Summary
This article describes the Local Security Authority (LSA) registry value AllowUnprivilegedProxyAuth.
This registry value enables Application Guard and Universal Windows Platform (UWP) applications which do not use the enterpriseAuthentication capability to automatically authenticate to HTTP proxies.
Registry setting
Important This section, method, or task contains steps that tell you how to change the registry. However, serious problems might occur if you change the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you change it. Then, you can restore the registry if a problem occurs.
For more information about how to back up and restore the registry, see the following article in the Microsoft Knowledge Base:
322756How to back up and restore the registry in Windows
To enable or disable the AllowUnprivilegedProxyAuth setting, locate and change the following registry key:
Registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
DWORD name: AllowUnprivilegedProxyAuth
Value data: Any nonzero value (Default value)
Notes
-
To automatically authenticate to HTTP proxy servers for applications which do not use the enterpriseAuthentication capability, set the Value data setting to 1.
-
To not automatically authenticate to HTTP proxy servers for applications which do not use the enterpriseAuthentication capability, set the Value data setting to 0 (zero).
More information
If you set the AllowUnprivilegedProxyAuth registry value to 1, these applications will have access to authentication traffic enabling them to run man-in-the-middle and dictionary/brute force attacks against the users NTLM authentication.
If you set the AllowUnprivilegedProxyAuth registry value to 0, applications which do not use the enterpriseAuthentication capability, such as Application Guard, will be unable to authenticate to HTTP proxies without providing credentials themselves. This might cause some web connection failures for applications which have to use a HTTP proxy that do not have credentials.
By default, the AllowUnprivilegedProxyAuth registry value is not present. If you have to make a change to this setting, you must create the value. The default value of this setting is 1.
This registry value is supported on Windows 10, version 1709, and later versions.