turn off printing over HTTP
  • Internet Communication Settings: Turn off Registration if URL connection is referring to Microsoft.com
  • Internet Communication Settings: Turn off Search Companion content file updates
  • Internet Communication Settings: Turn off the "Order Prints" picture task
  • Internet Communication Settings: Turn off the "Publish to Web" task for files and folders
  • Internet Communication Settings: Turn off the Windows Messenger Customer Experience Improvement Program
  • Internet Communication Settings: Turn off Windows Customer Experience Improvement Program
  • Internet Communication Settings: Turn off Windows Error Reporting
  • Internet Explorer: Disable Internet Explorer as a stand alone browser
  • Internet Explorer: Prevent downloading of enclosures
  • IPv6: Disabled Components
  • Lanman Workstation: Enable insecure guest logons
  • Locale Services: Disallow copying of user input methods to the system account for sign-in
  • Location and Sensors: Turn off location
  • Logon: Block user from showing account details on sign-in
  • Logon: Do not display network selection UI
  • Logon: Do not enumerate connected users on domain-joined computers
  • Logon: Enumerate local users on domain-joined computers
  • Logon: Turn off app notifications on the lock screen
  • Logon: Turn off picture password sign-in
  • Logon: Turn on convenience PIN sign-in
  • Microsoft Accounts: Block all consumer Microsoft account user authentication
  • Microsoft Defender Antivirus: Configure detection for potentially unwanted applications
  • Microsoft Defender Antivirus: Configure local setting override for reporting to Microsoft MAPS
  • Microsoft Defender Antivirus: Configure Watson events
  • Microsoft Defender Antivirus: Join Microsoft MAPS
  • Microsoft Defender Antivirus: Prevent users and apps from accessing dangerous websites
  • Microsoft Defender Antivirus: Scan removable drives
  • Microsoft Defender Antivirus: Turn off Microsoft Defender AntiVirus
  • Microsoft Defender Antivirus: Turn on behavior monitoring
  • Microsoft Defender Antivirus: Turn on e-mail scanning
  • Microsoft network client: Digitally sign communications (always)
  • Microsoft network client: Digitally sign communications (if server agrees)
  • Microsoft network client: Enable SMB version 1 protocol
  • Microsoft network client: Send unencrypted password to connect to third-party SMB servers
  • Microsoft network server: Amount of idle time required before suspending a session
  • Microsoft network server: Attempt S4U2Self to obtain claim information
  • Microsoft network server: Digitally sign communications (always)
  • Microsoft network server: Digitally sign communications (if client agrees)
  • Microsoft network server: Disconnect clients when logon hours expire
  • Microsoft network server: Enable SMB version 1 protocol
  • Microsoft network server: Enable SMB version 2 protocol
  • Microsoft network server: Server SPN target name validation level
  • Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider
  • MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
  • MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
  • MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
  • MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
  • MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
  • MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
  • MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)
  • MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
  • MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
  • MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted
  • MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted
  • MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
  • Network access: Allow anonymous SID/Name translation
  • Network access: Do not allow anonymous enumeration of SAM accounts
  • Network access: Do not allow anonymous enumeration of SAM accounts and shares
  • Network access: Do not allow storage of passwords and credentials for network authentication
  • Network access: Let Everyone permissions apply to anonymous users
  • Network access: Named pipes that can be accessed anonymously
  • Network access: Remotely accessible registry paths
  • Network access: Remotely accessible registry paths and subpaths
  • Network access: Restrict anonymous access to Named Pipes and Shares
  • Network access: Restrict clients allowed to make remote calls to SAM
  • Network access: Shares that can be accessed anonymously
  • Network access: Sharing and security model for local accounts
  • Network Connections: Prohibit installation and configuration of Network Bridge on your DNS domain network
  • Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network
  • Network Connections: Require domain users to elevate when setting a network's location
  • Network Provider: Hardened UNC Paths
  • Network security: Allow Local System to use computer identity for NTLM
  • Network security: Allow LocalSystem NULL session fallback
  • Network security: Allow PKU2U authentication requests to this computer to use online identities.
  • Network security: Configure encryption types allowed for Kerberos
  • Network security: Do not store LAN Manager hash value on next password change
  • Network security: Force logoff when logon hours expire
  • Network security: LAN Manager authentication level
  • Network security: LDAP client signing requirements
  • Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
  • Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
  • Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
  • Network security: Restrict NTLM: Add server exceptions in this domain
  • Network security: Restrict NTLM: Audit Incoming NTLM Traffic
  • Network security: Restrict NTLM: Audit NTLM authentication in this domain
  • Network security: Restrict NTLM: Incoming NTLM traffic
  • Network security: Restrict NTLM: NTLM authentication in this domain
  • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
  • OneDrive: Prevent the usage of OneDrive for file storage
  • Personalization: Prevent enabling lock screen camera
  • Personalization: Prevent enabling lock screen slide show
  • Recovery console: Allow automatic administrative logon
  • Recovery console: Allow floppy copy and access to all drives and all folders
  • Regional and Language Options: Allow users to enable online speech recognition services
  • Remote Assistance: Allow Offer Remote Assistance
  • Remote Assistance: Allow Solicited Remote Assistance
  • Remote Desktop Connection Client: Do not allow passwords to be saved
  • Remote Procedure Call: Enable RPC Endpoint Mapper Client Authentication
  • Remote Procedure Call: Restrict Unauthenticated RPC clients
  • Search: Allow Cloud Search
  • Search: Allow indexing of encrypted files
  • Secure Channel: Enable SSL 3.0 (Client)
  • Secure Channel: Enable SSL 3.0 (Server)
  • Secure Channel: Enable TLS 1.0 (Client)
  • Secure Channel: Enable TLS 1.0 (Server)
  • Secure Channel: Enable TLS 1.1 (Client)
  • Secure Channel: Enable TLS 1.1 (Server)
  • Secure Channel: Enable TLS 1.2 (Client)
  • Secure Channel: Enable TLS 1.2 (Server)
  • Security Providers: WDigest Authentication
  • Shutdown: Allow system to be shut down without having to log on
  • Shutdown: Clear virtual memory pagefile
  • Sleep Settings: Require a password when a computer wakes (on battery)
  • Sleep Settings: Require a password when a computer wakes (plugged in)
  • System Cryptography: Force strong key protection for user keys stored on the computer
  • System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
  • System objects: Require case insensitivity for non-Windows subsystems
  • System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
  • System settings: Optional subsystems
  • System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
  • TCP/IP: NetBT NodeType
  • Turn off Microsoft Peer-to-Peer Networking Services
  • Turn on Mapper I/O (LLTDIO) driver
  • Turn on Responder (RSPNDR) driver
  • User Account Control: Admin Approval Mode for the built-in Administrator account
  • User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
  • User Account Control: Apply UAC restrictions to local accounts on network logons
  • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
  • User Account Control: Behavior of the elevation prompt for standard users
  • User Account Control: Detect application installations and prompt for elevation
  • User Account Control: Only elevate executables that are signed and validated
  • User Account Control: Only elevate UIAccess applications that are installed in secure locations
  • User Account Control: Run all administrators in Admin approval mode
  • User Account Control: Switch to the secure desktop when prompting for elevation
  • User Account Control: Virtualize file and registry write failures to per-user locations
  • Windows Connect Now: Configuration of wireless settings using Windows Connect Now
  • Windows Connect Now: Prohibit access of the Windows Connect Now wizards
  • Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain
  • Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network
  • Windows Ink Workspace: Allow Windows Ink Workspace
  • Windows Installer: Allow user control over installs
  • Windows Installer: Always install with elevated privileges
  • Windows Installer: Prevent Internet Explorer security prompt for Windows Installer scripts
  • Windows Logon Options: Sign-in and lock last interactive user automatically after a restart
  • Windows Performance PerfTrack: Enable/Disable PerfTrack
  • Windows PowerShell: Turn on PowerShell Script Block Logging
  • Windows PowerShell: Turn on PowerShell Transcription
  • Windows Security: App and browser protection: Prevent users from modifying settings
  • Windows Update: Defer feature updates
  • Windows Update: Manage preview builds
  • Windows Update: Manage preview builds (Branch Readiness Level)

The following settings are only read by the XIA Configuration Client when they are configured in a group policy object. If they are configured locally they are not displayed; however, information about the Administrator and Guest accounts can also be viewed in the "Local User Accounts" section.

  • Accounts: Administrator account status
  • Accounts: Guest account status
  • Accounts: Rename administrator account
  • Accounts: Rename guest account
  • Network access: Allow anonymous SID/Name translation
  • Network security: Force logoff when logon hours expire