Configuration Manager Policies

Last update: 03.12.2025

ThreatLocker Configuration Manager allows you to quickly design policies that help mitigate the most common threat vectors.  

This article describes the types of policies we offer and what each one does when applied to your organization.

Note: This article only contains information about the new Configuration Manager policies. Legacy Configuration Manager policies will not be included in this article. 

Zero Day Security Policies

CVE-2013-3900 WinVerifyTrust Signature Validation

This Zero-Day policy handles a vulnerability in WinVerifyTrust Signature Validation by adding registry keys as recommended in Microsoft’s documentation: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900 
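The registry change Microsoft documents for CVE-2013-3900 is the EnableCertPaddingCheck value under the Wintrust\Config key (and its Wow6432Node twin on 64-bit Windows). The following is an added example, not ThreatLocker's own implementation of the policy, that applies and verifies that mitigation directly so you can check what an endpoint ends up with:

```powershell
# Added example (not ThreatLocker code): apply and verify Microsoft's documented
# mitigation for CVE-2013-3900. Run as Administrator.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)

function Get-ApplicableWintrustPaths {
    # The Wow6432Node hive only exists on 64-bit Windows.
    $paths | Where-Object { $_ -notlike '*Wow6432Node*' -or [Environment]::Is64BitOperatingSystem }
}

function Set-CertPaddingCheck {
    foreach ($p in Get-ApplicableWintrustPaths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        # Microsoft documents the value as REG_SZ "1", not a DWORD.
        New-ItemProperty -Path $p -Name EnableCertPaddingCheck -PropertyType String -Value '1' -Force | Out-Null
    }
}

function Test-CertPaddingCheck {
    # Returns $true only when every applicable key carries the string value "1".
    $ok = $true
    foreach ($p in Get-ApplicableWintrustPaths) {
        $v = (Get-ItemProperty -Path $p -Name EnableCertPaddingCheck -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        if ($v -ne '1') { Write-Warning "$p`: EnableCertPaddingCheck is '$v'"; $ok = $false }
    }
    return $ok
}

Set-CertPaddingCheck
Test-CertPaddingCheck
```

Once the padding check is on, Authenticode signatures that carry extra data in the signature padding no longer validate, so some installers that were previously treated as signed will be reported as unsigned. Test the change against your application allowlist before rolling it out broadly.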

CVE-2023-36563: MS WordPad Vulnerability

This Zero-Day policy addresses the Microsoft WordPad information disclosure vulnerability, in which WordPad's handling of objects in memory can allow an attacker to access sensitive information. 

CVE-2023-36884: Windows Search Remote Code Execution Vulnerability

This Zero-Day policy mitigates a remote code execution vulnerability that is triggered through Windows Search files carried in maliciously crafted Office Open XML (OOXML) documents by preventing Microsoft Office applications from creating child processes. 
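Preventing Office from spawning child processes is also what Defender's attack surface reduction rule "Block all Office applications from creating child processes" does, which Microsoft recommended as a mitigation for this CVE. The following added example (not ThreatLocker's policy implementation) enables that rule in audit mode first and reads back its state; the rule GUID is Microsoft's:

```powershell
# Added example: the Defender ASR rule that blocks Office child processes.
# Requires Defender Antivirus with real-time protection on; run as Administrator.
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Set-OfficeChildProcessRule {
    param([ValidateSet('AuditMode','Enabled','Disabled')] [string]$Action = 'AuditMode')
    # Start in AuditMode: Defender logs what would have been blocked as event ID 1122
    # (1121 once Enabled) in Microsoft-Windows-Windows Defender/Operational.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                     -AttackSurfaceReductionRules_Actions $Action
}

function Get-OfficeChildProcessRuleState {
    $pref = Get-MpPreference
    for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
        if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $OfficeChildProcRule) {
            # Actions are stored numerically: 0 = Disabled, 1 = Enabled, 2 = AuditMode, 6 = Warn
            switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
                0 { return 'Disabled' } 1 { return 'Enabled' } 2 { return 'AuditMode' } 6 { return 'Warn' }
                default { return 'Unknown' }
            }
        }
    }
    return 'NotConfigured'
}

function Get-OfficeChildProcessAuditEvents {
    # Review these before switching from AuditMode to Enabled to catch legitimate
    # add-ins or line-of-business tooling that launches from Office.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$OfficeChildProcRule*" } |
        Select-Object TimeCreated, Id, Message
}

Set-OfficeChildProcessRule -Action AuditMode
Get-OfficeChildProcessRuleState
```

Switch to Enabled only after the audit events show nothing you need; exceptions for specific binaries go through Add-MpPreference -AttackSurfaceReductionOnlyExclusions rather than disabling the rule.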

CVE-2023-44487: HTTP/2 Rapid Reset Attack

This Zero-Day policy addresses the Rapid Reset technique, which abuses the stream multiplexing feature of the HTTP/2 protocol: a client rapidly opens and resets many streams, consuming server resources with each cycle. The policy prevents the resulting denial of service. 

AD Hardening Policies

CVE-2021-34527 Windows Print Spooler Vulnerability (Print Nightmare)

This Zero-Day policy disables the Print Spooler Service to mitigate the risk of exploitation from improper privileged file operations by the Windows Print Spooler, which allows an attacker to execute arbitrary code with SYSTEM privileges. Consequently, an attacker could install programs, view, modify, or delete data, and create new accounts with full user rights. 

System Audit Policies - Local GPO

Audit File System

This policy setting enables auditing of user attempts to access file system objects. A security audit event is generated only for objects with specified system access control lists (SACLs) and only if the requested access type (such as Write, Read, or Modify) and the requesting account match the SACL settings. With this configuration, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits will log successful access attempts, while Failure audits will log unsuccessful attempts. The volume of audit events depends on the configuration of file system SACLs. You can set a SACL on a file system object via the Security tab in the object's Properties dialog box.

For more information about enabling object access auditing, please refer to this guide: https://go.microsoft.com/fwlink/?LinkId=122083
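Enabling the subcategory produces nothing on its own; the events only appear once a SACL is on the object. The following added example (not part of the ThreatLocker policy) turns the subcategory on, places a write/delete audit rule on a directory, and reads back the resulting 4663 events. The directory path is a placeholder:

```powershell
# Added example: end-to-end object access auditing. Run as Administrator.
$target = 'C:\Finance\Payroll'   # hypothetical directory

# 1. The subcategory this policy controls, for both success and failure.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol.exe /get /subcategory:"File System"

# 2. A SACL: audit Write and Delete by Everyone, inherited by subfolders and files.
function Add-FileAuditRule {
    param([string]$Path, [string]$Identity = 'Everyone',
          [System.Security.AccessControl.FileSystemRights]$Rights = 'Write, Delete',
          [System.Security.AccessControl.AuditFlags]$Flags = 'Success, Failure')
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule($Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', $Flags)
    $acl = Get-Acl -Path $Path -Audit        # -Audit is required to read and write the SACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
if (-not (Test-Path $target)) { New-Item -ItemType Directory -Path $target | Out-Null }
Add-FileAuditRule -Path $target

# 3. Generate an audited access and pull the events it produced.
Set-Content -Path (Join-Path $target 'test.txt') -Value 'audit me'
function Get-RecentFileAccessEvents {
    param([string]$PathFilter, [int]$Minutes = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-$Minutes) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[6].Value -like "$PathFilter*" } |
        Select-Object TimeCreated,
            @{ n = 'Account'; e = { $_.Properties[1].Value } },
            @{ n = 'Object';  e = { $_.Properties[6].Value } },
            @{ n = 'Process'; e = { $_.Properties[11].Value } },
            @{ n = 'Access';  e = { $_.Properties[8].Value.Trim() } }
}
Get-RecentFileAccessEvents -PathFilter $target | Format-Table -AutoSize
```

Scope SACLs to the directories that matter. Auditing Read on a busy share floods the Security log (and your SIEM) with 4663 events and rolls the useful ones out of the log.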

Windows Defender Management

Configure Defender SmartScreen 

This policy provides control over the activation of Microsoft Defender SmartScreen. SmartScreen enhances PC security by alerting users before executing potentially harmful programs downloaded from the Internet. It displays an interstitial dialog as a precautionary measure before running an app downloaded from the Internet that is either unrecognized or known to be malicious. No dialog is presented for apps deemed non-suspicious. Some data about files and programs executed on PCs with this feature enabled is shared with Microsoft. 

Enabling this policy activates SmartScreen for all users. Its behavior can be further adjusted with the following options:  

  • Warn and prevent bypass: Enabling this option ensures that SmartScreen dialogs will not offer users the option to disregard the warning and run the app. Subsequent attempts to run the app will continue to display the warning.  
  • Warn: Enabling this option prompts SmartScreen dialogs to warn users about potentially suspicious apps but allows users to bypass the warning and run the app regardless. SmartScreen will not reissue the warning for that app if the user instructs SmartScreen to proceed with running it. 

Disabling this policy turns off SmartScreen for all users, eliminating warnings for suspicious apps downloaded from the Internet. 

If left unconfigured, SmartScreen is enabled by default, although users can adjust their settings accordingly. 
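The three states above correspond to two policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\System, which is what the equivalent Group Policy ("Configure Windows Defender SmartScreen" under File Explorer) writes. The following added example (not ThreatLocker's code) sets and reads them:

```powershell
# Added example: policy registry values behind SmartScreen for File Explorer.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Set-SmartScreenPolicy {
    param([ValidateSet('Block','Warn','Off','NotConfigured')] [string]$Mode)
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    switch ($Mode) {
        'Off' {   # policy Disabled: SmartScreen off for all users
            Set-ItemProperty $key EnableSmartScreen 0 -Type DWord
            Remove-ItemProperty $key ShellSmartScreenLevel -ErrorAction SilentlyContinue
        }
        'NotConfigured' {   # Windows default (on), user-adjustable
            Remove-ItemProperty $key EnableSmartScreen, ShellSmartScreenLevel -ErrorAction SilentlyContinue
        }
        default {   # Block = "Warn and prevent bypass", Warn = "Warn"
            Set-ItemProperty $key EnableSmartScreen 1 -Type DWord
            Set-ItemProperty $key ShellSmartScreenLevel $Mode -Type String
        }
    }
}

function Get-SmartScreenPolicy {
    $p = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if ($null -eq $p -or $null -eq $p.EnableSmartScreen) { return 'NotConfigured' }
    if ($p.EnableSmartScreen -eq 0) { return 'Off' }
    return $p.ShellSmartScreenLevel   # 'Block' or 'Warn'
}

Set-SmartScreenPolicy -Mode Block
Get-SmartScreenPolicy
```

This controls SmartScreen for files and apps run from Explorer. Microsoft Edge has its own SmartScreen policies under HKLM\SOFTWARE\Policies\Microsoft\Edge (SmartScreenEnabled, PreventSmartScreenPromptOverride), so a browser-level bypass is possible unless those are set too.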

Configure Defender Virus & Protection Settings 

This policy manages Microsoft Defender Virus & Threat Protection settings, encompassing real-time protection, cloud-delivered protection, automatic sample submission, tamper protection, and exclusions. Below are detailed descriptions of each option: 

  • Real-time protection: Prevents malware from installing or running on your device. When enabled, Windows Defender is enabled and monitored by the ThreatLocker agent. This setting can be turned off for a short time before Windows automatically turns it back on. 
  • Cloud-delivered protection: Provides increased & faster protection with access to the latest protection data in the cloud. This works best with Automatic Sample Submission turned on.  
  • Automatic Sample Submission: Automatically submits suspicious files and samples to Microsoft for analysis, enhancing threat detection capabilities. Users will receive notifications regarding files that may contain personal information. They will be given the option to skip sending this information to Microsoft.  
  • Tamper protection: Prevent malicious apps from changing important Microsoft Defender Antivirus settings, including real-time protection and cloud-delivered protection.  
  • Exclusions: Microsoft Defender Antivirus will not scan items that have been excluded. Excluded items could contain threats that make your device vulnerable.  

Enabling the policy will set and monitor the specified options. Disabling the policy maintains the current state of options without monitoring. Setting the policy to Not Configured will enable the options (Windows default behavior) without monitoring them.
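The settings this policy monitors are all visible through the Defender cmdlets. The following added example (not the ThreatLocker agent's code) reports the current state, sets the first three options, and flags exclusions broad enough to hide a payload, which is the item most often abused once an attacker has local admin:

```powershell
# Added example: audit and enforce the Defender settings listed above. Run as Administrator.
function Get-DefenderPostureReport {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        CloudProtection     = $pref.MAPSReporting -ne 0        # 0 Disabled, 1 Basic, 2 Advanced
        SampleSubmission    = $pref.SubmitSamplesConsent        # 0 AlwaysPrompt, 1 SendSafeSamples, 2 NeverSend, 3 SendAllSamples
        TamperProtection    = $status.IsTamperProtected         # read-only here; it is managed from Intune/Security Center, not Set-MpPreference
        ExclusionPaths      = @($pref.ExclusionPath)
        ExclusionProcesses  = @($pref.ExclusionProcess)
        ExclusionExtensions = @($pref.ExclusionExtension)
    }
}

function Set-DefenderBaseline {
    Set-MpPreference -DisableRealtimeMonitoring $false `
                     -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendSafeSamples
}

function Find-RiskyExclusions {
    # Whole drives, user-writable folders and executable extensions defeat scanning
    # for exactly the places malware is dropped.
    $r = Get-DefenderPostureReport
    $r.ExclusionPaths      | Where-Object { $_ -match '^[A-Za-z]:\\?$|\\Users\\|\\Temp\\|\\Downloads\\|\\ProgramData\\$' }
    $r.ExclusionProcesses  | Where-Object { $_ -match '(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$' }
    $r.ExclusionExtensions | Where-Object { $_ -match '(?i)^\.?(exe|dll|ps1|bat|cmd|js|vbs|hta|scr)$' }
}

Set-DefenderBaseline
Get-DefenderPostureReport | Format-List
Find-RiskyExclusions
```

Two caveats for the "Turn off Defender Antivirus" policy that follows: with tamper protection on, Defender ignores the DisableAntiSpyware registry value on client versions of Windows, and Defender also steps aside automatically when a registered third-party antivirus is present. Verify the effective state with Get-MpComputerStatus rather than trusting the policy value alone.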

Turn off Defender Antivirus 

This policy setting turns off Microsoft Defender Antivirus.  

If you set this policy to Enable Policy, Microsoft Defender Antivirus does not run, and will not scan computers for malware or other potentially unwanted software. 

If you set this policy to Disable Policy, Microsoft Defender Antivirus will run regardless of any other installed antivirus product. 

Windows Service Management

Delivery Optimization Service 

WARNING: The use of this policy may block updates from Windows. 

Note: Delivery Optimization Service is only supported on Windows 10, Windows Server 2016 or greater. 

The Delivery Optimization Configuration enables peer-to-peer distribution of updates, which can help reduce bandwidth usage when downloading Windows updates and other content from Microsoft. To ensure this policy functions correctly the "Download Mode" Local Group Policy located at "Computer Configuration/Administrative Templates/Windows Components/Delivery Optimization" needs to be set to "Not Configured" 

Policy Enabled: Select one of the options in the Download Mode dropdown. The selected value will be applied on all local machines that this policy is assigned to. 

Policy Disabled: The last "Download Mode" set will remain on the local machine and this value will not be monitored. 

Policy Not Configured: The policy will remove the "Download Mode" value and not monitor for any changes. 
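The Download Mode the policy sets is the DODownloadMode policy value, and the mode numbers are Microsoft's. The following added example (not ThreatLocker's code) mirrors the three policy states and shows what Delivery Optimization is actually doing on the machine:

```powershell
# Added example: Delivery Optimization Download Mode via its policy value.
$doKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
# 0 HTTP only, 1 LAN peers, 2 Group (same domain/site/tenant), 3 Internet peers,
# 99 Simple (no peering, no cloud service), 100 Bypass (BITS instead of DO)
$modes = @{ HttpOnly = 0; Lan = 1; Group = 2; Internet = 3; Simple = 99; Bypass = 100 }

function Set-DODownloadMode {
    param([ValidateSet('HttpOnly','Lan','Group','Internet','Simple','Bypass','NotConfigured')] [string]$Mode)
    if ($Mode -eq 'NotConfigured') {   # same as the policy's Not Configured: remove the value
        Remove-ItemProperty -Path $doKey -Name DODownloadMode -ErrorAction SilentlyContinue
        return
    }
    if (-not (Test-Path $doKey)) { New-Item -Path $doKey -Force | Out-Null }
    Set-ItemProperty -Path $doKey -Name DODownloadMode -Value $modes[$Mode] -Type DWord
}

function Get-DODownloadMode {
    $v = (Get-ItemProperty -Path $doKey -Name DODownloadMode -ErrorAction SilentlyContinue).DODownloadMode
    if ($null -eq $v) { return 'NotConfigured' }
    $name = ($modes.GetEnumerator() | Where-Object { $_.Value -eq $v }).Name
    if ($name) { $name } else { "Unknown($v)" }
}

Set-DODownloadMode -Mode Group
Get-DODownloadMode
# What the service is doing right now, including the mode it resolved to per file:
Get-DeliveryOptimizationStatus | Format-Table FileId, Status, DownloadMode -AutoSize
```

From a security standpoint, Internet (3) exchanges content with arbitrary peers on the public internet; LAN (1) or Group (2) keeps peering inside your network or tenant. If the Local Group Policy "Download Mode" is set, it overwrites this value on the next policy refresh, which is why the note above requires it to be Not Configured.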

Local Built-In Account Management

Administrator account status 

This security setting determines whether the local Administrator account is enabled or disabled. 

If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. Another member of the Administrator group will need to reset the password of the reenabled Administrator account.  

Disabling the Administrator account can become a maintenance issue under certain circumstances. When a computer is booted using Safe Mode, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active Administrator accounts. If the computer is domain joined, the disabled Administrator account will not be enabled. 

Block Microsoft accounts

There are two options if this setting is enabled:

  • "Users can't add Microsoft accounts" permits existing connected accounts to continue to sign in to the device (and appear on the sign-in screen) using the linked Microsoft account. It prevents users from using the Settings app to add new connected accounts (or connecting local accounts to Microsoft accounts). 
  • "Users can't add or log on with Microsoft accounts" prevents users from adding new connected accounts (or connecting local accounts to Microsoft accounts) and from using existing connected accounts through Settings. 

This setting does not affect adding a Microsoft account for application authentication. For example, if this setting is enabled, a user can still provide a Microsoft account for authentication with an application such as Mail, but the user cannot use the Microsoft account for single sign-on authentication for other applications or services (in other words, the user will be prompted to authenticate for other applications or services). 

Disable Guest Account

Setting the configuration status to Enable Policy will disable the Guest Account on the local machines the policy is applied to. Setting the configuration status to Disable Policy or Not Configured will result in the ThreatLocker Agent not monitoring or enforcing the Guest Account to be disabled. 

Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. 

Hide administrator account from logon screen 

This security setting hides the built-in Administrator account from the logon screen so it does not appear in the user selection list when the computer starts. Reducing the visibility of privileged accounts during logon limits their exposure to casual discovery. 

When this policy is disabled or deleted, the administrator account will again be visible on the logon screen as this is the default Windows behavior. 

Rename administrator account 

This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. 

Note: The Administrator account must be active in order to rename it. 

Set administrator account password 

This security setting allows for the updating/setting of the local administrator password. The Administrator account holds elevated privileges and is crucial for managing various aspects of the system. By setting or updating the password, you ensure that this account remains secure and that only authorized individuals can access and perform administrative tasks on the computer. It is an essential step in maintaining the overall security and integrity of the system, helping to protect sensitive information and prevent unauthorized access. 

Note: The Administrator account must be enabled/active for the password to be set/updated. This policy will not impact Windows Domain Controller Servers. 

ThreatLocker administrator password system 

The ThreatLocker Local Administrator Password System (TLAPS) is a security tool which can be leveraged to regularly change and update the password of the administrator account on each computer that this policy is assigned to. 

The options allow you to set the length of the password from 8 to 20 characters. A different randomly generated password of the specified length will be created and set for the administrator accounts of each computer the policy applies to. 

The password life can be set from 5 to 90 days. On computers assigned this policy, passwords will automatically be changed at the end of the password life, creating a new, random, unique password with the specified character length. 
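The policies in this section all act on the same two well-known accounts, and the usual mistake is to address them by name, which breaks as soon as the Administrator account is renamed. The following added example (not TLAPS or the ThreatLocker agent) resolves them by RID instead and walks through the same steps: enable, rename, hide from the logon screen, set a random password of a given length, disable Guest, and block Microsoft accounts. The replacement account name and the password character set are assumptions; the registry paths are the ones the equivalent Windows policies use:

```powershell
# Added example: built-in account hardening by RID. Run as Administrator.
function Get-BuiltInLocalUser {
    param([ValidateSet(500,501)] [int]$Rid)   # 500 = Administrator, 501 = Guest
    Get-LocalUser | Where-Object { $_.SID.Value -like "S-1-5-21-*-$Rid" }
}

function New-RandomPassword {
    param([ValidateRange(8,20)] [int]$Length = 20)   # same bounds as the TLAPS option
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*+-=?@'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $limit = 256 - (256 % $chars.Length)   # reject bytes >= limit to avoid modulo bias
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

function Invoke-AdminAccountHardening {
    param([string]$NewName = 'LocalOps',   # hypothetical replacement name
          [switch]$Enable, [switch]$HideFromLogon, [int]$PasswordLength = 20)
    $admin = Get-BuiltInLocalUser -Rid 500
    # Rename and password changes need the account enabled (see the notes above).
    if (-not $admin.Enabled) {
        if ($Enable) { Enable-LocalUser -SID $admin.SID }
        else { throw 'Built-in Administrator is disabled; enable it first or pass -Enable.' }
    }
    if ($admin.Name -ne $NewName) { Rename-LocalUser -SID $admin.SID -NewName $NewName }
    $pw = New-RandomPassword -Length $PasswordLength
    Set-LocalUser -SID $admin.SID -Password (ConvertTo-SecureString $pw -AsPlainText -Force)
    # Hand $pw to your vault here; this script only returns it.
    if ($HideFromLogon) {
        # Hidden accounts are listed under Winlogon\SpecialAccounts\UserList with value 0.
        $ul = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
        if (-not (Test-Path $ul)) { New-Item -Path $ul -Force | Out-Null }
        Set-ItemProperty -Path $ul -Name $NewName -Value 0 -Type DWord
    }
    # Guest (RID 501) off; check the SMB "Guest only" caveat above first.
    Get-BuiltInLocalUser -Rid 501 | Where-Object Enabled | Disable-LocalUser
    # Block Microsoft accounts: 1 = can't add, 3 = can't add or log on.
    Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name NoConnectedUser -Value 3 -Type DWord
    return $pw
}

$newPassword = Invoke-AdminAccountHardening -Enable -HideFromLogon
```

Hiding an account from the logon screen does not disable it; it still accepts network logons and "Run as". Rotating the password regularly, as TLAPS does, is what limits the damage when one machine's local password is captured and tried against the rest of the fleet.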

Local User Account Management

Enforce user access control settings 

WARNING: Use of this policy in conjunction with Elevation Control may cause excessive pending reboot popup messages on the target machines 

When this security setting is enabled, it helps prevent harmful programs from making changes to your computer. 

The following options are available for you on the dropdown for "UAC will notify when":

Always notify: 

  • Notify you when programs try to install software or make changes to your computer. 
  • Notify you when you make changes to Windows settings.
  • Freeze other tasks until you respond.
  • Note: This option is recommended if you routinely install new software or visit unfamiliar websites. 

Notify me when apps try to make changes to my computer:

  • Notify you when programs try to install software or make changes to your computer.
  • Not notify you when you make changes to Windows settings.
  • Freeze other tasks until you respond.
  • Note: This option is recommended if you routinely install new software or visit unfamiliar websites, but you don't want to be notified when you make changes to Windows settings. 

Notify me when apps try to make changes to my computer (do not dim my desktop):

  • Notify you when programs try to install software or make changes to your computer.
  • Not notify you when you make changes to Windows settings. 
  • Not freeze other tasks or wait for a response. 
  • Note: This option is only recommended if it takes a long time to dim the desktop on your computer. Otherwise, it's recommended to choose one of the above options. 

Never notify (Disable UAC) will:

  • Not notify you when programs try to install software or make changes to your computer.
  • Not notify you when you make changes to Windows settings.
  • Not freeze other tasks or wait for a response.
  • Note: This option isn't recommended due to security concerns. 
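The four dropdown choices above are the positions of the UAC slider, which is a front end for three registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The following added example (not the ThreatLocker policy's code) makes that mapping explicit, which is useful when you need to tell a slider position apart from a genuinely disabled UAC:

```powershell
# Added example: UAC slider positions expressed as their registry values.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacLevels = @{
    # ConsentPromptBehaviorAdmin: 2 = prompt for everything on the secure desktop,
    # 5 = prompt only for non-Windows binaries, 0 = elevate silently.
    # PromptOnSecureDesktop: 1 = dim the desktop (the prompt cannot be spoofed or clicked by other apps).
    AlwaysNotify        = @{ ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1; EnableLUA = 1 }
    NotifyAppsOnly      = @{ ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1; EnableLUA = 1 }
    NotifyAppsOnlyNoDim = @{ ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0; EnableLUA = 1 }
    NeverNotify         = @{ ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0; EnableLUA = 1 }
}

function Set-UacLevel {
    param([ValidateSet('AlwaysNotify','NotifyAppsOnly','NotifyAppsOnlyNoDim','NeverNotify')] [string]$Level)
    foreach ($kv in $uacLevels[$Level].GetEnumerator()) {
        Set-ItemProperty -Path $uacKey -Name $kv.Key -Value $kv.Value -Type DWord
    }
}

function Get-UacLevel {
    $p = Get-ItemProperty -Path $uacKey
    # EnableLUA=0 is the real "UAC off": no filtered admin tokens at all. It needs a reboot
    # to change and breaks Microsoft Store apps, which is why the slider never sets it.
    if ($p.EnableLUA -eq 0) { return 'UacDisabled' }
    foreach ($name in $uacLevels.Keys) {
        $want = $uacLevels[$name]
        if ($p.ConsentPromptBehaviorAdmin -eq $want.ConsentPromptBehaviorAdmin -and
            $p.PromptOnSecureDesktop -eq $want.PromptOnSecureDesktop) { return $name }
    }
    return "Custom (ConsentPromptBehaviorAdmin=$($p.ConsentPromptBehaviorAdmin), PromptOnSecureDesktop=$($p.PromptOnSecureDesktop))"
}

Set-UacLevel -Level AlwaysNotify
Get-UacLevel
```

The "Never notify" slider position still leaves EnableLUA at 1, so administrators keep a filtered token and elevation happens silently; only the Group Policy "Run all administrators in Admin Approval Mode" (EnableLUA=0) switches UAC off entirely. The reboot prompts mentioned in the warning above come from changes to EnableLUA, not from the other two values.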

Minimum password length

This security setting determines the least number of characters that a password for a user account may contain. 

The maximum value for this setting is dependent on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting is not defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. 

Setting the required number of characters to 0 removes the requirement to set a password. 

Note: By default, member computers follow the configuration of their domain controllers. 

Minimum/Maximum password age

This security setting determines the minimum period (in days) that a password must be used before the user can change it, and the maximum period (in days) that a password can be used before the user must change it. 

The minimum password age can be set between 0 and 998 days (0 allows changes immediately); the maximum password age can be set between 1 and 999 days, or to 0 so that passwords never expire. The minimum password age must be less than the maximum password age unless the maximum password age is set to 0. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. Note: Traditional guidance is to have passwords expire every 30 to 90 days, depending on your environment, so that an attacker has a limited amount of time in which to crack a user's password and use it to access network resources. Current NIST guidance (SP 800-63B) recommends against forced periodic rotation unless there is evidence of compromise, so weigh the expiry interval against the weaker passwords that frequent changes tend to produce. 

Password must meet complexity requirements 

This security setting determines whether passwords must meet complexity requirements. 

If this policy is enabled, passwords must meet the following minimum requirements: 

  • Not contain the user's account name or parts of the user's full name that exceed two consecutive characters 
  • Be at least six characters in length
  • Contain characters from three of the following four categories 
    • English uppercase characters (A through Z) 
    • English lowercase characters (a through z) 
    • Base 10 digits (0 through 9) 
    • Non-alphabetic characters (for example, !, $, #, %) 

Complexity requirements are enforced when passwords are changed or created. 
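The three password settings above live in the local security database. Length and age can be read and written with net accounts; complexity has no command-line switch and is exported and re-imported with secedit. The following added example (not ThreatLocker's code) does both and enforces the minimum-less-than-maximum rule described above before writing:

```powershell
# Added example: read and set the local password policy. Run as Administrator.
# On a domain-joined member the domain policy takes precedence over these values.
function Get-LocalPasswordPolicy {
    $inf = Join-Path $env:TEMP 'secpol.inf'
    secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $text = Get-Content $inf -Raw
    Remove-Item $inf -Force
    $get = { param($n) if ($text -match "(?m)^$n\s*=\s*(-?\d+)") { [int]$Matches[1] } }
    [pscustomobject]@{
        MinimumPasswordLength = & $get 'MinimumPasswordLength'
        MinimumPasswordAge    = & $get 'MinimumPasswordAge'
        MaximumPasswordAge    = & $get 'MaximumPasswordAge'     # -1 in the INF means "never expires"
        PasswordComplexity    = (& $get 'PasswordComplexity') -eq 1
    }
}

function Set-LocalPasswordPolicy {
    param([ValidateRange(0,128)] [int]$MinLength = 14,
          [ValidateRange(0,998)] [int]$MinAgeDays = 1,
          [ValidateRange(0,999)] [int]$MaxAgeDays = 0,   # 0 = never expire
          [bool]$Complexity = $true)
    if ($MaxAgeDays -ne 0 -and $MinAgeDays -ge $MaxAgeDays) {
        throw 'Minimum password age must be less than maximum password age unless maximum is 0.'
    }
    $max = if ($MaxAgeDays -eq 0) { 'unlimited' } else { $MaxAgeDays }
    net.exe accounts /minpwlen:$MinLength /minpwage:$MinAgeDays /maxpwage:$max | Out-Null

    # Complexity only exists in the security template; write a minimal INF and apply it.
    $cfg = Join-Path $env:TEMP 'pwcomplexity.inf'
    $db  = Join-Path $env:TEMP 'pwcomplexity.sdb'
    @"
[Unicode]
Unicode=yes
[System Access]
PasswordComplexity = $([int]$Complexity)
[Version]
signature="`$CHICAGO`$"
Revision=1
"@ | Set-Content -Path $cfg -Encoding Unicode
    secedit.exe /configure /db $db /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    Remove-Item $cfg, $db -Force -ErrorAction SilentlyContinue
}

Set-LocalPasswordPolicy -MinLength 14 -MinAgeDays 1 -MaxAgeDays 0 -Complexity $true
Get-LocalPasswordPolicy
```

A minimum length above 14 is only accepted once the "Relax minimum password length limits" setting described above is enabled; without it net accounts rejects the value.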

Set password protected screen saver 

This security setting enables or disables the screen saver, with or without a password. Enabling the Set Password Screen Saver Policy adds/creates the settings listed in the Policy Details section and causes the ThreatLocker Agent to monitor them and reset them if they are changed. 

Disabling the Set Password Screen Saver Policy will leave the policy settings in the state they were in before the policy was disabled. Monitoring in the agent will not be performed. 

Setting Policy Not Configured will remove the screen saving registry settings and stop monitoring of the items in the Policy. 

The screen saver section of the Screen Saver dialog in the Personalization or Display Control Panel is enabled or disabled depending on the state of the Screen Saver Active switch control. 

If the Screen Saver is Secure item is turned on, the user must log back into the computer once the screen saver is activated. The idle time (in minutes) can be set to determine when activating the screen saver and locking the endpoint should occur. 
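The three controls above (active, secure, idle time) map onto per-user policy values under HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop, which is where the equivalent Group Policy writes them. The following added example (not ThreatLocker's code) sets and checks them; note that the registry stores the timeout in seconds while the policy UI takes minutes:

```powershell
# Added example: password-protected screen saver for the current user.
$ssKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Set-SecureScreenSaver {
    param([ValidateRange(1,60)] [int]$IdleMinutes = 15,
          [string]$ScreenSaver = 'scrnsave.scr')   # the blank saver shipped with Windows
    if (-not (Test-Path $ssKey)) { New-Item -Path $ssKey -Force | Out-Null }
    # All values are REG_SZ in the policy hive, matching what the GPO writes.
    Set-ItemProperty $ssKey ScreenSaveActive    '1' -Type String
    Set-ItemProperty $ssKey ScreenSaverIsSecure '1' -Type String
    Set-ItemProperty $ssKey ScreenSaveTimeOut   ([string]($IdleMinutes * 60)) -Type String   # seconds
    Set-ItemProperty $ssKey SCRNSAVE.EXE        $ScreenSaver -Type String
}

function Test-SecureScreenSaver {
    # $true when the saver is on, requires a password, and fires within $MaxIdleMinutes.
    param([int]$MaxIdleMinutes = 15)
    $p = Get-ItemProperty $ssKey -ErrorAction SilentlyContinue
    if (-not $p) { return $false }
    $timeout = [int]$p.ScreenSaveTimeOut
    [bool]($p.ScreenSaveActive -eq '1' -and $p.ScreenSaverIsSecure -eq '1' -and
           $timeout -gt 0 -and $timeout -le ($MaxIdleMinutes * 60))
}

Set-SecureScreenSaver -IdleMinutes 10
Test-SecureScreenSaver -MaxIdleMinutes 15
```

These values apply to the user whose hive is loaded when the script runs; enforcing them for every user means loading each profile hive or deploying through a mechanism that runs in user context, which is what the agent-based policy above does for you.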

Turn off Windows Default Printer Management 

The "Turn off Windows default printer management" setting allows you to control whether Windows automatically changes your default printer based on the last one you used. 

When this policy is Enabled: Windows will not manage or change the default printer automatically. You get to pick and keep a printer as your default, and it will not switch even if you use other printers. 

When this policy is Disabled: Windows will manage your default printer for you, setting the most recently used printer as your default each time you print to a different one. 

When this policy is set to Not Configured: Windows automatically manages the default printer by setting the most recently used printer as the default. So, if you print to a different printer, Windows will set that one as the new default. It should be noted this is default behavior. 

Note: When deleting this policy, it is recommended that the policy is set to "Not Configured" and policies are deployed before Registry Value(s) 

OS Security

Clear virtual memory pagefile on reboot 

This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. 

Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when the system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile. When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. 

Configure universal plug and play (UPnP)

This security setting allows you to control how devices on your network communicate with each other using Universal Plug and Play (UPnP). 

When UPnP is enabled, devices such as game consoles, printers, and smart home devices can find and connect to each other without manual setup. It lets devices share resources like files and media, permitting them to work together seamlessly. 

Disabling this policy on devices could cause the devices to have limited or no ability to discover and communicate with each other automatically, which could require manual configuration for some networked features. 

Remote Desktop Services (RDS) - Allow users to connect remotely 

This policy setting allows you to configure remote access to computers by using Remote Desktop Services. 

If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services. 

If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections. 

If you set this policy to not configured, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. 

Note:  

  • On Windows Client versions (e.g., Windows 10, Windows 11): The default behavior is to deny Remote Desktop Connections. 
  • On Windows Server versions (e.g., Windows Server 2019, 2022): The default behavior is to allow Remote Desktop connections. 

Reset Print Spooler ImagePath 

This Configuration Manager policy is used to update the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler ImagePath Value. Delete this policy to disable or remove it. 

Set Windows Desktop/Logon Screen Image 

This setting lets you specify the desktop and/or logon screen image on users' desktops and prevents users from changing the image or its presentation. 

To use this setting, type the fully qualified URL path in the Desktop Image Location and/or the fully qualified URL path in the Logon Screen Image Path. 

Enable Set Windows Desktop/Logon Screen Image Policy: Will use the URL Path that is set for desktop and/or logon screen below and set it as the background image. This will also monitor that the background is not changed. 

Disable Set Windows Desktop/Logon Screen Image Policy: Will leave the current set desktop and/or logon screen background, along with the wallpaper style and will not monitor for an image change. 

Set Policy Not Configured: Will leave the current wallpaper background image and wallpaper style. The logon screen background will be reverted to the previous image and monitoring for an image change will not occur. 

Set Windows logon message 

This security setting specifies the interactive logon message displayed to users attempting to log on, and the title that appears in the title bar of the window containing that message. 

This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. 

Turn off autoplay (AutoRun) 

Autoplay begins reading from a drive as soon as you insert media into the drive. As a result, executable files on the media start immediately. 

Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including zip drives and some USB mass storage devices. 

If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or on all drives, depending on the option selected. This policy setting disables Autoplay on additional types of drives. You can't use this setting to enable Autoplay on drives on which it is disabled by default. 

If you disable or do not configure this policy setting, AutoPlay is enabled. 

Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. 
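Most of the OS Security policies in this section (pagefile clearing, Remote Desktop, the Print Spooler ImagePath from the policy above, the logon message, AutoPlay) and the PrintNightmare policy earlier on the page reduce to a registry value or a service state that the agent keeps in spec. The following added example (not the ThreatLocker agent) is a drift report over those values that only writes when asked; the expected values are illustrative choices for a workstation, and the logon banner text is a placeholder:

```powershell
# Added example: report and optionally enforce OS Security settings. Run as Administrator.
$osBaseline = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Name = 'ClearPageFileAtShutdown'; Value = 1; Type = 'DWord' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'; Name = 'fDenyTSConnections'; Value = 1; Type = 'DWord' }   # 1 = RDP off (client default)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Spooler'; Name = 'ImagePath'; Value = '%SystemRoot%\System32\spoolsv.exe'; Type = 'ExpandString' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'LegalNoticeCaption'; Value = 'Authorized use only'; Type = 'String' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'LegalNoticeText'; Value = 'Activity on this system is monitored.'; Type = 'String' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Value = 255; Type = 'DWord' }   # 0xFF = AutoPlay off on every drive type
)

function Test-OsBaseline {
    param([switch]$Enforce)
    foreach ($s in $osBaseline) {
        $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        # Get-ItemProperty expands REG_EXPAND_SZ, so expand the expected value before comparing.
        $expected = if ($s.Type -eq 'ExpandString') { [Environment]::ExpandEnvironmentVariables($s.Value) } else { $s.Value }
        $inSpec = ("$actual" -ieq "$expected")
        [pscustomobject]@{ Setting = "$($s.Path)\$($s.Name)"; Expected = $expected; Actual = $actual; InSpec = $inSpec }
        if ($Enforce -and -not $inSpec) {
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type $s.Type
        }
    }
    # PrintNightmare (CVE-2021-34527): spooler stopped and disabled where printing is not needed.
    $spool = Get-Service -Name Spooler
    $spoolOk = ($spool.Status -eq 'Stopped' -and $spool.StartType -eq 'Disabled')
    [pscustomobject]@{ Setting = 'Service\Spooler'; Expected = 'Stopped/Disabled'; Actual = "$($spool.Status)/$($spool.StartType)"; InSpec = $spoolOk }
    if ($Enforce -and -not $spoolOk) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}

Test-OsBaseline | Format-Table -AutoSize
# Test-OsBaseline -Enforce | Format-Table -AutoSize
```

The ImagePath check is the interesting one for incident response: a spooler (or any service) whose ImagePath points anywhere other than its expected binary is a persistence mechanism, and resetting it without also capturing the previous value loses the indicator. Record the Actual column before enforcing.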

Windows keylogger control 

This setting controls whether Windows records keystroke data. This data can include text entered in documents, passwords, and other sensitive information, which may be used for diagnostic purposes or to improve user experience. 

When Windows Keylogger is disabled, Windows is prevented from recording and logging keystrokes. This ensures that your keyboard inputs, including personal and sensitive data, are not captured or stored by the operating system. Disabling the keylogger enhances privacy and security by limiting the collection of user data.

Data I/O Security

Schedule Secure Free Space Delete 

When this configuration is set, the computers the policy is assigned to will run Secure Free-Space Delete on the location the policy specifies. 

Application Security

Configure downloaded office macros 

Setting this security setting to Enabled blocks the execution of macros in Office files downloaded from the internet or other untrusted sources, which mitigates the risk of macro-based attacks and improves the security posture of the organization's computing environment. 

When set to Disabled, Microsoft Office applications may allow macros downloaded from the internet or other untrusted sources to run without restriction. This means that if a user opens a document containing macros from such sources, the Office application will execute the macros as intended, without any warning or restriction. While macros can be useful for automating tasks, they can also be leveraged by malicious actors to deliver harmful payloads or execute malicious code on the user's computer. 

When set to Not Configured the policy will revert the registry values to the default value. In this case it will revert the VBAWarnings value to 2. 

Without this policy active, users may unknowingly expose their systems to security risks by running macros from untrusted sources. 

Configure OLE in Microsoft Office documents 

This security setting, when enabled, prevents Microsoft Office applications from embedding and executing Object Linking and Embedding (OLE) objects within documents, which helps reduce the risk of malware infection and unauthorized code execution. 

When Disabled or Not Configured, Microsoft Office applications may be able to use OLE to share data and functionality, potentially impacting the organization's security posture. While OLE can be used for integrating content, it also poses security risks as embedded objects may contain malicious code or links that could harm your computer. 

Configure powershell constrained language mode 

This security setting allows you to control the level of access and functionality available to PowerShell scripts, enhancing the security of your system. 

Enabling this policy will activate Constrained Language Mode, which restricts the use of certain PowerShell language elements and features in scripts. By limiting the capabilities of PowerShell scripts, Constrained Language Mode helps to mitigate potential security risks associated with malicious or unauthorized scripts, aligning with security best practices and compliance requirements. This setting helps prevent exploitation by malicious actors who might attempt to use advanced PowerShell features for unauthorized actions, such as code injection or privilege escalation. 

Disabling or Not Configuring this policy allows PowerShell scripts to run with full access to all language elements and features without any restrictions imposed by Constrained Language Mode. It also provides users with the flexibility to utilize the full capabilities of PowerShell scripting, including advanced features and functionality. 
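A quick way to see what Constrained Language Mode actually removes is to run a probe in a child PowerShell with the lockdown variable set. The following added example (not the ThreatLocker policy's mechanism, whose implementation the article does not describe) does that and also shows the simplest system-wide switch. The caveat a practitioner needs: the __PSLockdownPolicy environment variable is a mitigation, not a security boundary, because anything able to edit the machine environment can clear it; a WDAC or AppLocker script-enforcement policy is what makes CLM stick.

```powershell
# Added example: observe Constrained Language Mode and set it machine-wide.
function Test-ConstrainedLanguage {
    # Probe runs in a child process so the current session is unaffected.
    $probe = {
        $ExecutionContext.SessionState.LanguageMode          # expect ConstrainedLanguage
        try { [System.Net.WebClient]::new() | Out-Null; 'WebClient: allowed' }
        catch { 'WebClient: blocked (' + $_.Exception.Message.Split("`n")[0] + ')' }
        try { Add-Type -TypeDefinition 'public class Probe {}'; 'Add-Type: allowed' }
        catch { 'Add-Type: blocked' }
        try { $null = [Runtime.InteropServices.Marshal]::AllocHGlobal(16); 'Marshal: allowed' }
        catch { 'Marshal: blocked' }
        # Core types and cmdlets still work, which is why ordinary admin scripts keep running:
        'Math.Max: ' + [Math]::Max(1, 2)
        'Get-Process: ' + (Get-Process -Id $PID).Name
    }
    $env:__PSLockdownPolicy = '4'
    try { powershell.exe -NoProfile -NonInteractive -Command $probe.ToString() }
    finally { Remove-Item Env:\__PSLockdownPolicy -ErrorAction SilentlyContinue }
}

function Set-SystemWideLockdown {
    # Machine-scope variable read by every new PowerShell process. Pass -Remove to clear it.
    param([switch]$Remove)
    $value = if ($Remove) { $null } else { '4' }
    [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', $value, 'Machine')
}

Test-ConstrainedLanguage
```

Expect the probe to report ConstrainedLanguage and block WebClient, Add-Type and Marshal while the last two lines succeed. That is the trade-off the policy makes: download cradles, in-memory compilation and P/Invoke stop working, and so do any of your own scripts that rely on them, which is why CLM is usually paired with a signed-script allowlist rather than enabled on its own.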

Configure VBA Macro execution for Microsoft Office applications 

The "Configure VBA Macro execution for Microsoft Office applications" Group Policy is a setting that lets IT administrators turn off the use of VBA (Visual Basic for Applications) in Microsoft Office apps like Word, Excel, and PowerPoint. VBA is a programming tool that allows users to create macros, which can automate tasks or perform certain actions in these apps. 

When this policy is Enabled, VBA is completely disabled, meaning users won't be able to run or create macros in Office applications. This is often done to enhance security, as macros can sometimes be used to run harmful code in documents. 

When this policy is Disabled or Not Configured, it means that VBA (Visual Basic for Applications) will remain enabled in Microsoft Office apps like Word, Excel, and PowerPoint. Users will have full access to VBA and can use or create macros as needed, which is helpful for automating tasks but might pose a security risk if macros from untrusted sources are used.
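The two macro policies above ("Configure downloaded office macros" and this one) are the Office policy values VBAWarnings, BlockContentExecutionFromInternet and VbaOff. The following added example (not ThreatLocker's code) writes them for Word, Excel and PowerPoint under the Office 16.0 policy key, which is what the Office ADMX templates use; it assumes Office 2016 or later:

```powershell
# Added example: Office macro policy values for the current user.
$apps = 'Word', 'Excel', 'PowerPoint'
$officeVersion = '16.0'   # Office 2016/2019/2021 and Microsoft 365 Apps

function Set-OfficeMacroPolicy {
    param(
        # VBAWarnings: 1 enable all, 2 disable with notification (Office default),
        # 3 disable except digitally signed, 4 disable all without notification
        [ValidateSet(1,2,3,4)] [int]$VBAWarnings = 4,
        [bool]$BlockInternetMacros = $true,   # the "downloaded office macros" policy
        [bool]$DisableVBA = $false            # this policy: no VBA at all, any source
    )
    foreach ($app in $apps) {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        if (-not (Test-Path $sec)) { New-Item -Path $sec -Force | Out-Null }
        Set-ItemProperty $sec VBAWarnings $VBAWarnings -Type DWord
        Set-ItemProperty $sec BlockContentExecutionFromInternet ([int]$BlockInternetMacros) -Type DWord
    }
    $common = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Common"
    if (-not (Test-Path $common)) { New-Item -Path $common -Force | Out-Null }
    Set-ItemProperty $common VbaOff ([int]$DisableVBA) -Type DWord
}

function Get-OfficeMacroPolicy {
    $common = Get-ItemProperty "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Common" -ErrorAction SilentlyContinue
    foreach ($app in $apps) {
        $p = Get-ItemProperty "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = if ($null -ne $p.VBAWarnings) { $p.VBAWarnings } else { 2 }   # unset = Office default
            BlockInternetMacros = [bool]$p.BlockContentExecutionFromInternet
            VBADisabled         = [bool]$common.VbaOff
        }
    }
}

Set-OfficeMacroPolicy -VBAWarnings 3 -BlockInternetMacros $true
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Values under the Policies key override whatever the user sets in the Trust Center (which lives under HKCU\Software\Microsoft\Office\...\Security), so a user cannot lower them. VBAWarnings 3 with the internet block on is the usual compromise when signed in-house macros must keep working; VbaOff removes the engine entirely and is the option to choose where no macros are needed.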

Configure web browser developer tools access 

Enabling this security policy prevents users from opening the web browser's developer tools, which can otherwise be used from the endpoint to inspect and modify page content, scripts, cookies and stored data, or to debug and alter the behavior of web applications. 

Blocking unauthorized debugging or modification of web content in the browser reduces the risk of sensitive data exposure and tampering, for both users and administrators. 

Require user authentication for remote connections (NLA) 

Important: Disabling this policy setting provides less security because user authentication will occur later in the remote connection process. 

This policy allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. It enhances security by requiring that user authentication occur earlier in the remote connection process. 

Enable Policy: Only client computers that support Network Level Authentication can connect to the RD Session Host server. To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase Network Level Authentication supported. 

Disable Policy: Network Level Authentication will be set to not required for user authentication before allowing remote connections to the RD Session Host server and not monitor any local changes to the computer. 

Not Configured: Computer will remain in its current state and will not be monitored for any policy changes on the local computer. 

Note: On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default. 

Turn off multicast name resolution (mDNS) (LLMNR)

Link Local Multicast Name Resolution (LLMNR) is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration and also provides name resolution in scenarios in which conventional DNS name resolution is not possible. 

Enable Policy: LLMNR will be disabled on all available network adapters on the client computer, and be monitored for changes. 

Disable Policy: Configuration will remain in its current state and will not be monitored for changes to the local computer. 

Not Configured: LLMNR will be enabled on all available network adapters and will not be monitored for changes to the local computer. 

Network Protocol Security

Allow local system to use computer identity for NTLM (NetBios) 

This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. 

Enabled: Services running as Local System that use Negotiate will use the computer identity. This may cause some authentication requests between Windows operating systems to fail and log an error. The configuration will be monitored on the local computer. 

Disabled: Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. The configuration will not be monitored on the local computer. 

Not Configured: Reverts the policy to the default settings outlined below, and the configuration will not be monitored on the local computer. 

Default: Windows 7 and above - policy is enabled, Windows Vista - policy is disabled 

Note: This policy is supported on Windows Vista and Windows Server 2008 or above, but Windows Vista and Windows Server 2008 do not expose this setting in Group Policy. 

Configure internet group management protocol (IGMP) 

Internet Group Management Protocol (IGMP) is a protocol used in IPv4 networks to manage multicast group memberships. Multicasting is a way to efficiently send data to multiple recipients simultaneously. 

Enabled: Disables IGMP on the computer or network device and monitors for changes. 

Disabled: Configurations are left in their current state and are not monitored for changes. 

Not Configured: Enables IGMP on the computer or network device and does not monitor for changes. 

Configure IPv6 

When enabled, this policy will turn off (disable) all IPv6 communications over the internet for the selected machines. 

Configure LAN manager authentication level (LM NTLM) 

This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: 

  • Send LM & NTLM Responses: Clients use LM and NTLM authentication and never use NTLMv2 session security. Domain Controllers accept LM, NTLM, and NTLMv2 authentication. 
  • Send LM & NTLM - Use NTLMv2 Session Security if Negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it. Domain Controllers accept LM, NTLM, and NTLMv2 authentication. 
  • Send NTLM Response Only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it. Domain Controllers accept LM, NTLM, and NTLMv2 authentication. 
  • Send NTLMv2 Response Only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain Controllers accept LM, NTLM, and NTLMv2 authentication. 
  • Send NTLMv2 Response Only\Refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain Controllers refuse LM, and only accept NTLM, and NTLMv2 authentication. 
  • Send NTLMv2 Response Only\Refuse LM & NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain Controllers refuse LM and NTLM, and only accept NTLMv2 authentication. 

Important: This setting can affect the ability of computers running Windows Server 2000, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. 

Default: 

  • Windows 2000 and Windows XP - Send LM & NTLM responses 
  • Windows Server 2003 - Send NTLM response only 
  • Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 - Send NTLMv2 response only 
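The six options above correspond to the LmCompatibilityLevel values 0 through 5. The following PowerShell snippet is an added example (not ThreatLocker's code) that reports which option a machine is currently on and flags anything weaker than "Send NTLMv2 Response Only\Refuse LM & NTLM"; it assumes the standard location of this setting, the LmCompatibilityLevel REG_DWORD under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa.

```powershell
# Added example (not ThreatLocker's code): report the effective
# "LAN Manager authentication level" and flag anything weaker than level 5.
# Assumes the standard location of this setting, the LmCompatibilityLevel
# REG_DWORD under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa.

$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only\Refuse LM'
    5 = 'Send NTLMv2 response only\Refuse LM & NTLM'
}

function Get-LmAuthenticationLevel {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $key -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Value absent: the operating-system default applies. Every default
        # listed in the article is level 3 or lower, so treat this as needing review.
        return [pscustomobject]@{
            Level = $null
            Name  = 'Not set (OS default applies)'
            Weak  = $true
        }
    }

    $level = [int]$item.LmCompatibilityLevel
    [pscustomobject]@{
        Level = $level
        Name  = $LmLevels[$level]
        # Below level 5, domain controllers still accept LM or NTLM responses.
        Weak  = ($level -lt 5)
    }
}

$result = Get-LmAuthenticationLevel
$result | Format-List

if ($result.Weak) {
    Write-Warning "LM/NTLM responses still accepted or level unset; target level 5 ($($LmLevels[5]))."
}
```

Run it on a representative client and on a domain controller separately, since the level the DC accepts and the level the client sends are both governed by this one value on each machine.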

Configure SMB v1 

When enabled, this policy will disable Server Message Block (SMB) version 1 on the selected machines. 

Configure TLS (transport layer security) protocols 

Transport Layer Security (TLS) protocols are cryptographic protocols that secure communication over a computer network. They ensure the privacy, integrity, and authenticity of data exchanged between applications such as web browsers and servers, email clients and servers, and other network-connected systems. 

Enable Transport Layer Security (TLS) protocols Policy: Enables the TLS Protocols that are toggled on below. 

Disable Transport Layer Security (TLS) protocols Policy: TLS protocols are left in their current state and are not monitored for changes. 

Not Configured: TLS protocols will return to their default settings and are not monitored for changes. 

Disable Local LM Hash Storage 

When this configuration is set, depending on where the policy is applied, it will disable local LM hash storage. 

Do not allow anonymous enumeration of SAM accounts 

This security setting determines what additional permissions will be granted for anonymous connections to the computer. 

Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. 

Do not allow anonymous enumeration of SAM accounts and shares 

WARNING: Modifying this setting may affect compatibility with clients, services, and applications. 

This security setting determines whether anonymous enumeration of SAM accounts and shares is permitted. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, enable this policy. 

Restrict NTLM: Audit Incoming NTLM Traffic 

This policy setting allows you to audit incoming NTLM traffic. 

Enabling the Audit incoming NTLM traffic policy allows users to select one of the options below and sets the machine to follow the selected option. The ThreatLocker Agent will monitor and enforce the selected option. 

Disabling the Audit incoming NTLM traffic policy keeps the currently selected option, and the ThreatLocker Agent will not monitor or enforce the selected option. 

Setting the policy to Not Configured removes the AuditIncomingNTLMTraffic registry value (the Windows default). The ThreatLocker Agent will no longer monitor the setting. 

NTLM Traffic Explained

  • Disable: The server will not log events for incoming NTLM traffic. 
  • Enable Auditing for Domain Accounts: The server will log events for NTLM pass-through authentication requests that would be blocked when the NTLM traffic option is set to "Deny all domain accounts". 
  • Enable Auditing for All Accounts: The server will log events for all NTLM authentication requests that would be blocked when the NTLM traffic option is set to "Deny all accounts". 

This policy is supported on at least Windows 7 or Windows Server 2008 R2. 

Note: Audit events are recorded on the computer in the Operational log located under Applications and Services Logs/Microsoft/Windows/NTLM. 

Restrict NTLM: Audit NTLM Authentication in this domain 

This policy setting allows you to audit NTLM authentication in a domain from this domain controller. 

Enabling the Audit NTLM authentication in this domain policy lets the user select an Authentication Setting that will apply to the machines in the selected "Applies To" scope. The ThreatLocker Agent will monitor the set value. 

Disabling the Audit NTLM authentication in this domain policy leaves the current value in place, and the ThreatLocker Agent will not monitor the set value. 

Setting the policy to Not Configured removes the AuditNTLMInDomain registry value (the Windows default). The ThreatLocker Agent will no longer monitor the set value. 

Authentication Settings Explained 

  • If you select "Disable" or do not configure this policy setting, the domain controller will not log events for NTLM authentication in this domain. 
  • If you select "Enable for domain accounts to domain servers," the domain controller will log events for NTLM authentication logon attempts for domain accounts to domain servers when NTLM authentication would be denied because "Deny for domain accounts to domain servers" is selected in the "Network security: Restrict NTLM: NTLM authentication in this domain" policy setting. 
  • If you select "Enable for domain accounts," the domain controller will log events for NTLM authentication logon attempts that use domain accounts when NTLM authentication would be denied because "Deny for domain accounts" is selected in the "Network security: Restrict NTLM: NTLM authentication in this domain" policy setting. 
  • If you select "Enable for domain servers" the domain controller will log events for NTLM authentication requests to all servers in the domain when NTLM authentication would be denied because "Deny for domain servers" is selected in the "Network security: Restrict NTLM: NTLM authentication in this domain" policy setting. 
  • If you select "Enable all" the domain controller will log events for NTLM pass-through authentication requests from its servers and for its accounts which would be denied because "Deny all" is selected in the "Network security: Restrict NTLM: NTLM authentication in this domain" policy setting. 

This policy is supported on at least Windows Server 2008 R2. 

Note: Audit events are recorded on this computer in the "Operational" log located under Applications and Services Logs/Microsoft/Windows/NTLM. 

Restrict NTLM: Incoming NTLM Traffic 

This policy setting allows you to deny or allow incoming NTLM traffic. 

Enabling the Incoming NTLM traffic policy lets the user select an Incoming NTLM Traffic Setting that will apply to the machines in the selected "Applies To" scope. The ThreatLocker Agent will monitor the set value. 

Disabling the Incoming NTLM traffic policy leaves the current value in place, and the ThreatLocker Agent will not monitor the set value. 

Setting the policy to Not Configured removes the RestrictReceivingNTLMTraffic registry value (the Windows default). The ThreatLocker Agent will no longer monitor the set value. 

Incoming NTLM Traffic Settings Explained 

  • If you select "Allow all incoming traffic" or do not configure this policy setting, the server will allow all NTLM authentication requests. 
  • If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. 
  • If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. 

This policy is supported on at least Windows 7 or Windows Server 2008 R2. 

Note: Block events are recorded on this computer in the "Operational" log located under Applications and Services Logs/Microsoft/Windows/NTLM. 

Restrict NTLM: Outgoing NTLM Traffic to Remote Servers 

This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or Windows Server 2008 R2 computer to any Windows remote server. 

Enabling the Outgoing NTLM traffic to remote servers policy lets the user select an Outgoing NTLM Traffic Setting that will apply to the machines in the selected "Applies To" scope. The ThreatLocker Agent will monitor the set value. 

Disabling the Outgoing NTLM traffic to remote servers policy leaves the current value in place, and the ThreatLocker Agent will not monitor the set value. 

Setting the policy to Not Configured removes the RestrictSendingNTLMTraffic registry value (the Windows default). The ThreatLocker Agent will no longer monitor the set value. 

Outgoing NTLM traffic to remote servers Settings Explained 

  • If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. 
  • If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. 
  • If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. 

This policy is supported on at least Windows 7 or Windows Server 2008 R2. 

Note: Audit and block events are recorded on this computer in the "Operational" log located under Applications and Services Logs/Microsoft/Windows/NTLM. 
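The usual rollout for the outgoing policy is to run "Audit all" first, collect the servers that still receive NTLM requests from the client, add the legitimate ones to the "Add remote server exceptions for NTLM authentication" list, and only then move to "Deny all". The PowerShell below is an added example (not ThreatLocker's code) that summarises those audit events by target server. It assumes the log name Microsoft-Windows-NTLM/Operational, the outgoing-audit event ID 8001, and a "Target server:" line in the event message; the three sample messages are constructed.

```powershell
# Added example (not ThreatLocker's code): count outgoing NTLM audit events per
# target server so the result can seed the remote-server exception list.
# Assumptions: log name Microsoft-Windows-NTLM/Operational, outgoing-audit
# event ID 8001, and a "Target server:" line in each event message.

function Get-NtlmTargetSummary {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string]$Message
    )
    begin { $counts = @{} }
    process {
        if ($Message -match 'Target server:\s*(?<spn>\S+)') {
            # Drop the service class (cifs/, HTTP/, ...) and case so one host counts once.
            $server = ($Matches['spn'] -split '/')[-1].ToLowerInvariant()
            $counts[$server] = 1 + [int]$counts[$server]
        }
    }
    end {
        $counts.GetEnumerator() |
            Sort-Object -Property Value -Descending |
            ForEach-Object {
                [pscustomobject]@{ Server = $_.Key; NtlmRequests = $_.Value }
            }
    }
}

# Constructed sample messages standing in for real 8001 event text.
$sampleMessages = @(
    "NTLM client blocked audit`nTarget server: cifs/fileserver01.corp.example`nSupplied user: alice",
    "NTLM client blocked audit`nTarget server: cifs/FILESERVER01.corp.example`nSupplied user: bob",
    "NTLM client blocked audit`nTarget server: HTTP/legacy-app.corp.example`nSupplied user: alice"
)
$sampleMessages | Get-NtlmTargetSummary | Format-Table -AutoSize

# Live data from a client that has been running with "Audit all":
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } |
#     Select-Object -ExpandProperty Message | Get-NtlmTargetSummary
```

Review each server that appears before adding it as an exception; a host that only needs NTLM because Kerberos is misconfigured (for example, a missing SPN) is better fixed than exempted.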

Security Logging and Monitoring

Configure memory dump file & recovery options 

Turning this security policy on optimizes your system's performance and enhances troubleshooting capabilities by setting up memory dump files and recovery options. 

By configuring these settings, you ensure that your computer efficiently manages memory crashes or system failures, minimizing downtime and data loss. This proactive approach allows you to quickly diagnose and address issues, improving overall system reliability and user experience. With tailored recovery options in place, you can swiftly recover from unexpected errors and resume normal operations, keeping productivity levels high. 

Note: The options below are identical to the options in the Startup & Recovery > System Failure section on the local PC. 

Enhance security logging

When Enabled, this policy will write enhanced security event logging to the local Windows Event Log. 

Note: The specific events that are logged can vary depending on the version of Windows and the configuration of the system, but generally, enabling enhanced security logging can result in more detailed logging of security-related activities. 
