DSCResources/MSFT_SecurityOption/MSFT_SecurityOption.schema.mof

// Embedded-instance class: one Allow/Deny entry for a single identity.
// It is referenced by the EmbeddedInstance qualifier on
// Network_access_Restrict_clients_allowed_to_make_remote_calls_to_SAM in
// MSFT_SecurityOption.
// Review notes:
//  - Neither property is marked Key or Required, so the schema itself accepts
//    an entry with a missing Permission or a missing Identity; completeness
//    has to be checked by the resource module, which is not shown here.
//  - Identity is a free-form string. Presumably it is an account or group
//    name that the module resolves; confirm how unresolvable names are handled.
[ClassVersion("1.0.0.0")]
class MSFT_RestrictedRemoteSamSecurityDescriptor
{
    // Only the two listed strings are accepted.
    [Write, ValueMap{"Allow","Deny"},Values{"Allow","Deny"}] String Permission;
    // No ValueMap: any string passes schema validation.
    [Write] String Identity;
};
 
// DSC resource schema for the SecurityOption resource (see FriendlyName below).
// Name is the only Key; every other property is an optional Write property
// named after one Windows security option.
// Review notes:
//  - Where a ValueMap is present, only the listed display strings are accepted.
//    Properties without a ValueMap (SDDL strings, account names, numeric
//    thresholds, pipe/share/registry-path lists) are free-form, so this schema
//    performs no validation on them; any checking has to live in the resource
//    module, which is not shown here.
//  - Many options are phrased negatively (Do_not_..., Disable_..., Restrict_...).
//    Enabled is therefore not always the hardened value; check the polarity of
//    each property before writing or reviewing a configuration.
//  - Description strings are consumed by tooling and are left untouched here;
//    a few contain typos (prinicipal, negotaite).
[ClassVersion("2.0.0.0"), FriendlyName("SecurityOption")]
class MSFT_SecurityOption : OMI_BaseResource
{
    [Key, Description("Describes the security option to be managed. This could be anything as long as it is unique")] String Name;
    [Write, Description("Determines whether the local Administrator account is enabled or disabled"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Accounts_Administrator_account_status;
    [Write, Description("Prevents using the Settings app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services."), ValueMap{"This policy is disabled","Users cant add Microsoft accounts","Users cant add or log on with Microsoft accounts"}, Values{"This policy is disabled","Users cant add Microsoft accounts","Users cant add or log on with Microsoft accounts"}] String Accounts_Block_Microsoft_accounts;
    [Write, Description("Determines whether the Guest account is enabled or disabled"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Accounts_Guest_account_status;
    [Write, Description("Determines whether remote interactive logons by network services such as Remote Desktop Services, Telnet, and File Transfer Protocol (FTP) are allowed for local accounts that have blank passwords"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only;
    // NOTE(review): the two Rename_* properties are free-form strings. Presumably
    // they carry the new account name, although the Description reads as a
    // yes/no question - confirm against the resource module.
    [Write, Description("Determines whether a different account name is associated with the security identifier (SID) for the administrator account")] String Accounts_Rename_administrator_account;
    [Write, Description("Determines whether a different account name is associated with the security identifier (SID) for the Guest account")] String Accounts_Rename_guest_account;
    [Write, Description("If you enable this policy setting, a default system access control list (SACL) is applied when the device creates system objects such as mutexes, events, semaphores, and MS-DOS® devices. If you also enable the Audit object access audit setting, access to these system objects is audited"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Audit_Audit_the_access_of_global_system_objects;
    [Write, Description("Determines whether to audit the use of all user rights, including Backup and Restore, when the Audit privilege use policy setting is configured"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Audit_Audit_the_use_of_Backup_and_Restore_privilege;
    [Write, Description("Allows you to manage your audit policy in a more precise way by using audit policy subcategories"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Audit_Force_audit_policy_subcategory_settings_Windows_Vista_or_later_to_override_audit_policy_category_settings;
    // Availability trade-off: per the Description, Enabled shuts the system down
    // when security events cannot be logged.
    [Write, Description("Determines whether the system shuts down if it is unable to log security events"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Audit_Shut_down_system_immediately_if_unable_to_log_security_audits;
    // The two DCOM properties take raw SDDL. The schema cannot reject a
    // malformed or over-permissive descriptor.
    [Write, Description("Allows you to define additional computer-wide controls that govern access to all Distributed Component Object Model (DCOM)–based applications on a device")] String DCOM_Machine_Access_Restrictions_in_Security_Descriptor_Definition_Language_SDDL_syntax;
    [Write, Description("Allows you to define additional computer-wide controls that govern access to all DCOM–based applications on a device. However, the ACLs that are specified in this policy setting control local and remote COM launch requests (not access requests) on the device")] String DCOM_Machine_Launch_Restrictions_in_Security_Descriptor_Definition_Language_SDDL_syntax;
    [Write, Description("Enables or disables the ability of a user to remove a portable device from a docking station without logging on"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Devices_Allow_undock_without_having_to_log_on;
    [Write, Description("Determines who is allowed to format and eject removable media."), ValueMap{"Administrators","Administrators and Power Users","Administrators and Interactive Users"}, Values{"Administrators","Administrators and Power Users","Administrators and Interactive Users"}] String Devices_Allowed_to_format_and_eject_removable_media;
    [Write, Description("Determines who can install a printer driver as part of adding a network printer"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Devices_Prevent_users_from_installing_printer_drivers;
    [Write, Description("Determines whether a CD is accessible to local and remote users simultaneously"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Devices_Restrict_CD_ROM_access_to_locally_logged_on_user_only;
    [Write, Description("Determines whether removable floppy disks are accessible to local and remote users simultaneously"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Devices_Restrict_floppy_access_to_locally_logged_on_user_only;
    [Write, Description("Determines whether server operators can use the 'at' command to submit jobs. "), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Domain_controller_Allow_server_operators_to_schedule_tasks;
    [Write, Description("Determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing"), ValueMap{"None","Require Signing"}, Values{"None","Require Signing"}] String Domain_controller_LDAP_server_signing_requirements;
    [Write, Description("Enables or disables blocking a domain controller from accepting password change requests for machine accounts"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Domain_controller_Refuse_machine_account_password_changes;
    [Write, Description("Determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always;
    [Write, Description("Determines whether all secure channel traffic that is initiated by the domain member must be encrypted"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Domain_member_Digitally_encrypt_secure_channel_data_when_possible;
    [Write, Description("Determines whether all secure channel traffic that is initiated by the domain member must be signed"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Domain_member_Digitally_sign_secure_channel_data_when_possible;
    // Negative polarity: going by the property name, Enabled stops the periodic
    // machine account password change.
    [Write, Description("Determines whether a domain member periodically changes its machine account password"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Domain_member_Disable_machine_account_password_changes;
    [Write, Description("Determines when a domain member submits a password change")] String Domain_member_Maximum_machine_account_password_age;
    [Write, Description("Determines whether a secure channel can be established with a domain controller that is not capable of encrypting secure channel traffic with a strong, 128-bit session key"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Domain_member_Require_strong_Windows_2000_or_later_session_key;
    [Write, Description("Controls whether details such as email address or domain\\username appear with the username on the sign-in screen"), ValueMap{"User displayname, domain and user names","User display name only","Do not display user information"}, Values{"User displayname, domain and user names","User display name only","Do not display user information"}] String Interactive_logon_Display_user_information_when_the_session_is_locked;
    [Write, Description("Determines whether the name of the last user to log on to the device is displayed on the Secure Desktop"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Interactive_logon_Do_not_display_last_user_name;
    // Negative polarity: going by the property name, Enabled removes the
    // CTRL+ALT+DEL requirement.
    [Write, Description("Determines whether pressing CTRL+ALT+DEL is required before a user can log on"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Interactive_logon_Do_not_require_CTRL_ALT_DEL;
    // The next six properties (lockout threshold, inactivity limit, banner text
    // and title, cached logons, expiry warning) are untyped strings with no
    // range or format check in the schema.
    [Write, Description("Allows you to set a threshold for the number of failed logon attempts that causes the device to be locked by using BitLocker")] String Interactive_logon_Machine_account_lockout_threshold;
    [Write, Description("Specifies the amount of inactive time before the user's session locks by invoking the screen saver")] String Interactive_logon_Machine_inactivity_limit;
    [Write, Description("Specifies a text message to be displayed to users when they log on")] String Interactive_logon_Message_text_for_users_attempting_to_log_on;
    [Write, Description("Specifies a message title to be displayed to users when they log on")] String Interactive_logon_Message_title_for_users_attempting_to_log_on;
    [Write, Description("Determines whether a user can log on to a Windows domain by using cached account information")] String Interactive_logon_Number_of_previous_logons_to_cache_in_case_domain_controller_is_not_available;
    [Write, Description("Determines how many days in advance users are warned that their passwords are about to expire")] String Interactive_logon_Prompt_user_to_change_password_before_expiration;
    [Write, Description("Determines whether it is necessary to contact a domain controller to unlock a device"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Interactive_logon_Require_Domain_Controller_authentication_to_unlock_workstation;
    [Write, Description("Requires users to log on to a device by using a smart card"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Interactive_logon_Require_smart_card;
    [Write, Description("Determines what happens when the smart card for a logged-on user is removed from the smart card reader"), ValueMap{"No Action","Lock workstation","Force logoff","Disconnect if a remote Remote Desktop Services session"}, Values{"No Action","Lock workstation","Force logoff","Disconnect if a remote Remote Desktop Services session"}] String Interactive_logon_Smart_card_removal_behavior;
    [Write, Description("If this policy setting is enabled, SMBv2 clients will digitally sign all packets"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Microsoft_network_client_Digitally_sign_communications_always;
    [Write, Description("If this policy setting is enabled, SMBv2 clients will digitally sign all packets if the server agrees"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Microsoft_network_client_Digitally_sign_communications_if_server_agrees;
    // Per the Description, Enabled lets the SMB redirector send plaintext
    // passwords; treat any configuration that sets Enabled as a finding to review.
    [Write, Description("Allows or prevents the SMB redirector to send plaintext passwords to a non-Microsoft server service that does not support password encryption during authentication"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Microsoft_network_client_Send_unencrypted_password_to_third_party_SMB_servers;
    [Write, Description("Determines the amount of continuous idle time that must pass in an SMB session before the session is suspended due to inactivity")] String Microsoft_network_server_Amount_of_idle_time_required_before_suspending_session;
    [Write, Description("Specifies whether a Windows file server will attempt to use the Kerberos S4U2Self feature to obtain a claim-enabled access token for the client prinicipal if required."), ValueMap{"Default","Enabled","Disabled"}, Values{"Default","Enabled","Disabled"}] String Microsoft_network_server_Attempt_S4U2Self_to_obtain_claim_information;
    [Write, Description("Specifies whether an SMB server requires SMB network packets to be digitally signed"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Microsoft_network_server_Digitally_sign_communications_always;
    [Write, Description("Specifies whether an SMB server will negotaite to digitally sign SMB network packets with a client"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Microsoft_network_server_Digitally_sign_communications_if_client_agrees;
    [Write, Description("Enables or disables the forced disconnection of users who are connected to the local device using SMB outside their user account's valid logon hours"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Microsoft_network_server_Disconnect_clients_when_logon_hours_expire;
    [Write, Description("Controls the level of validation that a server with shared folders or printers performs on the service principal name (SPN) that is provided by the client device when the client device establishes a session by using the Server Message Block (SMB) protocol"), ValueMap{"Off","Accept if provided by client","Required from client"}, Values{"Off","Accept if provided by client","Required from client"}] String Microsoft_network_server_Server_SPN_target_name_validation_level;
    [Write, Description("Enables or disables the ability of an anonymous user to request security identifier (SID) attributes for another user"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_access_Allow_anonymous_SID_Name_translation;
    // NOTE(review): the next two properties share one Description verbatim; only
    // the property names distinguish SAM accounts from SAM accounts and shares.
    [Write, Description("Determines which additional permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts;
    [Write, Description("Determines which additional permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares;
    [Write, Description("Determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_access_Do_not_allow_storage_of_passwords_and_credentials_for_network_authentication;
    // Per the Description, Enabled widens what anonymous connections can enumerate.
    [Write, Description("Determines what additional permissions are granted for anonymous connections to the device. If you enable this policy setting, anonymous users can enumerate the names of domain accounts and shared folders and perform certain other activities"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_access_Let_Everyone_permissions_apply_to_anonymous_users;
    // Free-form lists of pipes and registry paths reachable anonymously or
    // remotely; the expected list separator is not defined in this schema.
    [Write, Description("Determines which communication sessions, or pipes, have attributes and permissions that allow anonymous access")] String Network_access_Named_Pipes_that_can_be_accessed_anonymously;
    [Write, Description("Determines which registry paths are accessible when an application or process references the WinReg key to determine access permissions")] String Network_access_Remotely_accessible_registry_paths;
    [Write, Description("Determines which registry paths and subpaths are accessible when an application or process references the WinReg key to determine access permissions")] String Network_access_Remotely_accessible_registry_paths_and_subpaths;
    [Write, Description("Enables or disables the restriction of anonymous access to only those shared folders and pipes that are named in the 'Network access: Named pipes that can be accessed anonymously' and 'Network access: Shares that can be accessed anonymously' settings"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares;
    // Array of MSFT_RestrictedRemoteSamSecurityDescriptor entries (Permission
    // plus Identity), declared as String[] with an EmbeddedInstance qualifier.
    [Write, EmbeddedInstance("MSFT_RestrictedRemoteSamSecurityDescriptor"), Description("The Permission and Identity required for restricted remote Sam access")] String Network_access_Restrict_clients_allowed_to_make_remote_calls_to_SAM[];
    [Write, Description("Determines which shared folders can be accessed by anonymous users")] String Network_access_Shares_that_can_be_accessed_anonymously;
    [Write, Description("Determines how network logons that use local accounts are authenticated"), ValueMap{"Classic - Local users authenticate as themselves","Guest only - Local users authenticate as Guest"}, Values{"Classic - Local users authenticate as themselves","Guest only - Local users authenticate as Guest"}] String Network_access_Sharing_and_security_model_for_local_accounts;
    [Write, Description("Determines what identity to use for services running as Local System when NTLM is used"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_security_Allow_Local_System_to_use_computer_identity_for_NTLM;
    [Write, Description("Determines whether services that request the use of session security are allowed to perform signature or encryption functions with a well-known key for application compatibility"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_security_Allow_LocalSystem_NULL_session_fallback;
    [Write, Description("Determines whether authentication is allowed between two or more computers that have established a peer relationship through the use of online IDs"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_Security_Allow_PKU2U_authentication_requests_to_this_computer_to_use_online_identities;
    // Array property: several encryption types can be listed. DES_CBC_CRC,
    // DES_CBC_MD5 and RC4_HMAC_MD5 are legacy types; configurations that
    // include them deserve review.
    [Write, Description("Allows you to set the encryption types that the Kerberos protocol is allowed to use"), ValueMap{"DES_CBC_CRC","DES_CBC_MD5","RC4_HMAC_MD5","AES128_HMAC_SHA1","AES256_HMAC_SHA1","FUTURE"}, Values{"DES_CBC_CRC","DES_CBC_MD5","RC4_HMAC_MD5","AES128_HMAC_SHA1","AES256_HMAC_SHA1","FUTURE"}] String Network_security_Configure_encryption_types_allowed_for_Kerberos[];
    [Write, Description("Determines whether LAN Manager is prevented from storing hash values for the new password the next time the password is changed"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change;
    [Write, Description("Determines whether to disconnect users who are connected to the local device using SMB outside their user account's valid logon hours"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Network_security_Force_logoff_when_logon_hours_expire;
    // Values are listed from least to most restrictive; the first three still
    // allow LM or NTLM (v1) responses to be sent.
    [Write, Description("Determines which challenge or response authentication protocol is used for network logons"), ValueMap{"Send LM & NTLM responses","Send LM & NTLM - use NTLMv2 session security if negotiated","Send NTLM responses only","Send NTLMv2 responses only","Send NTLMv2 responses only. Refuse LM","Send NTLMv2 responses only. Refuse LM & NTLM"}, Values{"Send LM & NTLM responses","Send LM & NTLM - use NTLMv2 session security if negotiated","Send NTLM responses only","Send NTLMv2 responses only","Send NTLMv2 responses only. Refuse LM","Send NTLMv2 responses only. Refuse LM & NTLM"}] String Network_security_LAN_Manager_authentication_level;
    [Write, Description("Determines the level of data signing that is requested on behalf of client devices that issue LDAP BIND requests"), ValueMap{"None","Negotiate Signing","Require Signing"}, Values{"None","Negotiate Signing","Require Signing"}] String Network_security_LDAP_client_signing_requirements;
    // NOTE(review): the _clients and _servers properties carry the same
    // Description, which only mentions client devices.
    [Write, Description("Allows a client device to require the negotiation of 128-bit encryption or NTLMv2 session security"), ValueMap{"Require NTLMv2 session security","Require 128-bit encryption","Both options checked"}, Values{"Require NTLMv2 session security","Require 128-bit encryption","Both options checked"}] String Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_clients;
    [Write, Description("Allows a client device to require the negotiation of 128-bit encryption or NTLMv2 session security"), ValueMap{"Require NTLMv2 session security","Require 128-bit encryption","Both options checked"}, Values{"Require NTLMv2 session security","Require 128-bit encryption","Both options checked"}] String Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_servers;
    // The two NTLM exception lists are free-form strings; every entry is a host
    // that stays reachable over NTLM while a deny option is in force.
    [Write, Description("Allows you to create an exception list of remote servers to which client devices are allowed to use NTLM authentication if the 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' policy setting is configured")] String Network_security_Restrict_NTLM_Add_remote_server_exceptions_for_NTLM_authentication;
    [Write, Description("Allows you to create an exception list of servers in this domain to which client device are allowed to use NTLM pass-through authentication if any of the deny options are set in the 'Network Security: Restrict NTLM: NTLM authentication in this domain' policy setting")] String Network_security_Restrict_NTLM_Add_server_exceptions_in_this_domain;
    [Write, Description("Allows you to deny or allow incoming NTLM traffic from client computers, other member servers, or a domain controller"), ValueMap{"Allow all","Deny all domain accounts","Deny all accounts"}, Values{"Allow all","Deny all domain accounts","Deny all accounts"}] String Network_Security_Restrict_NTLM_Incoming_NTLM_Traffic;
    [Write, Description("Allows you to deny or allow NTLM authentication within a domain from this domain controller"), ValueMap{"Disable","Deny for domain accounts to domain servers","Deny for domain accounts","Deny for domain servers","Deny all"}, Values{"Disable","Deny for domain accounts to domain servers","Deny for domain accounts","Deny for domain servers","Deny all"}] String Network_Security_Restrict_NTLM_NTLM_authentication_in_this_domain;
    [Write, Description("Allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system"), ValueMap{"Allow all","Audit all","Deny all"}, Values{"Allow all","Audit all","Deny all"}] String Network_Security_Restrict_NTLM_Outgoing_NTLM_traffic_to_remote_servers;
    [Write, Description("Allows you to audit incoming NTLM traffic"), ValueMap{"Disabled","Enable auditing for domain accounts","Enable auditing for all accounts"}, Values{"Disabled","Enable auditing for domain accounts","Enable auditing for all accounts"}] String Network_Security_Restrict_NTLM_Audit_Incoming_NTLM_Traffic;
    [Write, Description("Allows you to audit on the domain controller NTLM authentication in that domain"), ValueMap{"Disable","Enable for domain accounts to domain servers","Enable for domain accounts","Enable for domain servers","Enable all"}, Values{"Disable","Enable for domain accounts to domain servers","Enable for domain accounts","Enable for domain servers","Enable all"}] String Network_Security_Restrict_NTLM_Audit_NTLM_authentication_in_this_domain;
    // Sensitive setting: per the Description it governs whether the Recovery
    // Console asks for the built-in Administrator password.
    [Write, Description("Determines whether the built-in Administrator account password must be provided before access to the Recovery Console on the device is granted"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Recovery_console_Allow_automatic_administrative_logon;
    [Write, Description("Enables or disables the Recovery Console SET command"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Recovery_console_Allow_floppy_copy_and_access_to_all_drives_and_folders;
    [Write, Description("Determines whether a device can be shut down without having to log on to Windows"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Shutdown_Allow_system_to_be_shut_down_without_having_to_log_on;
    [Write, Description("Determines whether the virtual memory paging file is cleared when the device is shut down"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String Shutdown_Clear_virtual_memory_pagefile;
    [Write, Description("Determines whether users can use private keys, such as their Secure/Multipurpose Internet Mail Extensions (S/MIME) key, without a password"), ValueMap{"User input is not required when new keys are stored and used","User is prompted when the key is first used","User must enter a password each time they use a key"}, Values{"User input is not required when new keys are stored and used","User is prompted when the key is first used","User must enter a password each time they use a key"}] String System_cryptography_Force_strong_key_protection_for_user_keys_stored_on_the_computer;
    [Write, Description("Determines whether the TLS/SSL security provider supports only the FIPS-compliant strong cipher suite"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String System_cryptography_Use_FIPS_compliant_algorithms_for_encryption_hashing_and_signing;
    [Write, Description("Determines whether case insensitivity is enforced for all subsystems"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String System_objects_Require_case_insensitivity_for_non_Windows_subsystems;
    [Write, Description("Determines the strength of the default discretionary access control list (DACL) for objects"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String System_objects_Strengthen_default_permissions_of_internal_system_objects_eg_Symbolic_Links;
    [Write, Description("Determines which subsystems support your applications")] String System_settings_Optional_subsystems;
    [Write, Description("Determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String System_settings_Use_Certificate_Rules_on_Windows_Executables_for_Software_Restriction_Policies;
    // User Account Control options. Note that the administrator prompt
    // behavior below accepts the value Elevate without prompting.
    [Write, Description("Determines the behavior of Admin Approval Mode for the built-in administrator account"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String User_Account_Control_Admin_Approval_Mode_for_the_Built_in_Administrator_account;
    [Write, Description("Controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts that are used by a standard user"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String User_Account_Control_Allow_UIAccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop;
    [Write, Description("Determines the behavior of the elevation prompt for accounts that have administrative credentials"), ValueMap{"Elevate without prompting","Prompt for credentials on the secure desktop","Prompt for consent on the secure desktop","Prompt for credentials","Prompt for consent","Prompt for consent for non-Windows binaries"}, Values{"Elevate without prompting","Prompt for credentials on the secure desktop","Prompt for consent on the secure desktop","Prompt for credentials","Prompt for consent","Prompt for consent for non-Windows binaries"}] String User_Account_Control_Behavior_of_the_elevation_prompt_for_administrators_in_Admin_Approval_Mode;
    [Write, Description("Determines the behavior of the elevation prompt for standard users"), ValueMap{"Automatically deny elevation request","Prompt for credentials on the secure desktop","Prompt for credentials"}, Values{"Automatically deny elevation request","Prompt for credentials on the secure desktop","Prompt for credentials"}] String User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users;
    [Write, Description("Determines the behavior of application installation detection for the entire system"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String User_Account_Control_Detect_application_installations_and_prompt_for_elevation;
    [Write, Description("Enforces public key infrastructure (PKI) signature checks on any interactive application that requests elevation of privilege"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String User_Account_Control_Only_elevate_executables_that_are_signed_and_validated;
    [Write, Description("Enforces the requirement that apps that request running with a UIAccess integrity level (by means of a marking of UIAccess=true in their app manifest), must reside in a secure location on the file system"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String User_Account_Control_Only_elevate_UIAccess_applications_that_are_installed_in_secure_locations;
    [Write, Description("Determines the behavior of all User Account Control (UAC) policies for the entire system"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String User_Account_Control_Run_all_administrators_in_Admin_Approval_Mode;
    [Write, Description("Determines whether the elevation request prompts on the interactive user desktop or on the secure desktop"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String User_Account_Control_Switch_to_the_secure_desktop_when_prompting_for_elevation;
    [Write, Description("Enables or disables the redirection of the write failures of earlier applications to defined locations in the registry and the file system"), ValueMap{"Enabled","Disabled"}, Values{"Enabled","Disabled"}] String User_Account_Control_Virtualize_file_and_registry_write_failures_to_per_user_locations;
};