Asking for clear written documentation that “Require trusted path for credential entry” is no longer recommended

A customer had turned on the Require trusted path for credential entry policy (under Computer Configuration, Administrative Templates, Windows Components, Credential User Interface). They demanded that Microsoft provide clear written documentation that the policy is no longer recommended.

This was an interesting demand, because that setting was never recommended in the first place.

Aaron Margosis, who knows a lot about recommended security settings, confirmed that that setting was never in any Microsoft-published security baseline. He recalls that it was part of a draft government baseline, but was quickly removed and never made it past the draft stage. Aaron even gave a talk titled Unintended Consequences of Security Lockdowns where he demonstrates how useless that policy is:

The demonstration begins at timecode 32:47, and he continues at 37:10 with a discussion of the secure attention sequence.

Being told that Microsoft never recommended the setting was not enough to placate the customer, who reiterated their demand that Microsoft formally publish a recommendation not to set that setting.

Faced with another case of a customer demanding that there be published documentation stating that a bad idea is a bad idea, Aaron suggested that the customer consider sticking with well-known and proven solutions.