Configuration
Management runtime is configurable using registry values specified in the registry key:
HKLM\Software\Policies\Microsoft Services\AdmPwd
Registry values are configured via GPO or DSC, or can be configured by any other means that can keep registry configuration in place.
Currently the following configuration values are supported:
Value | Type | Meaning |
---|---|---|
AdmPwdEnabled | REG_DWORD | Setting to non-zero enables the solution. The resulting policy must have this value set to non-zero for the solution to work on the managed machine. Managed by policy: Enable local admin password management |
AdminAccountName | REG_SZ | Name of the local account whose password is managed. If not configured, the CSE manages the built-in Administrator password regardless of its name (the account is detected via its well-known SID). Managed by policy: Customize administrator account name |
ManualPasswordChangeProtectionEnabled | REG_DWORD | Setting to zero disables protection against manual changes of the managed local administrator account's password. If not configured or set to non-zero, protection is active. Managed by policy: Protect against manual changes of password |
LogLevel | REG_DWORD | Logging level on clients. Supported values are specified in Logging. Managed by policy: Logging level |
PasswordLength | REG_DWORD | Length of the generated password. Minimum: 8. Managed by policy: Password Settings |
PasswordComplexity | REG_DWORD | Complexity of the generated password. Minimum: 1. Meaning of values: Managed by policy: Password Settings |
PasswordAge | REG_DWORD | Age of the password in hours. Minimum: 1. Managed by policy: Password Settings |
MaxPasswordAge | REG_DWORD | Maximum configurable age of the password in hours. When configured, PasswordAge cannot exceed this value. Minimum: 1. Managed by policy: Maximum Configurable Password Age |
PublicKey | REG_SZ | Base64-encoded public key for password encryption. This is a CryptoAPI encryption key, used by clients up to 7.5.1.0. Get the key via PowerShell cmdlet. Managed by policy: Password encryption |
EncryptionKey | REG_SZ | Base64-encoded public key for password encryption. This is a CNG encryption key, used by clients v7.5.2.0 and newer. Get the key via PowerShell cmdlet. Managed by policy: Password encryption |
PwdExpirationProtectionEnabled | REG_DWORD | Whether the CSE shall enforce that the password age is aligned with the PasswordAge parameter. If set to non-zero and the password expiration time set on the computer exceeds the PasswordAge policy, the password is reset upon the next GPO refresh and the expiration is set according to policy. Managed by policy: Do not allow password expiration time longer than required by policy |
PwdEncryptionEnabled | REG_DWORD | Whether or not password encryption is enabled. Default: No. Managed by policy: Password encryption |
PwdHistoryEnabled | REG_DWORD | Whether or not to maintain password history for the computer. Managed by policy: Maintain history of passwords |
BuiltInAdminState | REG_DWORD | Desired state of the built-in local admin account on the managed machine. Meaning of values: 0 ... Built-in admin account is kept Disabled. Managed by policy: Desired state of built-in admin account |
ReportingEnabled | REG_DWORD | Allows centralized reporting of client activity. Managed by policy: Centralized client activity reporting |
ReportingHost | REG_SZ | Fully Qualified Domain Name (FQDN) of the PDS host that collects client reports. Managed by policy: Centralized client activity reporting |
ReportingPort | REG_DWORD | UDP port on which the centralized reporting collector listens. By default this is port 61184; it only needs to be changed when the collector is configured to listen on a non-default port. Managed by policy: Centralized client activity reporting |
Note: In the GPO UI, all configuration settings related to the CSE are located under the Computer configuration/Administrative Templates/AdmPwd Enterprise/Managed Clients path.
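As an added example (not part of the product documentation or the AdmPwd.E code), the following PowerShell script reads the policy values listed above from the registry key on a managed client and checks them against the documented minimums and dependencies (PasswordLength at least 8, PasswordAge not exceeding MaxPasswordAge, an encryption key present when encryption is enabled, a reporting host present when reporting is enabled). The function names and the finding messages are this example's own; the value names, minimums and key path come from the table.

```powershell
# Added audit example for the AdmPwd.E client policy; not product code.
# Reads the documented registry values and reports inconsistencies.

$AdmPwdPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'

function Get-AdmPwdClientPolicy {
    param([string]$Path = $AdmPwdPolicyPath)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path
    # Only the value names documented in the table above are collected;
    # the PS* note properties Get-ItemProperty adds are ignored.
    $names = 'AdmPwdEnabled','AdminAccountName','ManualPasswordChangeProtectionEnabled',
             'LogLevel','PasswordLength','PasswordComplexity','PasswordAge','MaxPasswordAge',
             'PublicKey','EncryptionKey','PwdExpirationProtectionEnabled','PwdEncryptionEnabled',
             'PwdHistoryEnabled','BuiltInAdminState','ReportingEnabled','ReportingHost','ReportingPort'
    $result = @{}
    foreach ($n in $names) {
        $prop = $item.PSObject.Properties[$n]
        if ($null -ne $prop) { $result[$n] = $prop.Value }
    }
    return $result
}

function Test-AdmPwdClientPolicy {
    param([hashtable]$Policy)
    $findings = @()
    if ($null -eq $Policy) {
        return @('Policy key not present: the CSE is not configured on this machine')
    }
    # AdmPwdEnabled must be non-zero for the solution to do anything
    if (-not $Policy.ContainsKey('AdmPwdEnabled') -or $Policy['AdmPwdEnabled'] -eq 0) {
        $findings += 'AdmPwdEnabled is missing or zero: the solution is disabled'
    }
    # Documented minimums
    if ($Policy.ContainsKey('PasswordLength') -and $Policy['PasswordLength'] -lt 8) {
        $findings += "PasswordLength $($Policy['PasswordLength']) is below the documented minimum of 8"
    }
    foreach ($n in 'PasswordComplexity','PasswordAge','MaxPasswordAge') {
        if ($Policy.ContainsKey($n) -and $Policy[$n] -lt 1) {
            $findings += "$n $($Policy[$n]) is below the documented minimum of 1"
        }
    }
    # PasswordAge cannot exceed MaxPasswordAge when both are configured
    if ($Policy.ContainsKey('PasswordAge') -and $Policy.ContainsKey('MaxPasswordAge') -and
        $Policy['PasswordAge'] -gt $Policy['MaxPasswordAge']) {
        $findings += "PasswordAge $($Policy['PasswordAge']) exceeds MaxPasswordAge $($Policy['MaxPasswordAge'])"
    }
    # Encryption needs a key (CryptoAPI PublicKey for older clients, CNG EncryptionKey for newer)
    if ($Policy.ContainsKey('PwdEncryptionEnabled') -and $Policy['PwdEncryptionEnabled'] -ne 0 -and
        -not ($Policy.ContainsKey('PublicKey') -or $Policy.ContainsKey('EncryptionKey'))) {
        $findings += 'PwdEncryptionEnabled is set but neither PublicKey nor EncryptionKey is configured'
    }
    # Reporting needs a collector host; the port must be a valid UDP port
    if ($Policy.ContainsKey('ReportingEnabled') -and $Policy['ReportingEnabled'] -ne 0 -and
        -not $Policy.ContainsKey('ReportingHost')) {
        $findings += 'ReportingEnabled is set but ReportingHost (PDS FQDN) is not configured'
    }
    if ($Policy.ContainsKey('ReportingPort') -and
        ($Policy['ReportingPort'] -lt 1 -or $Policy['ReportingPort'] -gt 65535)) {
        $findings += "ReportingPort $($Policy['ReportingPort']) is not a valid UDP port"
    }
    return $findings
}

# Usage: run in an elevated prompt on a managed client after a GPO refresh
$policy   = Get-AdmPwdClientPolicy
$findings = Test-AdmPwdClientPolicy -Policy $policy
if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Because GPO and DSC both write to the same key, the script reports the effective values regardless of which mechanism set them; a value that is absent is reported only when another setting depends on it, since the CSE applies a default (for example, managing the built-in Administrator by SID when AdminAccountName is not set).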