CIS Benchmarks—Configuration Details
Use the Center for Internet Security (CIS) benchmark configuration to enforce secure and compliant configurations to protect your Windows Modern devices.
The default values of this configuration are in accordance with the CIS Benchmark configuration guidelines in the Center for Internet Security document CIS Microsoft Windows Desktop Benchmarks.
Experience
Configuration | Description |
---|---|
Disallow Autoplay for Non Volume Devices | Enable to prevent autoplay for MTP devices like cameras or phones. Note: Supports Windows 10 version 1703 and later. |
Set Default Auto Run Behavior | Configure the default auto run behavior. Select from one of the following options: Note: Supports Windows 10 version 1703 and later. |
Turn Off Autoplay | Enable to turn off the autoplay feature. Select from one of the following options: Note: Supports Windows 10 version 1703 and later. |
Block User from Showing Account Details on Sign in | Prevents the display of account details, such as email address and user name, on the sign-in screen. Note: Supports Windows 10 version 2004 and later. |
Don't Enumerate Connected Users | Prevents the enumeration of connected users on domain-joined computers. Note: Supports Windows 10 version 2004 and later. |
Don't Display Network Selection UI | Controls whether anyone can interact with the available networks UI on the logon screen. Note: Supports Windows 10 version 1703 and later. |
Enumerate Local Users on Domain Joined Computers | Allows the enumeration of local users on domain-joined computers. Note: Supports Windows 10 version 1803 and later. |
Disable Lock Screen App Notifications | Prevents app notifications from appearing on the lock screen. Note: Supports Windows 10 version 1703 and later. |
Allow PIN Logon | Controls whether a domain user can sign in using a PIN. Note: Supports Windows 10 version 1703 and later. |
Block Picture Password | Controls whether a domain user can sign in using a picture password. Note: Supports Windows 10 version 1703 and later. |
Solicited Remote Assistance | Enable to allow users to request help via email or file transfer and to use instant messaging programs for connections. Note: Supports Windows 10 version 1703 and later. |
Unsolicited Remote Assistance | Enable or disable Offer (Unsolicited) Remote Assistance. Note: Supports Windows 10 version 1703 and later. |
Block Password Saving | Controls whether passwords can be saved on the computer when using Remote Desktop Connections. Note: Supports Windows 10 version 1703 and later. |
Block Drive Redirection | Controls whether client drives can be mapped in a Remote Desktop Services session. Note: Supports Windows 10 version 1703 and later. |
Prompt for Password upon Connection | Enable to always prompt the client for a password when connecting to Remote Desktop Services. Note: Supports Windows 10 version 1703 and later. |
Secure RPC Communication | Specify whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. Note: Supports Windows 10 version 1703 and later. |
Client Connection Encryption Level | Enable to specify whether a specific encryption level is required to secure communications between the client and the RD Session Host server during RDP connections. Choose encryption level from: Restriction: This policy applies only when using RDP encryption and not to SSL encryption. Note: Supports Windows 10 version 1703 and later. |
Allow Users to Connect Remotely | Enable to configure remote access to computers using Remote Desktop Services. Note: Supports Windows 10 version 1703 and later. |
Retain a User's Per-session Temporary Folders at Log off | Enable to retain a user's per-session temporary folders at logoff. This maintains the user's session-specific temporary folders on a remote computer, even after the user logs off from a session. Note: Supports Windows 10 version 2004 and later. |
Client Basic Authentication | Enable to allow the Windows Remote Management (WinRM) client to use basic authentication. Note: Supports Windows 10 version 2004 and later. |
Client Unencrypted Traffic | Enable to allow the Windows Remote Management (WinRM) client to send and receive unencrypted messages over the network. Note: Supports Windows 10 version 1709 and later. |
Block Client Digest Authentication | Allows you to configure whether the Windows Remote Management (WinRM) client uses Digest authentication from a remote client. Note: Supports Windows 10 version 1709 and later. |
Service Basic Authentication | Enable to allow the Windows Remote Management (WinRM) service to accept basic authentication from a remote client. Note: Supports Windows 10 version 1709 and later. |
Block Storing RunAs Credentials | Enable to manage whether the Windows Remote Management (WinRM) service disallows storing RunAs credentials for any plug-ins. Note: Supports Windows 10 version 1709 and later. |
Restrict Unauthenticated RPC Clients | Enable to restrict unauthenticated RPC clients from connecting to RPC servers. You must restart the device for the configuration to apply. Select authentication from: Note: Supports Windows 10 version 1703 and later. |
RPC Endpoint Mapper Client Authentication | Enable to allow RPC clients to authenticate with the Endpoint Mapper Service when the call includes authentication information. You must restart the device for the configuration to apply. Note: Supports Windows 10 version 1703 and later. |
Let Apps Activate with Voice | Configure whether Windows apps can be activated by voice. Choose from: Note: Supports Windows 10 version 1903 and later. |
Disable Consumer Account State Content | Enable to disable cloud consumer account state content across all Windows experiences. Note: Supports Windows 11 version 21H2 and later. |
Disable User Authentication for Microsoft Account | Controls whether users can use Microsoft accounts for authentication in applications or services. Note: Supports Windows 10 version 2004 and later. |
Allow News and Interests | Enable to allow the widgets feature on the device. Note: Supports Windows 11 version 21H2 and later. |
Allow Windows Ink Workspace | Choose from the following options to configure Windows Ink Workspace access: Note: Supports Windows 10 version 1607 and later. |
Allow Microsoft Accounts to be Optional | Enable to make Microsoft accounts optional for Windows Store apps that require an account to sign in. This policy only affects apps that support this feature. Note: Supports Windows 10 version 1803 and later. |
Store offer to update to the Latest Version of Windows | Enable to control whether the store offers updates to the latest version of Windows. Note: Supports Windows 10 version 2004 and later. |
Allow Automatic Restart Sign On | Enable to allow the device to automatically sign in and lock the last interactive user after a system restart or a shutdown and cold boot. Note: Supports Windows 10 version 1903 and later. |
Enable MPR Notifications | Enable to allow Winlogon to send MPR notifications in the system. Note: Supports Windows 11 version 22H2 and later. |
Network
Configuration | Description |
---|---|
Hardened UNC Paths | Enable to configure secure access to UNC paths. Note: Supports Windows 10 version 1703 and later. |
Turn Off Multicast Name Resolution | Specifies that Link-local Multicast Name Resolution (LLMNR) is disabled on client computers. Note: Supports Windows 10 version 2004 and later. |
Remote Host Delegation of Non-exportable Credentials | Enable to allow remote host delegation of non-exportable credentials. Note: Supports Windows 10 version 1803 and later. |
Allow Encryption Oracle | Control the compatibility with vulnerable clients and servers to set the desired level of protection for the encryption oracle vulnerability. Choose from: Note: Supports Windows 10 version 2004 and later. |
Disable Web PnP Download | Enable to allow clients to download print driver packages over HTTP. Note: Supports Windows 10 version 2004 and later. |
Shell Prevent WPW Download | Enable to allow Windows to download a list of providers for the web publishing and online ordering wizards. Note: Supports Windows 10 version 2004 and later. |
IPv6 Source Routing Protection Level | Allows configuration of the IPv6 source routing protection level. Choose from: Note: Supports Windows 10 version 1803 and later. |
IP Source Routing Protection Level | Allows configuration of the IP source routing protection level. Choose from: Note: Supports Windows 10 version 1803 and later. |
Ignore NetBIOS Name Release Requests Except from WINS Servers | Enable to allow the computer to ignore NetBIOS name release requests except from WINS servers. Note: Supports Windows 10 version 1803 and later. |
ICMP Redirects Override OSPF Generated Routes | Enable to allow ICMP redirects to override OSPF generated routes. Note: Supports Windows 10 version 1803 and later. |
Require Domain Users to Elevate when Setting a Network's Location | Determine if domain users need to elevate permissions when setting a network's location. Note: Supports Windows 10 version 2004 and later. |
Show Shared Access UI | Configure the Internet Connection Sharing (ICS) feature of an internet connection and determine if the ICS service can run on the computer. Note: Supports Windows 10 version 2004 and later. |
Disable Home Group | Determine if users can add computers to a homegroup. By default, users can add their computers to a homegroup on a private network. You must restart the device for the configuration to apply. Note: Supports Windows 10 version 2004 and later. |
Block Connection with Non-domain Networks | Use the toggle to prevent computers from connecting to both a domain-based network and a non-domain-based network simultaneously. Note: Supports Windows 10 version 1803 and later. |
Minimize Connections | Use the toggle to determine if a computer can have more than one connection to the internet or a Windows domain. If multiple connections are allowed, it will then determine how network traffic is routed. Choose from: Note: Supports Windows 10 version 2004 and later. |
Allow Clipboard Redirection | Enable the toggle to allow clipboard sharing with the sandbox. You must restart the device for the configuration to apply. Note: Supports Windows 11 version 21H2 and later. |
Allow Networking | Enable the toggle to allow networking in the sandbox. You must restart the device for the configuration to apply. Note: Supports Windows 11 version 21H2 and later. |
Security
Configuration | Description |
---|---|
Prevent Device Metadata from Network | Enable to prevent Windows devices from retrieving device metadata from the internet. Note: Supports Windows 10 version 1809 and later. |
Disable Enclosure Downloading | Enable to prevent users from downloading enclosures (file attachments) from a feed to the computer. Note: Supports Windows 10 version 1703 and later. |
Prevent Enabling Lock Screen Slide Show | Disables the lock screen slide show settings to prevent the slide show from playing on the lock screen. Note: Supports Windows 10 version 1703 and later. |
Prevent Enabling Lock Screen Camera | Prevents the lock screen camera from being activated. Note: Supports Windows 10 version 1803 and later. |
Allow Input Personalization | Enable online speech recognition services. Note: Supports Windows 10 version 1507 and later. |
Require Pin for Pairing | Specify the PIN requirement for pairing. Choose from: Note: Supports Windows 10 version 1607 and later. |
Enable Virtualization Based Security | Enables virtualization based security. Note: Supports Windows 10 Enterprise, build 16299 and later and Windows 11 Enterprise/Pro only. |
Disallow Exploit Protection Override | Prevents users from changing the exploit protection settings in Windows Security. Note: Supports Windows 10 version 1709 and later. |
Block Microsoft Accounts | Prevents users from adding new Microsoft accounts on the computer. The available options are: Note: Supports Windows 10 version 1709 and later. |
Enable Administrator Account Status | Enable or disable the local Administrator account on the device. Note: Supports Windows 10 version 1709 and later. |
Enable Guest Account Status | Enable or disable guest accounts on the device. Note: Supports Windows 10 version 1709 and later. |
Block Remote Logon with Blank Password | Enable to prevent accounts without password protection from logging on from locations other than the physical computer console. Note: Supports Windows 10 version 1709 and later. |
Rename Administrator Account | Enable to allow renaming the Administrator account. Note: Supports Windows 10 version 1709 and later. Restriction: Account names are limited to 20 characters and cannot include periods or commas. |
Rename Guest Account | Enable to allow renaming the guest account. Note: Supports Windows 10 version 1709 and later. Restriction: Account names are limited to 20 characters and cannot include periods or commas. |
Allowed to Format and Eject Removable Media | Specify who can format and eject removable NTFS media. The available options are: Note: Supports Windows 10 version 1709 and later. |
Do Not Display Last Signed In | Hide the username of the last signed-in user on the Windows sign-in screen. Note: Supports Windows 10 version 1709 and later. |
Do Not Require CTRL ALT DEL | Determines if users must press CTRL + ALT + DEL before logging on. Note: Supports Windows 10 version 1709 and later. |
Minutes of Lock Screen Inactivity Until Screen Saver Activates | Specify the inactivity time (in seconds) for the screen saver to activate and lock the session. Note: Supports Windows 10 version 1709 and later. |
Message Text for Users Attempting to Log On | Enable to enter a text message that displays to users during logon. Note: Supports Windows 10 version 1709 and later. |
Message Title for Users Attempting to Log On | Enable to enter the title for a text message that displays to users during logon. Note: Supports Windows 10 version 1709 and later. |
Smart Card Removal Behavior | Specify the behavior when the smart card is removed for a logged-on user. The available options are: Note: Supports Windows 10 version 1803 and later. |
Require Client to Always Digitally Sign Communications | Enable to require packet signing by the SMB client component. Note: Supports Windows 10 version 1809 and later. |
Require Client to Digitally Sign Communications if Server Agrees | Enable to require SMB client attempts to negotiate SMB packet signing. Note: Supports Windows 10 version 1803 and later. |
Prevent Clients from Sending Unencrypted Passwords to Third-Party SMB Providers | Enable to allow the SMB redirector to send plain text passwords to Non-Microsoft SMB servers that do not support encryption during authentication. Note: Supports Windows 10 version 1803 and later. |
Require Server Digitally Signing Communication Always | Enable to require packet signing by the SMB server component. Note: Supports Windows 10 version 1803 and later. |
Digitally Sign Communications if Client Agrees | Determines whether the SMB server negotiates SMB packet signing with clients that request it. Note: Supports Windows 10 version 1803 and later. |
Prevent Anonymous Enumeration of SAM Accounts and Shares | Enable to prevent anonymous enumeration of SAM accounts and shares. Note: Supports Windows 10 version 1803 and later. |
Restrict Anonymous Access to Named Pipes and Shares | Enable to prevent anonymous access to named pipes and network shares. Note: Supports Windows 10 version 1803 and later. |
Restrict Clients Allowed to Make Remote Calls to SAM | Enable to restrict remote connections to SAM. Enter a security descriptor to configure the setting. Note: Supports Windows 10 version 1709 and later. |
Allow Local System to Use Computer Identity for NTLM | This configuration allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. Note: Supports Windows 10 version 1809 and later. |
Allow PKU2U Authentication Requests | Enables PKU2U authentication requests for the computer to use online identities. Note: Supports Windows 10 version 1709 and later. |
LAN Manager Authentication Level | Configure which challenge-response authentication protocol to use for network logon. Choose from: Note: Supports Windows 10 version 1803 and later. |
Minimum Session Security for NTLM SSP Based Clients | Configure the minimum session security for NTLM SSP based clients. Choose from: Note: Supports Windows 10 version 1803 and later. |
Add Remote Server Exceptions for NTLM Authentication | Enable to create an exception list of remote servers to which clients are allowed to use NTLM authentication. Note: Supports Windows 10 version 1803 and later. |
Standard User Elevation Prompt Behavior | Configure the behavior of the elevation prompt for standard users. Choose from: Note: Supports Windows 10 version 1709 and later. |
Administrator Elevation Prompt Behavior | Configure the behavior of the elevation prompt for Administrators. Choose from: Note: Supports Windows 10 version 1709 and later. |
Detect Application Installations and Prompt for Elevation | Enable to prompt users to enter an administrative username and password when application installation requires elevated privileges. Note: Supports Windows 10 version 1709 and later. |
Only Allow UI Access Applications for Secure Locations | Enable to allow applications UI access only in a secure location in the file system. Note: Supports Windows 10 version 1709 and later. |
Require Admin Approval Mode for Administrators | Controls the behavior of all User Account Control (UAC) policy settings for the computer. Note: Supports Windows 10 version 1709 and later. |
Switch to the Secure Desktop when Prompting for Elevation | Enable to switch to a secure desktop when prompted for elevation. Note: Supports Windows 10 version 1709 and later. |
Virtualize File and Registry Write Failures to per User Locations | Enable to redirect application write failures at run time to defined user locations for file system and registry. Note: Supports Windows 10 version 1709 and later. |
Settings
Configuration | Description |
---|---|
Audit Credential Validation | Allow auditing of events generated by validation tests on user account logon credentials. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit Security Group Management | Allow auditing of events generated by changes to security groups. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit Application Group Management | Allow auditing of events generated by changes to application groups. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit User Account Management | Allow auditing of events generated by changes to user accounts. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit PNP Activity | Allow auditing when Plug and Play detects an external device. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit Process Creation | Allow auditing of events generated when a process is created or started. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit Account Lockout | Allow auditing of events generated by a failed attempt to log on to a locked-out account. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit Group Membership | Allow auditing of the group membership information in the user's logon token. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit Logoff/Audit Logon | Audit events generated by logon/logoff sessions. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit Other Logon/Logoff Events | Audit other logon/logoff related events. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit Special Logon | Audit special logon events such as use of special logon or logon by a member of special group. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit Detailed File Share | Audit detailed information about the permissions used to grant or deny access to files and folders on a shared folder. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit Other Object Access Events | Audit events generated by the management of task scheduler jobs or COM+ objects. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit Removable Storage | Audit user attempts to access files on a removable storage device. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit Policy Change | Audit changes in the security audit policy settings. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit Authentication Policy Change | Audit events generated by changes to the authentication policy. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit MPSSVC Rule Level Policy Change | Audit events generated by changes in the policy rules used by Microsoft Protection Service (MPSSVC) used by Windows Firewall. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit Other Policy Change Events | Audit events generated by other security policy changes such as Trusted Platform Module (TPM) configuration changes. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit Sensitive Privilege Use | Audit events generated when sensitive privileges are used. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit IPSec Driver | Audit events generated by IPSec filter driver such as start-up and shutdown of IPSec services. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit Other System Events | Audit other system events such as start-up and shutdown of Windows. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit Security State Change | Audit events generated by changes in the security state of the computer. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit Security System Extension | Audit events related to security system extension services. The available options are: Note: Supports Windows 10 version 1803 and later. |
Audit System Integrity | Audit events that violate the integrity of the security of the system. The available options are: Note: Supports Windows 10 version 1803 and later. |
Disable One Settings Downloads | Enable to prevent Windows from connecting to the OneSettings service. Note: Supports Windows 11 version 21H2 and later. |
Enable One Settings Auditing | Enable to audit Windows attempts to connect to the OneSettings service. Note: Supports Windows 11 version 21H2 and later. |
Enable App Installer | Enable to allow standard users to access Windows Package Manager. Note: Supports Windows 11 version 21H2 and later. |
Enable Experimental Features | Enable to allow users to access experimental features in the Windows Package Manager. Note: Supports Windows 11 version 21H2 and later. |
Enable Hash Override | Enable to allow users to override the SHA256 security validation in Windows Package Manager. Note: Supports Windows 11 version 21H2 and later. |
Enable MS App Installer Protocol | Enable to allow users to install packages from a website using ms-appinstaller protocol. Note: Supports Windows 11 version 21H2 and later. |
Control Event Log Behavior | Controls the event log behavior when the log file reaches the maximum size. Note: Supports Windows 10 version 1703 and later. |
Maximum Application Log File Size | Specify the maximum application log file size from 1024 KB to 2147483647 KB. Note: Supports Windows 10 version 1703 and later. |
Maximum Security Log File Size | Specify the maximum security log file size from 20480 KB to 2147483647 KB. Note: Supports Windows 10 version 1703 and later. |
Maximum System Log File Size | Specify the maximum system log file size from 1024 KB to 2147483647 KB. Note: Supports Windows 10 version 1703 and later. |
Turn Off Data Execution Prevention for Explorer | Disables data execution prevention to allow some legacy plug-in applications to function without terminating Explorer. Note: Supports Windows 10 version 1803 and later. |
Turn Off Heap Termination On Corruption | Disables heap termination on corruption to allow some legacy plug-in applications to function without terminating Explorer. Note: Supports Windows 10 version 1703 and later. |
Register Spooler Remote RPC End Point | Enable to allow print spooler to accept client connections. Note: Supports Windows 10 version 2004 and later. |
Configure Redirection Guard Policy | Enable to configure Redirection Guard policy for the print spooler. Note: Supports Windows 11 version 22H2 and later. |
Configure RPC Connection Policy | Enable to allow protocol settings to use outgoing RPC connections to a remote print spooler. Note: Supports Windows 11 version 22H2 and later. |
Configure RPC Listener Policy | Enable to configure protocols of incoming RPC connections to the print spooler. Note: Supports Windows 11 version 22H2 and later. |
Configure RPC TCP Port | Enable to configure the port used for RPC over TCP for incoming connections to the print spooler. Note: Supports Windows 11 version 22H2 and later. |
Point and Print Restrictions | Enable to configure the client Point and Print behavior. Note: Supports Windows 10 version 1703 and later. |
Disable User Installs | Enable to allow users to configure user installs. Choose from the following options: Note: Supports Windows 10 version 2004 and later. |
Allow Lockdown Browse | Enable to allow users to search for installation files during installations. Note: Supports Windows 10 version 2004 and later. |
System
Configuration | Description |
---|---|
Disable Password Reveal | Configure the display of the password reveal button. Note: Supports Windows 10 version 1703 and later. |
Enumerate Administrators | Enable to display administrator accounts when a user attempts to elevate a running application. Note: Supports Windows 10 version 1703 and later. |
No Local Password Reset Questions | Enable to prevent local users from setting up and using security questions to reset their passwords. Note: Supports Windows 10 version 2004 and later. |
CSE Registry | Enable to specify the timing for updating registry policies. The available options include: Note: Supports Windows 10 version 2004 and later. |
Enable CDP | Enable to allow Windows devices to participate in cross-device experiences. Note: Supports Windows 10 version 2004 and later. |
Disable Background Policy | Enable to prevent Group Policy from being updated when the computer is in use. You must restart the device for the configuration to apply. Note: Supports Windows 10 version 2004 and later. |
Auto Admin Logon | Enable to allow automatic Administrator logon. Note: Supports Windows 10 version 2004 and later. |
Safe DLL Search | Enable to allow safe DLL search mode. Note: Supports Windows 10 version 2004 and later. |
Screen Saver Grace Period | Enter the time (in seconds) before the screen saver period expires. Note: Supports Windows 10 version 2004 and later. |
Warning Level | Select the threshold for the security event log at which the system generates a warning. The available options are: Note: Supports Windows 10 version 2004 and later. |
Require Password when Computer Wakes on Battery | Enable to prompt the user for a password when the system resumes from sleep while on battery. Note: Supports Windows 10 version 1703 and later. |
Require Password when Computer Wakes Plugged In | Enable to prompt the user for a password when the system resumes from sleep while plugged in. Note: Supports Windows 10 version 1703 and later. |
AC Connectivity in Standby | Enable to allow network connectivity during connected-standby (plugged in). Note: Supports Windows 10 version 2004 and later. |
DC Connectivity in Standby | Enable to allow applications to prevent automatic sleep (on battery). Note: Supports Windows 10 version 2004 and later. |
Configure Xbox Accessory Management Service Startup Mode | Configure the Xbox Accessory Management service startup mode. The available options are: Note: Supports Windows 10 version 1803 and later. |
Configure Xbox Live Auth Manager Service Startup Mode | Configure the Xbox Live Auth Manager service startup mode. The available options are: Note: Supports Windows 10 version 1803 and later. |
Configure Xbox Live Game Save Service Startup Mode | Configure the Xbox Live Game Save service startup mode. The available options are: Note: Supports Windows 10 version 1803 and later. |
Configure Xbox Live Networking Service Startup Mode | Configure the Xbox Live Networking service startup mode. The available options are: Note: Supports Windows 10 version 1803 and later. |
Access Credential Manager as Trusted Caller | Enable to add user accounts or groups that should have access to Credential Manager as trusted callers during backup or restore operations. Note: Supports Windows 10 version 1803 and later. |
Access from Network | Enable to add user accounts or groups that are allowed to connect to the computer over the network. Remote Desktop services are not affected by this user right. Note: Supports Windows 10 version 1803 and later. |
Act as Part of the Operating System | Enable to add user accounts or groups that can impersonate any user without authentication. Note: Supports Windows 10 version 1803 and later. |
Allow Local Log On | Enable to add user accounts or groups that can log on to the computer. Note: Supports Windows 10 version 1803 and later. |
Backup Files and Directories | Enable to add user accounts or groups that can back up files and directories. Note: Supports Windows 10 version 1803 and later. |
Change System Time | Enable to add user accounts or groups that can change the time and date on the internal clock of the computer. Note: Supports Windows 10 version 1803 and later. |
Create Global Objects | Enable to allow user accounts or groups to create global objects accessible to all sessions. Note: Supports Windows 10 version 1803 and later. |
Create Page File | Enable to allow user accounts or groups to create and change the page file size. Note: Supports Windows 10 version 1803 and later. |
Create Permanent Shared Objects | Enable to allow user accounts or groups to create a shared directory object using the manager. Note: Supports Windows 10 version 1803 and later. |
Create Symbolic Links | Enable to allow user accounts or groups to create a symbolic link from the computer the user is logged on to. Note: Supports Windows 10 version 1803 and later. |
Create Token | Enable to allow user accounts or groups to create a token used to get access to local resources when the process uses an internal API. Note: Supports Windows 10 version 1803 and later. |
Deny Access from Network | Enable to prevent users from accessing a computer over the network. Note: Supports Windows 10 version 1803 and later. |
Deny Remote Desktop Services Log On | Enable to prevent user accounts or groups from logging on as a Remote Desktop Services client. Note: Supports Windows 10 version 1803 and later. |
Enable Delegation | Enable to allow users to set the Trusted for Delegation setting on the computer. Note: Supports Windows 10 version 1803 and later. |
Generate Security Audits | Enable to allow users to generate security audit logs. Note: Supports Windows 10 version 1803 and later. |
Impersonate Client | Enable to allow users permission to impersonate a client. Note: Supports Windows 10 version 1803 and later. |
Increase Scheduling Priority | Enable to allow users with Write Property access to increase the execution priority of the process. Note: Supports Windows 10 version 1803 and later. |
Load Unload Device Drivers | Enable to allow users to dynamically load and unload device drivers or other code in kernel mode. Note: This does not apply to Plug and Play device drivers. Note: Supports Windows 10 version 1803 and later. |
Lock Memory | Enable to determine which user accounts can use a process to keep data in physical memory, preventing the system from paging the data to virtual memory on disk. Note: Supports Windows 10 version 1803 and later. |
Manage Auditing and Security Log | Enable to determine which users can specify object access auditing options for individual resources. You can view the audited events in the security log of the Event Viewer. Note: Supports Windows 10 version 1803 and later. |
Modify Firmware Environment | Enable to determine who can modify the firmware environment values. Note: Supports Windows 10 version 1803 and later. |
Manage Volume | Enable to allow users and groups to run maintenance tasks on a volume. Note: Supports Windows 10 version 1803 and later. |
Modify Object Label | Enable to allow user accounts to modify the integrity label of objects such as files, registry keys or processes owned by other users. Note: Supports Windows 10 version 1803 and later. |
Profile Single Process | Enable to allow users to use performance monitoring tools to monitor the performance of system processes. Note: Supports Windows 10 version 1803 and later. |
Restore Files and Directories | Enable to allow users to bypass file, directory, registry and other objects permissions when restoring backed up files and directories. Note: Supports Windows 10 version 1803 and later. |
Take Ownership | Enable to allow users to take ownership of securable objects in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Note: Supports Windows 10 version 1803 and later. |
Enable Transcripting | Enable to allow capturing the input and output of Windows PowerShell commands into text-based transcripts. Note: Supports Windows 10 version 2004 and later. |
Turn On Power Shell Script Block Logging | Enable to allow logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. Note: Supports Windows 10 version 1803 and later. |