Domain member: Digitally sign secure channel data (when possible) This security setting determines whether a domain member ...

Domain member: Digitally sign secure channel data (when possible)

This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.

When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.

This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.

Default: Enabled.

Notes:

If the policy Domain member: Digitally encrypt or sign secure channel data (always) is enabled, then this policy is assumed to be enabled regardless of its current setting.
Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.

Domain controller: Refuse machine account password changes This security setting determines whether domain controllers will ... Domain controllers cannot be moved from one domain to another, they must first be demoted. Renaming this domain controller ... Domain member: Digitally encrypt or sign secure channel data (always) This security setting determines whether all secure ... Domain member: Digitally encrypt secure channel data (when possible) This security setting determines whether a domain member ... Domain member: Digitally sign secure channel data (when possible) This security setting determines whether a domain member ... Domain member: Disable machine account password changes Determines whether a domain member periodically changes its computer ... Domain member: Maximum machine account password age This security setting determines how often a domain member will attempt ... Domain member: Require strong (Windows 2000 or later) session key This security setting determines whether 128-bit key strength ... Domain networks are configured by your system administrator and their locations cannot be changed to Private. You must manually ...