Why don't you have to press CTRL+ALT+DEL to logon anymore in Windows 8?

In previous versions of Windows, you had to press Ctrl + Alt + Delete to logon, or to unlock a locked workstation. This was because this key sequence was recognized only by the OS and thus other software couldn't intercept it and display a spoofed logon screen to capture passwords.

Starting with Windows 8, you now just have to press Enter to get to the logon screen.

What is to stop someone from writing a fake logon screen? Did Windows 8 add some sort of new security mechanism to mitigate this security issue?

Mike Christensen

Posted 2014-02-26T16:53:51.217

Reputation: 3 299

It was always handled by a domain policy. You can configure Windows XP through Windows 8.1 to require authentication or automatically log into a specific user if you want. – Ramhound – 2014-02-26T17:48:57.437

@Ramhound - I'm looking for this setting (In Windows 8.1) but cannot find it anywhere.. Are you sure? – Mike Christensen – 2014-02-26T18:10:13.783

Answers

I do not believe this was enforced by default in earlier windows versions either. There is a group policy setting you can use to enforce this.

Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options - Interactive Logon: Do not require CTRL+ALT+DELETE

disable that and you will be required to press ctrl+alt+delete.

same procedure for a domain gpo or standalone. I still turn this on in my home as a default security practice for the reasons you mentioned above.

driz

Posted 2014-02-26T16:53:51.217

Reputation: 241

@MikeChristensen whats up with that? You got it figured out? Please dont accept an answer because you found your own way of doing it, or add information in the comment that tells us something about what the solution was. – chwi – 2014-08-12T12:00:40.377

I do not believe this was enforced by default in earlier windows versions.... Correct for non-domain joined computers and all Home editions of Windows. The default configuration of domain-joined computers in prior versions was to require the CAD sequence. – I say Reinstate Monica – 2015-05-20T04:32:06.447

3Found it! You have to run netplwiz, then go to the Advanced tab and check the Enable Secure Logon checkbox. – Mike Christensen – 2014-02-26T18:18:23.350

is the end result between using netplwiz and the GPO different? Presumably they are the same; but I don't think you can enforce a setting in netplwiz across a domain. glad you found it! – driz – 2014-02-26T18:29:36.480

I couldn't find anything called Computer Configuration on my machine, so I didn't try your way. – Mike Christensen – 2014-02-26T18:59:35.790

ah, it's under the local group policy editor; gpedit.msc; for a domain, it is gpmc. I apologize for the lacking response! – driz – 2014-02-26T19:33:45.330

Ah no problem. I got it figured out anyway. – Mike Christensen – 2014-02-26T19:51:35.817

Twisty's comment is correct, the accepted answer is not.

You can test if you like. Create a fresh AD domain and two fresh installs of Windows, one Windows 8 or newer and one Windows 7 or older. Before domain join, neither OS will require CAD/SAK/SAS. After domain join, Windows 7 will require it and Windows 8 will not. It is not due to group policy, if you do happen to explicitly apply this setting via GPO as described in the accepted answer, then you will see that all Windows versions will require CAD/SAK/SAS.

MCSA in 2012 R2

escuelle

Posted 2014-02-26T16:53:51.217

Reputation: 39

You are right, however this is not really an answer to the question why this was changed. Do you happen to know? I am guessing it has something to do with more keyboardless tablets and more biometric methods via hello that they found it to be inconvenient but I have not found any source so far. – Syberdoor – 2018-04-13T09:15:21.640

Probably because it was regarded as a simply security feature that was more complex than it needed to be. https://www.cnn.com/2013/09/26/tech/innovation/bill-gates-control-alt-delete/index.html

– escuelle – 2018-05-10T12:54:30.367