Domain member: Require strong (Windows 2000 or later) session key

This security setting determines whether 128-bit key strength is required for encrypted secure channel data.

When a computer joins a domain, a computer account is created. After that, each time the system starts it uses the computer account password to establish a secure channel (the Netlogon secure channel) with a domain controller in the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name lookup, and so on.

Depending on the version of Windows running on the domain controller that the domain member is communicating with, and on the settings of these two policies:

  • Domain member: Digitally encrypt or sign secure channel data (always)
  • Domain member: Digitally encrypt secure channel data (when possible)

some or all of the information transmitted over the secure channel will be encrypted. This policy setting determines whether 128-bit key strength is required for whatever secure channel information is encrypted; it does not by itself cause data to be encrypted.

If this setting is enabled, the secure channel will not be established unless 128-bit encryption can be performed, so a member whose domain controllers cannot negotiate a strong key loses its secure channel and the operations that depend on it. If this setting is disabled, the key strength is negotiated with the domain controller and a weaker key may be accepted.
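The following PowerShell is an added example, not part of the original page: it audits the four "Domain member:" secure channel policies on a domain member by reading their Netlogon registry values, cross-checks the local security policy with a secedit export, enforces the strong session key requirement, and then resets and re-verifies the secure channel so that a domain controller that cannot negotiate a 128-bit key is caught immediately rather than at the next reboot. It assumes it runs elevated on a domain-joined host; the registry value names and the nltest switches are the real ones, and the temporary export path is an assumption.

```powershell
# Added example (not from the original page). Assumes an elevated session on a
# domain-joined Windows host.
$netlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Each "Domain member:" security option maps to a REG_DWORD (1 = Enabled, 0 = Disabled)
# under the Netlogon Parameters key.
$policyMap = [ordered]@{
    'Digitally encrypt or sign secure channel data (always)' = 'RequireSignOrSeal'
    'Digitally encrypt secure channel data (when possible)'  = 'SealSecureChannel'
    'Digitally sign secure channel data (when possible)'     = 'SignSecureChannel'
    'Require strong (Windows 2000 or later) session key'     = 'RequireStrongKey'
}

function Get-SecureChannelPolicy {
    # Report the effective registry state of each secure channel policy.
    $current = Get-ItemProperty -Path $netlogonParams
    foreach ($policy in $policyMap.Keys) {
        $valueName = $policyMap[$policy]
        $value = $current.$valueName
        [pscustomobject]@{
            Policy = $policy
            Value  = $valueName
            State  = if ($null -eq $value) { 'Not configured' }
                     elseif ($value -eq 1)  { 'Enabled' }
                     else                   { 'Disabled' }
        }
    }
}

function Get-SecurityPolicyExport {
    # Cross-check against the local security policy database rather than trusting
    # the registry alone: secedit writes the Security Options it knows about as
    # "MACHINE\...\<ValueName>=4,<data>" lines in the [Registry Values] section.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'   # assumed scratch path
    secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    Get-Content $inf | Select-String -Pattern 'Netlogon\\Parameters\\(RequireSignOrSeal|SealSecureChannel|SignSecureChannel|RequireStrongKey)='
    Remove-Item $inf -ErrorAction SilentlyContinue
}

'--- Current secure channel policies (registry) ---'
Get-SecureChannelPolicy | Format-Table -AutoSize

'--- Current secure channel policies (secedit export) ---'
Get-SecurityPolicyExport

# Enforce the 128-bit session key requirement. This is a local write; in a domain the
# authoritative setting comes from Group Policy and will overwrite this value at the
# next refresh, so use it for validation and put the real change in the GPO.
Set-ItemProperty -Path $netlogonParams -Name RequireStrongKey -Value 1 -Type DWord

# Tear down and rebuild the secure channel so the new requirement is exercised now.
# If a domain controller cannot negotiate a strong key, the reset fails here instead
# of surfacing later as logon and name lookup failures.
$domain = $env:USERDNSDOMAIN
nltest /sc_reset:$domain

if (Test-ComputerSecureChannel) {
    "Secure channel to $domain re-established with RequireStrongKey=1."
    nltest /sc_query:$domain   # shows which DC the channel is bound to and its status
} else {
    Write-Warning "Secure channel to $domain could not be established; a DC may not support a 128-bit session key. Reverting."
    Set-ItemProperty -Path $netlogonParams -Name RequireStrongKey -Value 0 -Type DWord
    nltest /sc_reset:$domain
}
```

Run the audit part first on a representative member of every site before enabling the requirement domain-wide: the failure mode is a member that cannot talk to its domain controller at all, and it only appears against the specific domain controller the channel happens to bind to.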


In order to take advantage of this policy on member workstations and servers, all domain controllers in the member's domain must be running Windows 2000 or later.

In order to take advantage of this policy on domain controllers, all domain controllers in the same domain, as well as in all trusted domains, must be running Windows 2000 or later.

Policy path: 

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options



Supported on: 

At least Windows XP SP2, Windows Server 2003

Registry settings: 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey (REG_DWORD: 1 = Enabled, 0 = Disabled)

Reboot required: 

