
Group Policies must be refreshed in the background if the user is logged on.


Overview

Finding ID: V-63613
Version: WN10-CC-000095
Rule ID: SV-78103r1_rule
IA Controls:
Severity: Medium
Description
If this setting is enabled, then Group Policy settings are not refreshed while a user is currently logged on. This could lead to instances when a user does not have the latest changes to a policy applied and is therefore operating in an insecure context.
STIG: Windows 10 Security Technical Implementation Guide
Date: 2016-06-24

Details

Check Text (C-64363r1_chk)
The default behavior is for group policy to refresh in the background.

If the following registry value name does not exist, this is not a finding.
(This is the expected result from not configuring the policy noted in the Fix section. Selecting "Disabled" for the policy will also result in no registry value).

If the following registry value name exists with a value of "1", this is a finding.

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

Value Name: DisableBkGndGroupPolicy

Value Type: REG_DWORD
Value: (This registry entry will not exist if configured correctly.)
Fix Text (F-69543r1_fix)
The default behavior is for group policy to refresh in the background.

If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> System >> Group Policy >> "Turn off background refresh of Group Policy" to "Not Configured".

(Selecting "Disabled" results in the same outcome as "Not Configured": the registry value will not exist.)
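
The Check Text above, expressed as a PowerShell function. This is an added example, not part of the STIG. The function name, the output fields and the "Review" status are assumptions made for the example, and the key is spelled CurrentVersion (no space), as Windows names it.

```powershell
# Added example: evaluates V-63613 (WN10-CC-000095) on the local machine.
# Test-BackgroundGpoRefresh and its output fields are hypothetical names.
function Test-BackgroundGpoRefresh {
    [CmdletBinding()]
    param(
        # Windows spells the key "CurrentVersion" without a space.
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    $name = 'DisableBkGndGroupPolicy'
    $result = [ordered]@{
        FindingId = 'V-63613'
        ValueName = $name
        Present   = $false
        Kind      = $null
        Data      = $null
        Status    = 'NotAFinding'   # value absent: policy Not Configured or Disabled
    }

    # A missing key is the same outcome as a missing value, so suppress the error.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -ne $key -and ($key.GetValueNames() -contains $name)) {
        $result.Present = $true
        $result.Kind    = $key.GetValueKind($name)
        $result.Data    = $key.GetValue($name)

        if ($result.Kind -eq 'DWord' -and $result.Data -eq 1) {
            # REG_DWORD 1 means background refresh is turned off.
            $result.Status = 'Finding'
        }
        else {
            # The Check Text does not classify a value that exists with other
            # data or another type; flagging it for review is an assumption.
            $result.Status = 'Review'
        }
    }

    [pscustomobject]$result
}

Test-BackgroundGpoRefresh
```

A "Finding" result should be corrected through the policy setting named in the Fix Text, because deleting the registry value by hand is undone at the next refresh if a GPO still enables the setting.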