Group Policy Management
SECNET Client Policy v1.0
Data collected on: 5/20/2020 1:57:09 AM
General
Details
Domain: secnetwork.org
Owner: SECNET\Domain Admins
Created: 5/20/2020 1:07:52 AM
Modified: 5/20/2020 1:57:02 AM
User Revisions: 1 (AD), 1 (SYSVOL)
Computer Revisions: 2 (AD), 2 (SYSVOL)
Unique ID: {D013651B-EAE9-4E88-A7A3-CBB3E99DD777}
GPO Status: Enabled
Links
Location | Enforced | Link Status | Path
Clients | No | Enabled | secnetwork.org/SECNET/Systems/Clients

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users
Delegation
These groups and users have the specified permission for this GPO
Name | Allowed Permissions | Inherited
NT AUTHORITY\Authenticated Users | Read (from Security Filtering) | No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read | No
NT AUTHORITY\SYSTEM | Edit settings, delete, modify security | No
SECNET\Domain Admins | Edit settings, delete, modify security | No
SECNET\Enterprise Admins | Edit settings, delete, modify security | No
Computer Configuration (Enabled)
Policies
Windows Settings
Scripts
Startup
For this GPO, Script order: Not configured
Name | Parameters
update_lockscreen.bat
Security Settings
Local Policies/User Rights Assignment
Policy | Setting
Access this computer from the network | BUILTIN\Administrators, BUILTIN\Users
Allow log on locally | BUILTIN\Users, BUILTIN\Administrators
Change the system time | BUILTIN\Users, BUILTIN\Administrators
Change the time zone | BUILTIN\Users, BUILTIN\Administrators
Deny log on as a batch job | S-1-5-21-784353420-3702341198-3415767222-519, S-1-5-21-784353420-3702341198-3415767222-512
Deny log on as a service | S-1-5-21-784353420-3702341198-3415767222-519, S-1-5-21-784353420-3702341198-3415767222-512
Deny log on locally | BUILTIN\Guests
Deny log on through Terminal Services | BUILTIN\Guests
Shut down the system | BUILTIN\Users, BUILTIN\Administrators
Local Policies/Security Options
Audit
Policy | Setting
Audit: Shut down system immediately if unable to log security audits | Disabled
Shutdown
Policy | Setting
Shutdown: Allow system to be shut down without having to log on | Enabled
Other
Policy | Setting
Accounts: Block Microsoft accounts | This policy is disabled
System Services
Wired AutoConfig (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
WlanSvc (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Wired Network (802.3) Policies
SECNET Wired Network Policy
Name: SECNET Wired Network Policy
Description: SECNET Wired Network Policy
Global Settings
Setting | Value
Use Windows wired LAN network services for clients | Enabled
Shared user credentials for network authentication | Enabled
Network Profile
Security Settings
Enable use of IEEE 802.1X authentication for network access: Enabled
Enforce use of IEEE 802.1X authentication for network access: Disabled
IEEE 802.1X Settings
Computer Authentication: Computer only
Maximum Authentication Failures: 3
Maximum EAPOL-Start Messages Sent
Held Period (seconds)
Start Period (seconds)
Authentication Period (seconds)
Network Authentication Method Properties
Authentication method: Protected EAP (PEAP)
Validate server certificate: Enabled
Connect to these servers
Do not prompt user to authorize new servers or trusted certification authorities: Disabled
Enable fast reconnect: Enabled
Disconnect if server does not present cryptobinding TLV: Disabled
Enforce network access protection: Disabled
Authentication Method Configuration
Authentication method: Secured password (EAP-MSCHAP v2)
Automatically use my Windows logon name and password (and domain if any): Enabled
Public Key Policies/Trusted Root Certification Authorities
Certificates
Issued To | Issued By | Expiration Date | Intended Purposes
DoD Root CA 3 | DoD Root CA 3 | 12/30/2029 1:46:41 PM | <All>

For additional information about individual settings, launch the Local Group Policy Object Editor.
Administrative Templates
Policy definitions (ADMX files) retrieved from the local computer.
Network/Windows Connection Manager
Policy | Setting | Comment
Prohibit connection to non-domain networks when connected to domain authenticated network | Enabled
System/Audit Process Creation
Policy | Setting | Comment
Include command line in process creation events | Enabled
System/Credentials Delegation
Policy | Setting | Comment
Encryption Oracle Remediation | Enabled
Protection Level: Mitigated
System/Internet Communication Management/Internet Communication settings
Policy | Setting | Comment
Turn off Internet download for Web publishing and online ordering wizards | Enabled
System/Logon
Policy | Setting | Comment
Always use classic logon | Enabled
Assign a default credential provider | Enabled
Assign the following credential provider as the default credential provider: {8FD7E19C-3BF7-489B-A72C-846AB3678C96}
Enter the CLSID of a credential provider to be the default credential provider. For example: {ba0dd1d5-9754-4ba3-973c-40dce7901283}
Policy | Setting | Comment
Do not display network selection UI | Disabled
Do not enumerate connected users on domain-joined computers | Enabled
Enumerate local users on domain-joined computers | Disabled
Show first sign-in animation | Disabled
Turn off app notifications on the lock screen | Enabled
Turn off picture password sign-in | Enabled
Turn on convenience PIN sign-in | Disabled
System/Mitigation Options
Policy | Setting | Comment
Untrusted Font Blocking | Enabled
Mitigation Options: Block untrusted fonts and log events
System/Power Management/Sleep Settings
Policy | Setting | Comment
Allow standby states (S1-S3) when sleeping (plugged in) | Disabled
Specify the system sleep timeout (plugged in) | Enabled
System Sleep Timeout (seconds): 0
System/Remote Procedure Call
Policy | Setting | Comment
Enable RPC Endpoint Mapper Client Authentication | Enabled
System/Removable Storage Access
Policy | Setting | Comment
All Removable Storage classes: Deny all access | Enabled
All Removable Storage: Allow direct access in remote sessions | Disabled
CD and DVD: Deny execute access | Enabled
CD and DVD: Deny read access | Enabled
CD and DVD: Deny write access | Enabled
Floppy Drives: Deny execute access | Enabled
Floppy Drives: Deny read access | Enabled
Floppy Drives: Deny write access | Enabled
Removable Disks: Deny execute access | Enabled
Removable Disks: Deny read access | Enabled
Removable Disks: Deny write access | Enabled
Windows Components/Biometrics
Policy | Setting | Comment
Allow domain users to log on using biometrics | Disabled
Allow the use of biometrics | Disabled
Allow users to log on using biometrics | Disabled
Windows Components/Biometrics/Facial Features
Policy | Setting | Comment
Configure enhanced anti-spoofing | Enabled
Windows Components/BitLocker Drive Encryption
Policy | Setting | Comment
Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) | Enabled
Require BitLocker backup to AD DS: Enabled
If selected, cannot turn on BitLocker if backup fails (recommended default).
If not selected, can turn on BitLocker even if backup fails. Backup is not automatically retried.
Select BitLocker recovery information to store: Recovery passwords and key packages
A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive.
A key package contains a drive's BitLocker encryption key secured by one or more recovery passwords.
Key packages may help perform specialized recovery when the disk is damaged or corrupted.
Windows Components/BitLocker Drive Encryption/Operating System Drives
Policy | Setting | Comment
Allow Secure Boot for integrity validation | Enabled
Choose how BitLocker-protected operating system drives can be recovered | Enabled
Allow data recovery agent: Enabled
Configure user storage of BitLocker recovery information:
Allow 48-digit recovery password
Allow 256-bit recovery key
Omit recovery options from the BitLocker setup wizard: Disabled
Save BitLocker recovery information to AD DS for operating system drives: Enabled
Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Enabled
Policy | Setting | Comment
Disallow standard users from changing the PIN or password | Enabled
Enable use of BitLocker authentication requiring preboot keyboard input on slates | Enabled
Enforce drive encryption type on operating system drives | Enabled
Select the encryption type:
Policy | Setting | Comment
Require additional authentication at startup | Enabled
Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive): Enabled
Settings for computers with a TPM:
Configure TPM startup: Allow TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Configure TPM startup key: Allow startup key with TPM
Configure TPM startup key and PIN: Allow startup key and PIN with TPM
Windows Components/BitLocker Drive Encryption/Removable Data Drives
Policy | Setting | Comment
Configure use of hardware-based encryption for removable data drives | Enabled
Use BitLocker software-based encryption when hardware encryption is not available: Enabled
Restrict encryption algorithms and cipher suites allowed for hardware-based encryption: Disabled
Restrict crypto algorithms or cipher suites to the following: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42
Policy | Setting | Comment
Control use of BitLocker on removable drives | Enabled
Allow users to apply BitLocker protection on removable data drives: Enabled
Allow users to suspend and decrypt BitLocker protection on removable data drives: Disabled
Policy | Setting | Comment
Deny write access to removable drives not protected by BitLocker | Enabled
Do not allow write access to devices configured in another organization: Enabled
Policy | Setting | Comment
Enforce drive encryption type on removable data drives | Enabled
Select the encryption type:
Windows Components/Cloud Content
Policy | Setting | Comment
Do not show Windows tips | Enabled
Turn off Microsoft consumer experiences | Enabled
Windows Components/Credential User Interface
Policy | Setting | Comment
Do not display the password reveal button | Enabled
Windows Components/Data Collection and Preview Builds
Policy | Setting | Comment
Allow Telemetry | Enabled
0 - Security [Enterprise Only]
Windows Components/Edge UI
Policy | Setting | Comment
Disable help tips | Enabled
Windows Components/Internet Explorer/Internet Control Panel/Security Page
Policy | Setting | Comment
Site to Zone Assignment List | Enabled
Enter the zone assignments here.
https://*.secnetwork.org | 1
https://sso.8x8.com | 2
https://portal.office.com | 2
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
Policy | Setting | Comment
Logon options | Enabled
Logon options: Automatic logon with current username and password
Policy | Setting | Comment
Turn off first-run prompt | Enabled
First-Run Opt-In: Disable
Policy | Setting | Comment
Turn on Protected Mode | Enabled
Protected Mode: Disable
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone
Policy | Setting | Comment
Logon options | Enabled
Logon options: Automatic logon with current username and password
Policy | Setting | Comment
Turn off first-run prompt | Enabled
First-Run Opt-In: Disable
Policy | Setting | Comment
Turn on Protected Mode | Enabled
Protected Mode: Disable
Windows Components/Search
Policy | Setting | Comment
Allow Cortana | Disabled
Allow Cortana above lock screen | Disabled
Allow indexing of encrypted files | Enabled
Do not allow web search | Enabled
Windows Components/Smart Card
Policy | Setting | Comment
Turn on Smart Card Plug and Play service | Enabled
Windows Components/Sync your settings
Policy | Setting | Comment
Do not sync | Enabled
Allow users to turn syncing on: Disabled
Windows Components/Windows Defender Antivirus
Policy | Setting | Comment
Turn off Windows Defender Antivirus | Disabled
Windows Components/Windows Defender SmartScreen/Explorer
Policy | Setting | Comment
Configure Windows Defender SmartScreen | Enabled
Pick one of the following settings:
Windows Components/Windows Error Reporting
Policy | Setting | Comment
Disable Windows Error Reporting | Disabled
Do not send additional data | Enabled
Do not throttle additional data | Enabled
Prevent display of the user interface for critical errors | Enabled
Windows Components/Windows Error Reporting/Advanced Error Reporting Settings
Policy | Setting | Comment
Configure Report Archive | Enabled
Archive behavior: Store all
Maximum number of reports to store: 500
Policy | Setting | Comment
Configure Report Queue | Enabled
Queuing behavior: Always queue
Maximum number of reports to queue: 50
Maximum size of the queue (MB): 1024
Minimum free disk space (MB): 2800
Number of days between solution check reminders: 14
Windows Components/Windows Error Reporting/Consent
Policy | Setting | Comment
Configure Default consent | Enabled
Consent level: Send all data
Policy | Setting | Comment
Ignore custom consent settings | Enabled
Windows Components/Windows PowerShell
Policy | Setting | Comment
Turn on PowerShell Script Block Logging | Enabled
Log script block invocation start / stop events: Enabled
Extra Registry Settings
Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.

Setting | State
SOFTWARE\Policies\Microsoft\Windows Mail\DisableCommunities | 1
SOFTWARE\Policies\Microsoft\Windows Mail\ManualLaunchAllowed | 0
Preferences
Windows Settings
Registry
Portal (Order: 1)
General
Action: Create
Properties
Hive: HKEY_LOCAL_MACHINE
Key path: SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup
Value name: Portal
Value type: REG_SZ
Value data: vpn.secnetwork.org
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Remove this item when it is no longer applied: No
Apply once and do not reapply: No
User Configuration (Enabled)
No settings defined.