Configure security policy settings
Applies to
Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.
You must have Administrators rights on the local device, or you must have the appropriate permissions to update a Group Policy Object (GPO) on the domain controller, to perform these procedures.
When a local setting is inaccessible, it indicates that a GPO currently controls that setting.
To configure a setting using the Local Security Policy console
To open Local Security Policy, on the Start screen, type secpol.msc, and then press ENTER.
Under Security Settings of the console tree, do one of the following:
- Click Account Policies to edit the Password Policy or Account Lockout Policy.
- Click Local Policies to edit an Audit Policy, a User Rights Assignment, or Security Options.
When you find the policy setting in the details pane, double-click the security policy that you want to modify.
Modify the security policy setting, and then click OK.
- Some security policy settings require that the device be restarted before the setting takes effect.
- Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
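To verify the result of the procedure above without reopening the console, here is an added PowerShell example (not from the original article) that exports the effective local security policy with secedit.exe and compares the Password Policy and Account Lockout Policy values against a baseline; the baseline numbers are assumed values for illustration only.

```powershell
# Added example (not part of the original article): export the local security policy
# with secedit and compare the Account Policies values against an expected baseline.
# Run from an elevated PowerShell session; the baseline values below are assumptions
# for illustration, not a recommendation taken from the article.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; is the session elevated?' }

# Parse the [System Access] section of the INF into a hashtable (Name = Value).
$systemAccess = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
        $systemAccess[$Matches[1]] = $Matches[2]
    }
}

# Expected baseline (assumed for this example), keyed by secedit's INF value names.
$expected = @{
    MinimumPasswordLength = 14   # Password Policy: Minimum password length
    PasswordComplexity    = 1    # Password Policy: complexity requirements enabled
    PasswordHistorySize   = 24   # Password Policy: Enforce password history
    LockoutBadCount       = 10   # Account Lockout Policy: Account lockout threshold
}

foreach ($name in $expected.Keys) {
    $actual = $systemAccess[$name]
    if ($null -eq $actual) {
        Write-Warning "$name is not present in the export"
    } elseif ([int]$actual -ne $expected[$name]) {
        Write-Warning ('{0}: actual {1}, expected {2}' -f $name, $actual, $expected[$name])
    } else {
        Write-Output "$name = $actual (OK)"
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Because the export reflects the policy currently in force, a value that differs from what you set locally usually means a GPO controls that setting, as noted above.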
To configure a security policy setting using the Local Group Policy Editor console
You must have the appropriate permissions to install and use the Microsoft Management Console (MMC), and to update a Group Policy Object (GPO) on the domain controller, to perform these procedures.
Open the Local Group Policy Editor (gpedit.msc).
In the console tree, click Computer Configuration, click Windows Settings, and then click Security Settings.
Do one of the following:
- Click Account Policies to edit the Password Policy or Account Lockout Policy.
- Click Local Policies to edit an Audit Policy, a User Rights Assignment, or Security Options.
In the details pane, double-click the security policy setting that you want to modify.
If this security policy has not yet been defined, select the Define these policy settings check box.
Modify the security policy setting, and then click OK.
If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console.
To configure a setting for a domain controller
The following procedure describes how to configure a security policy setting for only a domain controller (from the domain controller).
To open the domain controller security policy, in the console tree, locate GroupPolicyObject [ComputerName] Policy, click Computer Configuration, click Windows Settings, and then click Security Settings.
Do one of the following:
- Double-click Account Policies to edit the Password Policy, Account Lockout Policy, or Kerberos Policy.
- Click Local Policies to edit the Audit Policy, a User Rights Assignment, or Security Options.
In the details pane, double-click the security policy that you want to modify.
If this security policy has not yet been defined, select the Define these policy settings check box.
Modify the security policy setting, and then click OK.
- Always test a newly created policy in a test organizational unit before you apply it to your network.
- When you change a security setting through a GPO and click OK, that setting takes effect the next time you refresh the settings.
Group policy settings for Desktop Analytics
Applies to: Configuration Manager (current branch)
This article details the local and group policy settings in Windows that Configuration Manager and Desktop Analytics use.
When Configuration Manager enrolls devices into Desktop Analytics, it sets Windows policies to configure the device. In most circumstances, only use Configuration Manager to configure these settings.
Windows settings
Configuration Manager sets Windows policies in one or both of the following registry keys:
Group policy object (GPO): HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection
Local policy preference: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection
Policy | Path | Applies to | Value |
---|---|---|---|
CommercialId | Local | All Windows versions | In order for a device to show up in Desktop Analytics, configure it with your organization’s Commercial ID. |
AllowTelemetry | GPO | Windows 10 | Set 1 for Basic (Required), 2 for Enhanced, or 3 for Full (Optional) diagnostic data. Desktop Analytics requires at least basic diagnostic data. Microsoft recommends that you use the Optional (limited) level (also known as Enhanced (Limited)) with Desktop Analytics. For more information, see Configure Windows diagnostic data in your organization. |
LimitEnhancedDiagnosticDataWindowsAnalytics | GPO | Windows 10, version 1803 and later | This setting only applies when the AllowTelemetry setting is 2. It limits the Enhanced diagnostic data events sent to Microsoft to just those events needed by Desktop Analytics. For more information, see Windows 10 diagnostic data events and fields collected through the limit enhanced diagnostic data policy. |
AllowDeviceNameInTelemetry | GPO | Windows 10, version 1803 and later | Enable devices to send the device name. The device name isn't sent to Microsoft by default. If you don't send the device name, it appears in Desktop Analytics as "Unknown". For more information, see Device name. |
CommercialDataOptIn | Local | Windows 8.1 and earlier | Desktop Analytics requires a value of 1. For more information, see Commercial Data Opt-in in Windows 7. |
RequestAllAppraiserVersions | Both | Windows 8.1 and earlier | Desktop Analytics requires a value of 1 for data collection to work correctly. |
DisableEnterpriseAuthProxy | GPO | All Windows versions | If your environment requires a user-authenticated proxy with Windows Integrated Authentication for internet access, Desktop Analytics requires a value of 0 for data collection to work correctly. For more information, see Proxy server authentication. |
When you configure the diagnostic data level, you set the upper boundary for the device. By default in Windows 10, version 1803 and later, users can choose to set a lower level. You can control this behavior using the group policy setting, Configure telemetry opt-in setting user interface.
Starting in version 2006, Configuration Manager sets the following Windows policy in preparation for an upcoming option that lets enterprise customers control their Windows diagnostic data:
Policy | Path | Applies to | Value |
---|---|---|---|
AllowDesktopAnalyticsProcessing | GPO | Windows 10, version 1809 and later | Desktop Analytics requires a value of 2 for data collection to work correctly. |
Starting in version 2010, Configuration Manager can configure the Optional (limited) level on the devices running Windows build version 19577 or later. For more information, see Changes to Windows diagnostic data collection. For this diagnostic data level, Configuration Manager sets the following settings:
Policy | Value |
---|---|
AllowTelemetry | 3 for Optional (limited) |
LimitDumpCollection | 1 |
LimitDiagnosticLogCollection | 1 |
LimitEnhancedDiagnosticDataWindowsAnalytics | 1 |
In most circumstances, only use Configuration Manager to configure these settings. Don’t also apply these settings in domain group policy objects. For more information, see Conflict resolution.
Settings from Upgrade Readiness
Windows Analytics also set the following policies through the Upgrade Readiness script:
- CommercialId
- AllowDeviceNameInTelemetry
- CommercialDataOptIn
- RequestAllAppraiserVersions
If you ran the Upgrade Readiness onboarding script on a device, these policy settings may still exist. Don’t use the legacy script. Before you enroll the device to Desktop Analytics, remove these previous policy settings.
Group policy settings
In general, use Configuration Manager collections to target Desktop Analytics settings and enrollment. Use direct membership or queries to include or exclude devices from the collection. For more information, see How to create collections.
Configuration Manager configures the commercial ID and diagnostic data settings on your target collection. If you need different diagnostic data settings for different groups of devices, use group policy settings to override the Configuration Manager settings. For example, you may need to set the Optional (limited) level for some devices and Required for others, or some devices may have different proxy server authentication settings.
The relevant group policy settings are at the following path: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds.
Group policy settings only modify registry settings in the following key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection
Conflict resolution
When you use group policy settings to enable complex scenarios, pay special attention to policy settings that can cause configuration conflicts. Configuration Manager only configures Windows settings if the value doesn’t already exist. Mobile device management (MDM) policies and group policy settings take precedence over Configuration Manager settings, so certain policy configurations could cause issues with Desktop Analytics. Status for devices targeted with MDM and group policy settings may not be accurately reflected in the Connection health dashboard.
The group policy settings in the following table have the greatest potential to cause conflict with the Windows settings that Configuration Manager sets on devices it enrolls to Desktop Analytics:
Display name | Registry value | Effect on devices enrolled in Desktop Analytics |
---|---|---|
Configure the Commercial ID | CommercialId | If you set this policy to a different value, it overrides the Commercial ID set by Configuration Manager. If it’s not the same ID, configured devices may not appear in Desktop Analytics. |
Allow telemetry | AllowTelemetry | If you set this policy to a different value, it overrides the global diagnostic data level that you set in Configuration Manager for the target collection. |
Limit Enhanced diagnostic data to the minimum required by Windows Analytics | LimitEnhancedDiagnosticDataWindowsAnalytics | This policy is dependent upon the prior AllowTelemetry setting. Depending upon the level you set in Configuration Manager or with group policy, this policy can change the diagnostic data level on the device to Enhanced or Enhanced (Limited). This policy only applies if AllowTelemetry is set to 2 (Enhanced). |
Allow device name to be sent in Windows diagnostic data | AllowDeviceNameInTelemetry | If you opt in to send device names in Configuration Manager, you can override it by configuring this policy to Disabled. When you disable this setting, device names appear as "Unknown" in Desktop Analytics. For more information, see Device name. |
Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service | DisableEnterpriseAuthProxy | If you configure Configuration Manager devices to use a user-authenticated proxy (0), and you then configure this policy to Disable Authenticated Proxy usage (1), the device sends diagnostic data in the system context instead of the user's context. If you don't configure the device with a proxy in the system context, or the device can't authenticate to the proxy, Windows can't send diagnostic data to Desktop Analytics. |
Allow Desktop Analytics Processing | AllowDesktopAnalyticsProcessing | If you configure this policy to Disabled (0), devices may not appear in Desktop Analytics. |
The legacy policy Configure Connected User Experiences and Telemetry (TelemetryProxy) allows Windows to forward diagnostic data to a dedicated proxy, instead of using the user (WinINET) or device (WinHTTP) proxy. Some Windows components don’t support this policy. If you use this policy, it may cause data quality issues in Desktop Analytics.
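To see how the two registry paths from the Windows settings section combine on a given device, here is an added PowerShell example (not part of the article or of Configuration Manager) that reads both DataCollection keys, applies the precedence rule from this section (the group policy path wins over the local policy preference that Configuration Manager writes), and flags the conflicts the tables above describe:

```powershell
# Added example, not part of the article or of Configuration Manager: report the
# effective value of each Desktop Analytics policy from the two registry paths the
# article lists, applying its rule that the group policy path takes precedence.
$gpoPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$localPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$policies = @('CommercialId', 'AllowTelemetry', 'LimitEnhancedDiagnosticDataWindowsAnalytics',
              'AllowDeviceNameInTelemetry', 'DisableEnterpriseAuthProxy',
              'AllowDesktopAnalyticsProcessing')

$effective = @{}
foreach ($p in $policies) {
    $gpo = Get-RegValue $gpoPath $p
    $loc = Get-RegValue $localPath $p
    $effective[$p] = if ($null -ne $gpo) { $gpo } else { $loc }
    $source = if ($null -ne $gpo) { 'GPO' } elseif ($null -ne $loc) { 'Local' } else { 'not set' }
    if ($null -ne $gpo -and $null -ne $loc -and "$gpo" -ne "$loc") {
        # Both paths hold a value and they differ: group policy wins, and Configuration
        # Manager will not rewrite its value because one already exists.
        Write-Warning "$p : GPO value '$gpo' overrides local value '$loc'"
    }
    Write-Output ('{0,-45} {1,-8} {2}' -f $p, $source, $effective[$p])
}

# Sanity checks taken from the article's tables.
if ([string]::IsNullOrEmpty($effective['CommercialId'])) {
    Write-Warning 'CommercialId is not set: the device will not show up in Desktop Analytics'
}
$at = $effective['AllowTelemetry']
if ($null -eq $at -or [int]$at -lt 1) {
    Write-Warning 'AllowTelemetry is below Basic (1): Desktop Analytics needs at least Basic'
}
$dap = $effective['AllowDesktopAnalyticsProcessing']
if ($null -ne $dap -and [int]$dap -ne 2) {
    Write-Warning "AllowDesktopAnalyticsProcessing is $dap, expected 2 (0 means Disabled)"
}
if ($effective['DisableEnterpriseAuthProxy'] -eq 1) {
    Write-Warning 'DisableEnterpriseAuthProxy = 1: data is sent in the system context, so a system-context proxy must be reachable'
}
```

Run it from an elevated session on an enrolled device; a policy reported as "not set" in the GPO path but present locally is the normal Configuration Manager state, while a differing GPO value is the conflict case the Connection health dashboard may not reflect.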
Behavior of disabled settings
Configuring these group policy settings to Disabled has different effects on system behavior, depending on where each setting is stored.
When you disable the CommercialId policy, Windows removes the registry value. The Configuration Manager setting for the commercial ID, which is set in the local policy registry path, then applies to the device.
For policies that Configuration Manager sets in the same registry location as group policy, when you disable the setting in group policy, Windows removes the registry value. Configuration Manager will set it again on its next policy processing cycle, and then Windows will remove it on the next group policy refresh. This constant change in configuration may cause undesired behaviors with Desktop Analytics.
- If you set these group policy settings to Not configured, Windows removes the value once but doesn’t continue to remove it. This configuration lets Configuration Manager apply its values as expected.
Group policy settings to customize the user experience
These group policy settings aren’t required by Configuration Manager or Desktop Analytics. You can configure them in group policy to configure your users’ experience with Windows diagnostic data.