Secure channel: Digitally encrypt or sign secure channel data (always)

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options


Determines whether the computer will always digitally encrypt or sign secure channel data.

When a Windows 2000 system joins a domain, a computer account is created. Thereafter, when the system boots, it uses the password for that account to create a secure channel with the domain controller for its domain. Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked and not all information is encrypted.

If this policy is enabled, all outgoing secure channel traffic must be either signed or encrypted.

If this policy is disabled, signing and encryption are negotiated with the domain controller.

By default, this policy is disabled.

Important

This option should only be enabled if all of the domain controllers in all the trusted domains support signing and sealing.

Note

If this parameter is enabled, then Secure channel: Digitally sign secure channel data (when possible) is automatically enabled.
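The following is an added example, not part of the original policy description, that models the behaviour described on this page: enabling "always" forces "sign (when possible)" on, enabling "always" requires every outgoing secure channel to be signed or encrypted, and a domain controller (including one in a trusted domain) that cannot sign or seal then breaks secure-channel setup, which is the reason for the Important caveat above. The data classes, the `negotiate` and `audit` functions and the sample domain controllers are constructed for illustration; the inclusion of the related "Digitally encrypt secure channel data (when possible)" policy and the exact negotiation outcomes are assumptions of this model, not a description of Netlogon's internal implementation.

```python
"""Model of how the secure-channel signing/sealing policies interact.

Constructed example: policy names follow the Group Policy settings, but the
negotiation outcomes are a simplified model (an assumption), not Netlogon itself.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ClientPolicy:
    # "Secure channel: Digitally encrypt or sign secure channel data (always)"
    require_sign_or_seal: bool
    # "Secure channel: Digitally sign secure channel data (when possible)"
    sign_when_possible: bool
    # "Secure channel: Digitally encrypt secure channel data (when possible)"
    # (related policy, assumed here for completeness of the model)
    seal_when_possible: bool


@dataclass
class DomainController:
    name: str
    domain: str
    supports_sign_seal: bool  # whether this DC can sign and seal secure channel data


def effective_policy(p: ClientPolicy) -> ClientPolicy:
    """Apply the rule from the page: enabling "always" automatically
    enables "sign (when possible)"."""
    if p.require_sign_or_seal:
        return ClientPolicy(True, True, p.seal_when_possible)
    return p


def negotiate(p: ClientPolicy, dc: DomainController) -> Tuple[bool, str]:
    """Return (channel_established, protection) for one client/DC pair.

    protection is "sealed", "signed" or "none". When "always" is enabled and
    the DC cannot sign or seal, no secure channel is established at all,
    because the client refuses to send unprotected traffic.
    """
    eff = effective_policy(p)
    if dc.supports_sign_seal:
        # Signing and sealing are negotiated; sealing implies integrity too.
        if eff.seal_when_possible:
            return True, "sealed"
        if eff.sign_when_possible:
            return True, "signed"
        return True, "none"
    # DC cannot provide either protection.
    if eff.require_sign_or_seal:
        return False, "none"  # the failure mode the Important caveat warns about
    return True, "none"  # negotiated down to an unprotected channel


def audit(p: ClientPolicy, dcs: List[DomainController]) -> List[str]:
    """Names of domain controllers that would break secure-channel setup
    under the given client policy. Run this over every DC in every trusted
    domain before enabling "always" on members."""
    return [dc.name for dc in dcs if not negotiate(p, dc)[0]]


# Constructed sample forest: two capable DCs and one legacy DC in a trusted domain.
SAMPLE_DCS = [
    DomainController("dc1", "corp.example", True),
    DomainController("dc2", "corp.example", True),
    DomainController("legacy-dc", "partner.example", False),
]

if __name__ == "__main__":
    strict = ClientPolicy(require_sign_or_seal=True,
                          sign_when_possible=False, seal_when_possible=False)
    for dc in SAMPLE_DCS:
        print(dc.name, negotiate(strict, dc))
    print("would break:", audit(strict, SAMPLE_DCS))
```

With "always" enabled the audit reports `legacy-dc` as a controller that would refuse secure-channel setup, whereas with the default (disabled) policy the same controller negotiates an unprotected channel instead.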