Secure Bits
The "Trusted Path" Policy That Broke OOBE
This was a weird one, and it took a while to figure out.
I was working on my security baselines and came across a recommendation to enable:
Computer Configuration\Administrative Templates\Windows Components\Credential User Interface
"Require trusted path for credential entry"
Sounded good, tested fine, so I rolled it out to production.
Then the strange bug hit…
Admins started reporting broken OOBE screens for local administrator accounts. No matter what we tried, every path led back to the same unusable screen.
Turns out:
- The policy blocked the UAC secure desktop prompt that's supposed to show up
- That left us stuck in OOBE with no way to proceed
Disabling the policy fixed it immediately.
Fun twist: Microsoft later clarified they never officially recommended this setting. (ehm…gpedit.msc…). But it used to be recommended for some time by other agencies.
So, if you're building or reviewing your baselines, keep an eye on this one.
It might save you a few hours of unexpected troubleshooting.
Have you ever enabled this setting? Let me know.
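
A way to check where this policy is in effect before or after a baseline rollout, as an added example that is not part of the original post. It assumes the setting is stored as the `EnableSecureCredentialPrompting` DWORD under the CredUI policy key; the function names are hypothetical, and the GPO lookup needs the GroupPolicy (RSAT) module.

```powershell
# Added example, not from the original post.
# Assumption: the policy is stored as DWORD EnableSecureCredentialPrompting
# under the CredUI policy key (1 = enabled).
$PolicySubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
$PolicyValue  = 'EnableSecureCredentialPrompting'

function Get-TrustedPathPolicyState {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Returns the raw DWORD, or nothing when the value is absent.
    $read = {
        param($Path, $Name)
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($item) { [int]$item.$Name }
    }
    $readArgs = "HKLM:\$PolicySubKey", $PolicyValue

    foreach ($computer in $ComputerName) {
        try {
            $raw = if ($computer -eq $env:COMPUTERNAME) {
                & $read @readArgs
            } else {
                Invoke-Command -ComputerName $computer -ScriptBlock $read -ArgumentList $readArgs -ErrorAction Stop
            }
            $state = if ($null -eq $raw) { 'NotConfigured' }
                     elseif ($raw -eq 1) { 'Enabled' }
                     elseif ($raw -eq 0) { 'Disabled' }
                     else { "Unexpected ($raw)" }
        } catch {
            $state = "Unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]@{ ComputerName = $computer; TrustedPathPolicy = $state }
    }
}

function Find-TrustedPathGpo {
    # Needs the GroupPolicy (RSAT) module; lists domain GPOs that set the value.
    Import-Module GroupPolicy -ErrorAction Stop
    foreach ($gpo in Get-GPO -All) {
        $setting = Get-GPRegistryValue -Guid $gpo.Id -Key "HKLM\$PolicySubKey" -ValueName $PolicyValue -ErrorAction SilentlyContinue
        if ($setting) { [pscustomobject]@{ Gpo = $gpo.DisplayName; Value = $setting.Value } }
    }
}

Get-TrustedPathPolicyState   # state on the local machine
```

Running `Find-TrustedPathGpo` on a domain-joined admin workstation shows which GPOs would push the value to machines that still have to go through OOBE.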
