Policy CSP - ADMX_CredUI

Artikel
13-02-2025

Tip

This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

EnableSecureCredentialPrompting

Scope	Editions	Applicable OS
✅ Device ❌ User	✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC	✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later

Device

./Device/Vendor/MSFT/Policy/Config/ADMX_CredUI/EnableSecureCredentialPrompting

This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user's Windows credentials.

Notitie

This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled.

If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism.
If you disable or don't configure this policy setting, users will enter Windows credentials within the user's desktop session, potentially allowing malicious code access to the user's Windows credentials.

Description framework properties:

Property name	Property value
Format	`chr` (string)
Access Type	Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name	Value
Name	EnableSecureCredentialPrompting
Friendly Name	Require trusted path for credential entry
Location	Computer Configuration
Path	Windows Components > Credential User Interface
Registry Key Name	Software\Microsoft\Windows\CurrentVersion\Policies\CredUI
Registry Value Name	EnableSecureCredentialPrompting
ADMX File Name	CredUI.admx

NoLocalPasswordResetQuestions

Scope	Editions	Applicable OS
✅ Device ❌ User	✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC	✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later

Device

./Device/Vendor/MSFT/Policy/Config/ADMX_CredUI/NoLocalPasswordResetQuestions

If you turn this policy setting on, local users won't be able to set up and use security questions to reset their passwords.

Description framework properties:

Property name	Property value
Format	`chr` (string)
Access Type	Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name	Value
Name	NoLocalPasswordResetQuestions
Friendly Name	Prevent the use of security questions for local accounts
Location	Computer Configuration
Path	Windows Components > Credential User Interface
Registry Key Name	Software\Policies\Microsoft\Windows\System
Registry Value Name	NoLocalPasswordResetQuestions
ADMX File Name	CredUI.admx

Policy configuration service provider

Aanvullende resources

Documentatie

CSP criteri ADMX_Sharing

Altre informazioni sull'area ADMX_Sharing in Policy CSP.More about the ADMX_Sharing Area in Policy CSP.
Provider di servizi di configurazione criteri stampanti

Altre informazioni sull'area Stampanti in Policy CSP.
CSP criteri ADMX_DeviceGuard

Altre informazioni sull'area ADMX_DeviceGuard in Policy CSP.More about the ADMX_DeviceGuard Area in Policy CSP.
Provider di servizi di configurazione dei criteri DataUsage

Altre informazioni sull'area DataUsage in Policy CSP.More about the DataUsage Area in Policy CSP.
CSP criteri ADMX_SharedFolders

Altre informazioni sull'area ADMX_SharedFolders in Policy CSP.More about the ADMX_SharedFolders Area in Policy CSP.
CSP criteri ADMX_GroupPolicy

Altre informazioni sull'area ADMX_GroupPolicy in Policy CSP.More about the ADMX_GroupPolicy Area in Policy CSP.
CSP criteri ADMX_MSAPolicy

Altre informazioni sull'area ADMX_MSAPolicy in Policy CSP.More about the ADMX_MSAPolicy Area in Policy CSP.
CredentialsUI Policy CSP

Altre informazioni sull'area CredentialsUI in Policy CSP.More about the CredentialsUI Area in Policy CSP.

Training

Module

Proteggere gli account utente di Windows Server - Training

Questo modulo illustra come proteggere il proprio ambiente Active Directory proteggendo gli account utente con il principio dei privilegi minimi e inserendoli nel gruppo Utenti protetti. Spiega come limitare l'ambito di autenticazione e correggere gli account potenzialmente non sicuri.

Certificering

Microsoft Certified: Information Protection and Compliance Administrator Associate - Certifications

Illustrare i concetti fondamentali della protezione dei dati, della gestione del ciclo di vita, della protezione delle informazioni e della conformità per proteggere una distribuzione di Microsoft 365.

Delen via

Policy CSP - ADMX_CredUI

EnableSecureCredentialPrompting

NoLocalPasswordResetQuestions

Feedback

Aanvullende resources

Delen via

Policy CSP - ADMX_CredUI

EnableSecureCredentialPrompting

NoLocalPasswordResetQuestions

Related articles

Feedback

Aanvullende resources