Description of the AllowUnprivilegedProxyAuth registry value

This article describes the Local Security Authority (LSA) registry value AllowUnprivilegedProxyAuth.

This registry value enables Application Guard and Universal Windows Platform (UWP) applications which do not use the enterpriseAuthentication capability to automatically authenticate to HTTP proxies.

To enable or disable the AllowUnprivilegedProxyAuth setting, locate and change the following registry key: 

Registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

DWORD name: AllowUnprivilegedProxyAuth
Value data: Any nonzero value (Default value)

Notes

• To automatically authenticate to HTTP proxy servers for applications which do not use the enterpriseAuthentication capability, set the Value data setting to 1.
• To not automatically authenticate to HTTP proxy servers for applications which do not use the enterpriseAuthentication capability, set the Value data setting to 0 (zero).

If you set the AllowUnprivilegedProxyAuth registry value to 1, these applications will have access to authentication traffic enabling them to run man-in-the-middle and dictionary/brute force attacks against the users NTLM authentication.

If you set the AllowUnprivilegedProxyAuth registry value to 0, applications which do not use the enterpriseAuthentication capability, such as Application Guard, will be unable to authenticate to HTTP proxies without providing credentials themselves. This might cause some web connection failures for applications which have to use a HTTP proxy that do not have credentials.

By default, the AllowUnprivilegedProxyAuth registry value is not present. If you have to make a change to this setting, you must create the value. The default value of this setting is 1.

This registry value is supported on Windows 10, version 1709, and later versions.