We had a Microsoft PFE onsite this week, and they recommend disabling the requirement to press CTRL-ALT-DEL for our fleet of Surface Book 2s. Is the guidance on this page still valid for regular run-of-the-mill organizations (not mil-sec) with the newer Windows 10 security features in place?
@tlamothe Tomorrow I will check on Windows 10 1909 Enterprise 64-bit.
Afterwards I will reply back to you.
@officedocsbot assign @jvsam
@tlamothe Is your Surface Book 2 connected to any organization?
If it is, contact the system administrator.
@tlamothe This morning I checked on Windows 10 19012 Insider Preview.
I set the CTRL-ALT-DEL policy to Disabled and updated the policy through the command line, then I restarted Windows. I found that CTRL-ALT-DEL is displayed on the login screen, and I need to press that key combination to unlock.
Hi @tlamothe, have you tried enabling and disabling the policy setting to confirm? It seems @RAJU2529 was able to confirm that the Interactive logon: Do not require CTRL+ALT+DEL security policy setting is still working as expected. Looking forward to hearing from you.
I don't think you are understanding the question.
Your guidance is to leave the setting Not Configured, which on a client computer means the effective default setting is Disabled.
Disabling the disable policy has the effective result of enabling it.
Is the Microsoft guidance that it is security best practice to force CTRL-ALT-DEL still valid? With the Windows 10 security enhancements and the push to make it more accessible to people with disabilities, does forcing CTRL-ALT-DEL for users to log in still make sense? Is it advisable to enable this setting on Windows 10 machines, or should we continue to follow the guidance on the page, which might be aged and dated?
Thank you for the clarification @tlamothe.
It is advisable to set Disable CTRL+ALT+DEL requirement for logon to Not configured.
If you are referring to the above, the suggested best practice has been updated. This information from a closed issue might help; tagging @illfated since he pointed it out. See the related issue comment. So, as per this blog article...
> ...to remove settings that do not address contemporary threats, and to remove the enforcement of Windows default settings that require administrative control to change and that are unlikely to be changed by an authorized administrator. The result is that we have removed 122 settings that had been enforced...

> ...the 122 settings that went from a configured value to “Not Configured.” For many of these settings, such as Windows Update settings, specific configuration is best left to the organization. For others, organizations can continue enforcing settings, but we do not consider their enforcement to be necessary...

> Enforcement of Ctrl+Alt+Del at logon to protect credentials from theft. This is not particularly strong protection. First, it depends on a user that’s looking at a spoofed logon screen remembering that he or she hadn’t pressed Ctrl+Alt+Del before typing a password. Second, so many apps prompt the user for the same credentials on the user’s desktop that the credentials can easily be stolen there. Third, if the adversary has gained administrative control of the computer, the “secure desktop” is no longer a protected space. Finally, with devices offering more keyboard-free logon experiences such as facial recognition, Ctrl+Alt+Del becomes an annoying interference...
Please note that you can also consider Windows Hello e.g. Biometric sign-in, if it's a viable option for you.
P.S. @illfated, this doc has some redundant sentences (See the Reference section). If you have time, perhaps you can suggest the updates? Thank you!
First of all, thank you to all of you for commenting about this feature which appears to be more or less outdated.
One of my main incentives to regard the enforcement as outdated is the prevalence of remote control software giving you the option to send the Ctrl+Alt+Del key combination as a software package to the target client, triggering the login UI without using the physical keyboard. I also recognize and appreciate the situation where the client computer is used by one or more disabled persons, making it necessary to disable the feature for direct local interaction. With all the other biometric options we now have access to, it is rapidly becoming a functionality of the past, except for those few isolated scenarios where the computer is either physically disconnected from the internet or isolated from networking with other computers, and still regarded as a security device (because of local data or software content).
TL;DR: I appreciate the pros and cons of this feature, depending on the scenario in question.
Just to make it clear: I do not have access to any Surface Book computers, so I don't actually know if they respond differently to group policies compared to a random laptop or desktop computer using Windows 10 Pro. Furthermore, almost all of the computers I have access to have been upgraded from Windows 8.1 or Windows 7 to Windows 10, so I also find it difficult to verify with certainty which of the GPO settings will achieve the expected result on a Surface Book computer with only Windows 10 Pro as their original and first OS, without any settings migrated from Windows 8.
And yes, even though I have a tendency to "ramble on" or seem to rant when I try to explain what I am thinking, I will be looking into the Reference section to see if I can find and simplify the text where it contains redundancies.
@tlamothe The associated PR for this issue, #5767, has been merged. Thank you for the feedback.
@e0i : Sorry for disappointing you, but my PR merely removed duplicated text, whereas the actual posted issue has not been answered yet. I am fairly certain we should keep it open until we get some form of confirmation that the actual question has been answered as such.
@jvsam , have I misunderstood the issue, are the replies above considered sufficient?
@illfated Thank you. The issue is being noted for re-investigation.
_FYI jvsam is no longer part of the team_
Hello @tlamothe - Thank you for your query. This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.
If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords.
If this policy is disabled, a user is required to press CTRL+ALT+DEL before logging on to Windows.
- Default on domain computers: Enabled
- Windows 7 or earlier: Disabled
- Default on stand-alone computers: Enabled
So it totally depends on your/organization's requirement to enable this policy or to keep it disabled.
Thanks.
Imran.
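As an added example that is not part of the thread or the Microsoft documentation: the policy described above ("Enabled" means the user is *not* required to press CTRL+ALT+DEL, "Disabled" means they are, "Not Configured" means the OS default applies) is stored on the client as the `DisableCAD` value under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`. The function below reads that value and reports the effective state, which is a quicker way to verify the result of the set-policy / `gpupdate` / reboot test described earlier than watching the logon screen. The function name and output fields are my own choices, not anything from the page.

```powershell
# Added example: report whether this machine enforces Ctrl+Alt+Del at logon.
# The "Interactive logon: Do not require CTRL+ALT+DEL" setting is written as
# the DisableCAD registry value: 1 = policy Enabled (Ctrl+Alt+Del NOT required),
# 0 = policy Disabled (Ctrl+Alt+Del required), absent = Not Configured.
function Get-CtrlAltDelRequirement {
    [CmdletBinding()]
    param()

    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $item = Get-ItemProperty -Path $key -Name 'DisableCAD' -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # No value present: the policy is Not Configured, so the OS default
        # for this machine type applies and the registry alone cannot tell us.
        $state    = 'NotConfigured'
        $required = $null
    } elseif ($item.DisableCAD -eq 1) {
        $state    = 'Enabled'
        $required = $false
    } else {
        $state    = 'Disabled'
        $required = $true
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DomainJoined       = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
        PolicyState        = $state
        CtrlAltDelRequired = $required
    }
}

Get-CtrlAltDelRequirement | Format-List
```

After changing the GPO, run `gpupdate /force` on the client and call the function again; the `DisableCAD` value should flip before the next reboot, even though the logon screen itself only reflects it after a restart. To check a fleet rather than one machine, the same function body can be pushed out with `Invoke-Command -ComputerName <names> -ScriptBlock ${function:Get-CtrlAltDelRequirement}`, given WinRM access. The `DomainJoined` field is included because, as the answer above notes, the effective default for Not Configured differs between domain-joined and stand-alone computers.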
Good answer, @joinimran . At first, I had doubts about whether you had answered the question, but it turned out to be correct.
From my perspective it looks like you could have highlighted the most important sentence (or parts of it), maybe something like this:
> So it totally depends on your/organization's requirement to enable this policy or to keep it disabled.
I totally agree with that statement. There are hardly any yes/no answers (or "_this_ solution is better than _that other_ solution") in cases like the one in this ticket. The solution needs to be picked based on the requirements and security concerns in each individual case.
Being the old-school type myself, I prefer using the Ctrl-Alt-Del unlock feature for my desktop computer at work, but not on my home computer laptop. None of my colleagues are manually impaired (pertaining to their hands), so it is just as easy for those who need to access my computer when I am not there to use both hands to access the Ctrl-Alt-Del unlock feature, be it to log in as a different user or to check my computer for connection issues when I work from home (which hardly ever happens in our stable, small business domain network).
Having said that, I admit that most of my colleagues do not want to use this feature, which is a fair enough decision made by the management leaders, to use the simplest solutions they can get away with, to avoid having their work slowed down by any rigorous security measures. They only use two-factor authentication or multi-factor authentication to access external privileged resources, so the decision is mostly made by team leaders or heads of office, making my work less involved in the decision-making process.
If my workplace had been equipped with more modern laptops and workstations equipped with biometric solutions, it would make more sense to use some form of Biometric sign-in, which would have been both easier and more secure than the current password login method, but my employer is mostly stuck with generally 5-year old computer hardware, so we need to keep it simple at my office location. If I were working in your scenario, I would have recommended Windows Hello for Business and Biometric sign-in.
@tlamothe Please let us know if you still have any question regarding the issue you have raised initially.
The issue is being closed since your question seems to be answered. Feel free to re-open this issue if you feel that it hasn't been answered or that there are further suggestions to improve the documentation itself.
Thanks.
Looks good. Thanks.