    Configuration

The management runtime is configured through registry values under the registry key HKLM\Software\Policies\Microsoft Services\AdmPwd.
Registry values are configured via GPO or DSC, or by any other means that keeps the registry configuration in place.

    Currently the following configuration values are supported:

| Value | Type | Meaning | Managed by policy |
|---|---|---|---|
| AdmPwdEnabled | REG_DWORD | Setting to non-zero enables the solution. The resulting policy must have this value set to non-zero for the solution to work on the managed machine. | Enable local admin password management |
| AdminAccountName | REG_SZ | Name of the local account whose password is managed. If not configured, the CSE manages the built-in Administrator account regardless of its name (it is detected via its well-known SID). | Customize administrator account name |
| ManualPasswordChangeProtectionEnabled | REG_DWORD | Setting to zero disables protection against manual changes of the managed local administrator password. If not configured or set to non-zero, protection is active. | Protect against manual changes of password |
| LogLevel | REG_DWORD | Logging level on clients. Supported values are specified in Logging. If not configured, the default is 0. | Logging level |
| PasswordLength | REG_DWORD | Length of the generated password. Minimum: 8, maximum: 64, default: 12. | Password Settings |
| PasswordComplexity | REG_DWORD | Complexity of the generated password. Minimum: 1, maximum: 4, default: 4. Meaning of values: 1 = uppercase letters; 2 = uppercase + lowercase letters; 3 = uppercase + lowercase letters + numbers; 4 = uppercase + lowercase letters + numbers + special characters. | Password Settings |
| PasswordAge | REG_DWORD | Age of the password in hours. Minimum: 1, maximum: 9999, default: 720 (30 days). | Password Settings |
| MaxPasswordAge | REG_DWORD | Maximum configurable password age in hours. When configured, PasswordAge cannot exceed this value. Minimum: 1, maximum: no limit, default: 8760 (1 year). | Maximum Configurable Password Age |
| PublicKey | REG_SZ | Base64-encoded public key for password encryption. This is a CryptoAPI key, used by clients up to v7.5.1.0. Get the key via the PowerShell cmdlet Get-AdmPwdPublicKey. | Password encryption |
| EncryptionKey | REG_SZ | Base64-encoded public key for password encryption. This is a CNG key, used by clients v7.5.2.0 and newer. Get the key via the PowerShell cmdlet Get-AdmPwdPublicKey. | Password encryption |
| PwdExpirationProtectionEnabled | REG_DWORD | Whether the CSE enforces that the password age is aligned with the PasswordAge parameter. If set to non-zero and the password expiration time set on the computer exceeds the PasswordAge policy, the password is reset upon the next GPO refresh and the expiration is set according to policy. | Do not allow password expiration time longer than required by policy |
| PwdEncryptionEnabled | REG_DWORD | Whether or not password encryption is enabled. Default: No. | Password encryption |
| PwdHistoryEnabled | REG_DWORD | Whether or not to maintain password history for the computer. | Maintain history of passwords |
| BuiltInAdminState | REG_DWORD | Desired state of the built-in local admin account on the managed machine. Meaning of values: 0 = built-in admin account is kept Disabled; 1 = built-in admin account is kept Enabled. | Desired state of built-in admin account |
| ReportingEnabled | REG_DWORD | Allows centralized reporting of client activity. When enabled, managed machines send activity reports to the central collecting host. | Centralized client activity reporting |
| ReportingHost | REG_SZ | Fully Qualified Domain Name (FQDN) of the PDS host that collects client reports. Must be configured when centralized client reporting is enabled (see ReportingEnabled), and must be reachable over the network on UDP (for the port, see ReportingPort). | Centralized client activity reporting |
| ReportingPort | REG_DWORD | UDP port on which the centralized reporting collector listens. Default: 61184. Only needs to be configured when the collector listens on a non-default port. | Centralized client activity reporting |

Note: In the GPO UI, all CSE configuration settings are located under Computer configuration/Administrative Templates/AdmPwd Enterprise/Managed Clients.
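The following PowerShell script is an added example and is not part of the AdmPwd.E documentation or product. It reads the CSE registry key described above from a managed machine and checks the effective values against the documented ranges and dependencies (PasswordLength 8..64, PasswordComplexity 1..4, PasswordAge 1..9999 and not above MaxPasswordAge, an encryption key present when PwdEncryptionEnabled is set, and a ReportingHost present when ReportingEnabled is set). The function names `Get-AdmPwdClientConfig` and `Test-AdmPwdClientConfig` and the sample hashtable at the end are assumptions constructed for this example; everything else comes from the table above.

```powershell
# Added example (not AdmPwd.E code): audit the CSE configuration present on a
# managed machine against the documented ranges. Run in an elevated session.
$AdmPwdKey = 'HKLM:\Software\Policies\Microsoft Services\AdmPwd'

function Get-AdmPwdClientConfig {
    # Returns a hashtable of value name -> data; empty when the key is absent
    # (no GPO or DSC configuration has been applied to this machine yet).
    $config = @{}
    if (Test-Path -Path $AdmPwdKey) {
        $item = Get-ItemProperty -Path $AdmPwdKey
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... properties the provider adds
            if ($prop.Name -notmatch '^PS') { $config[$prop.Name] = $prop.Value }
        }
    }
    return $config
}

function Test-AdmPwdClientConfig {
    param([hashtable]$Config = (Get-AdmPwdClientConfig))

    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $Config.ContainsKey('AdmPwdEnabled') -or [int]$Config['AdmPwdEnabled'] -eq 0) {
        $findings.Add('AdmPwdEnabled is missing or 0: the CSE is not managing the local admin password')
    }

    # Documented ranges: minimum, maximum and default per value
    $ranges = @{
        PasswordLength     = @{ Min = 8; Max = 64;   Default = 12 }
        PasswordComplexity = @{ Min = 1; Max = 4;    Default = 4 }
        PasswordAge        = @{ Min = 1; Max = 9999; Default = 720 }
    }
    foreach ($name in $ranges.Keys) {
        if ($Config.ContainsKey($name)) {
            $v = [int]$Config[$name]
            $r = $ranges[$name]
            if ($v -lt $r.Min -or $v -gt $r.Max) {
                $findings.Add("$name=$v is outside the supported range $($r.Min)..$($r.Max)")
            }
        }
    }

    # PasswordAge may not exceed MaxPasswordAge (default 8760 hours = 1 year)
    $maxAge = if ($Config.ContainsKey('MaxPasswordAge')) { [int]$Config['MaxPasswordAge'] } else { 8760 }
    $age    = if ($Config.ContainsKey('PasswordAge'))    { [int]$Config['PasswordAge'] }    else { 720 }
    if ($age -gt $maxAge) { $findings.Add("PasswordAge=$age exceeds MaxPasswordAge=$maxAge") }

    # Complexity below 4 drops character classes from generated passwords; flag it for review
    if ($Config.ContainsKey('PasswordComplexity') -and [int]$Config['PasswordComplexity'] -lt 4) {
        $findings.Add("PasswordComplexity=$($Config['PasswordComplexity']) excludes some character classes")
    }

    # Encryption only works when a key of the matching generation is configured
    if ($Config.ContainsKey('PwdEncryptionEnabled') -and [int]$Config['PwdEncryptionEnabled'] -ne 0) {
        if (-not ($Config.ContainsKey('EncryptionKey') -or $Config.ContainsKey('PublicKey'))) {
            $findings.Add('PwdEncryptionEnabled is set but neither EncryptionKey (CNG) nor PublicKey (CryptoAPI) is configured')
        }
    }

    # Centralized reporting needs the collector FQDN and a valid UDP port (default 61184)
    if ($Config.ContainsKey('ReportingEnabled') -and [int]$Config['ReportingEnabled'] -ne 0) {
        if (-not $Config.ContainsKey('ReportingHost') -or [string]::IsNullOrWhiteSpace($Config['ReportingHost'])) {
            $findings.Add('ReportingEnabled is set but ReportingHost (FQDN of the PDS collector) is missing')
        }
        $port = if ($Config.ContainsKey('ReportingPort')) { [int]$Config['ReportingPort'] } else { 61184 }
        if ($port -lt 1 -or $port -gt 65535) { $findings.Add("ReportingPort=$port is not a valid UDP port") }
    }

    return $findings
}

# Constructed sample configuration (not read from a real machine) that violates several rules
$sample = @{
    AdmPwdEnabled        = 1
    PasswordLength       = 6      # below the documented minimum of 8
    PasswordComplexity   = 2      # letters only
    PasswordAge          = 9000   # within 1..9999 but above MaxPasswordAge
    MaxPasswordAge       = 8760
    PwdEncryptionEnabled = 1      # no EncryptionKey or PublicKey configured
    ReportingEnabled     = 1      # no ReportingHost configured
    ReportingPort        = 61184
}
Test-AdmPwdClientConfig -Config $sample

# Audit the machine the script runs on
Test-AdmPwdClientConfig
```

The checks only read the policy key; they do not touch the managed account or the stored password. An empty result from `Test-AdmPwdClientConfig` means the values present are within the documented bounds, not that the GPO has actually been applied, so pair it with a check that AdmPwdEnabled is present at all (the first finding covers the absent-key case).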
