# Intune Endpoint Hardening

- [2. Local Policies](/intune-endpoint-hardening/2.-local-policies.md): 2. Local Policies
- [2.2 User Rights Assignment](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment.md): 2.2 User Rights Assignment
- [2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller'  is set to 'No One' (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.1-l1-ensure-access-credential-manager-as-a-trusted-caller-is-set-to-no-one-automated.md): 2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller'  is set to 'No One' (Automated)
- [2.2.2 (L1) Ensure 'Access this computer from the network' is set  to 'Administrators, Remote Desktop](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.2-l1-ensure-access-this-computer-from-the-network-is-set-to-administrators-remote-desktop.md): 2.2.2 (L1) Ensure 'Access this computer from the network' is set  to 'Administrators, Remote Desktop Users' (Automated)
- [2.2.3 (L1) Ensure 'Act as part of the operating system' is set to  'No One' (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.3-l1-ensure-act-as-part-of-the-operating-system-is-set-to-no-one-automated.md): 2.2.3 (L1) Ensure 'Act as part of the operating system' is set to  'No One' (Automated)
- [\*2.2.4 (L1) Ensure 'Adjust memory quotas for a process' is set to  'Administrators, LOCAL SERVICE, N](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.4-l1-ensure-adjust-memory-quotas-for-a-process-is-set-to-administrators-local-service-n.md): 2.2.4 (L1) Ensure 'Adjust memory quotas for a process' is set to  'Administrators, LOCAL SERVICE, NETWORK SERVICE'  (Automated)
- [2.2.5 (L1) Ensure 'Allow log on locally' is set to 'Administrators,  Users' (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.5-l1-ensure-allow-log-on-locally-is-set-to-administrators-users-automated.md): 2.2.5 (L1) Ensure 'Allow log on locally' is set to 'Administrators,  Users' (Automated)
- [\*2.2.6 (L1) Ensure 'Allow log on through Remote Desktop  Services' is set to 'Administrators, Remote](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.6-l1-ensure-allow-log-on-through-remote-desktop-services-is-set-to-administrators-remote.md): 2.2.6 (L1) Ensure 'Allow log on through Remote Desktop  Services' is set to 'Administrators, Remote Desktop Users'  (Automated)
- [2.2.7 (L1) Ensure 'Back up files and directories' is set to  'Administrators' (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.7-l1-ensure-back-up-files-and-directories-is-set-to-administrators-automated.md): 2.2.7 (L1) Ensure 'Back up files and directories' is set to  'Administrators' (Automated)
- [2.2.8 (L1) Ensure 'Change the system time' is set to  'Administrators, LOCAL SERVICE' (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.8-l1-ensure-change-the-system-time-is-set-to-administrators-local-service-automated.md): 2.2.8 (L1) Ensure 'Change the system time' is set to  'Administrators, LOCAL SERVICE' (Automated)
- [2.2.9 (L1) Ensure 'Change the time zone' is set to 'Administrators,  LOCAL SERVICE, Users' (Automate](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.9-l1-ensure-change-the-time-zone-is-set-to-administrators-local-service-users-automate.md): 2.2.9 (L1) Ensure 'Change the time zone' is set to 'Administrators,  LOCAL SERVICE, Users' (Automated)
- [2.2.10 (L1) Ensure 'Create a pagefile' is set to 'Administrators'  (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.10-l1-ensure-create-a-pagefile-is-set-to-administrators-automated.md): 2.2.10 (L1) Ensure 'Create a pagefile' is set to 'Administrators'  (Automated)
- [2.2.11 (L1) Ensure 'Create a token object' is set to 'No One'  (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.11-l1-ensure-create-a-token-object-is-set-to-no-one-automated.md): 2.2.11 (L1) Ensure 'Create a token object' is set to 'No One'  (Automated)
- [2.2.12 (L1) Ensure 'Create global objects' is set to 'Administrators,  LOCAL SERVICE, NETWORK SERVIC](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.12-l1-ensure-create-global-objects-is-set-to-administrators-local-service-network-servic.md): 2.2.12 (L1) Ensure 'Create global objects' is set to 'Administrators,  LOCAL SERVICE, NETWORK SERVICE, SERVICE' (Automated)
- [2.2.13 (L1) Ensure 'Create permanent shared objects' is set to  'No One' (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.13-l1-ensure-create-permanent-shared-objects-is-set-to-no-one-automated.md): 2.2.13 (L1) Ensure 'Create permanent shared objects' is set to  'No One' (Automated)
- [\*2.2.14 (L1) Configure 'Create symbolic links' (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.14-l1-configure-create-symbolic-links-automated.md): 2.2.14 (L1) Configure 'Create symbolic links' (Automated)
- [2.2.15 (L1) Ensure 'Debug programs' is set to 'Administrators'  (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.15-l1-ensure-debug-programs-is-set-to-administrators-automated.md): 2.2.15 (L1) Ensure 'Debug programs' is set to 'Administrators'  (Automated)
- [2.2.16 (L1) Ensure 'Deny access to this computer from the  network' to include 'Guests, Local accoun](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.16-l1-ensure-deny-access-to-this-computer-from-the-network-to-include-guests-local-accoun.md): 2.2.16 (L1) Ensure 'Deny access to this computer from the  network' to include 'Guests, Local account' (Automated)
- [2.2.17 (L1) Ensure 'Deny log on as a batch job' to include 'Guests'  (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.17-l1-ensure-deny-log-on-as-a-batch-job-to-include-guests-automated.md): 2.2.17 (L1) Ensure 'Deny log on as a batch job' to include 'Guests'  (Automated)
- [\*2.2.18 (L1) Ensure 'Deny log on as a service' to include 'Guests'  (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.18-l1-ensure-deny-log-on-as-a-service-to-include-guests-automated.md): 2.2.18 (L1) Ensure 'Deny log on as a service' to include 'Guests'  (Automated)
- [2.2.19 (L1) Ensure 'Deny log on locally' to include 'Guests'  (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.19-l1-ensure-deny-log-on-locally-to-include-guests-automated.md): 2.2.19 (L1) Ensure 'Deny log on locally' to include 'Guests'  (Automated)
- [2.2.20 (L1) Ensure 'Deny log on through Remote Desktop  Services' to include 'Guests, Local account'](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.20-l1-ensure-deny-log-on-through-remote-desktop-services-to-include-guests-local-account.md): 2.2.20 (L1) Ensure 'Deny log on through Remote Desktop  Services' to include 'Guests, Local account' (Automated)
- [2.2.21 (L1) Ensure 'Enable computer and user accounts to be  trusted for delegation' is set to 'No O](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.21-l1-ensure-enable-computer-and-user-accounts-to-be-trusted-for-delegation-is-set-to-no-o.md): 2.2.21 (L1) Ensure 'Enable computer and user accounts to be  trusted for delegation' is set to 'No One' (Automated)
- [2.2.22 (L1) Ensure 'Force shutdown from a remote system' is set  to 'Administrators' (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.22-l1-ensure-force-shutdown-from-a-remote-system-is-set-to-administrators-automated.md): 2.2.22 (L1) Ensure 'Force shutdown from a remote system' is set  to 'Administrators' (Automated)
- [2.2.23 (L1) Ensure 'Generate security audits' is set to 'LOCAL  SERVICE, NETWORK SERVICE' (Automated](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.23-l1-ensure-generate-security-audits-is-set-to-local-service-network-service-automated.md): 2.2.23 (L1) Ensure 'Generate security audits' is set to 'LOCAL  SERVICE, NETWORK SERVICE' (Automated)
- [2.2.24 (L1) Ensure 'Impersonate a client after authentication' is  set to 'Administrators, LOCAL SER](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.24-l1-ensure-impersonate-a-client-after-authentication-is-set-to-administrators-local-ser.md): 2.2.24 (L1) Ensure 'Impersonate a client after authentication' is  set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE,  SERVICE' (Automated)
- [2.2.25 (L1) Ensure 'Increase scheduling priority' is set to  'Administrators, Window Manager\Window](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.25-l1-ensure-increase-scheduling-priority-is-set-to-administrators-window-manager-window.md): 2.2.25 (L1) Ensure 'Increase scheduling priority' is set to  'Administrators, Window Manager\Window Manager Group'  (Automated)
- [2.2.26 (L1) Ensure 'Load and unload device drivers' is set to  'Administrators' (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.26-l1-ensure-load-and-unload-device-drivers-is-set-to-administrators-automated.md): 2.2.26 (L1) Ensure 'Load and unload device drivers' is set to  'Administrators' (Automated)
- [2.2.27 (L1) Ensure 'Lock pages in memory' is set to 'No One'  (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.27-l1-ensure-lock-pages-in-memory-is-set-to-no-one-automated.md): 2.2.27 (L1) Ensure 'Lock pages in memory' is set to 'No One'  (Automated)
- [2.2.28 (L2) Ensure 'Log on as a batch job' is set to  'Administrators' (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.28-l2-ensure-log-on-as-a-batch-job-is-set-to-administrators-automated.md): 2.2.28 (L2) Ensure 'Log on as a batch job' is set to  'Administrators' (Automated)
- [\*2.2.29 (L2) Configure 'Log on as a service' (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.29-l2-configure-log-on-as-a-service-automated.md): 2.2.29 (L2) Configure 'Log on as a service' (Automated)
- [2.2.30 (L1) Ensure 'Manage auditing and security log' is set to  'Administrators' (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.30-l1-ensure-manage-auditing-and-security-log-is-set-to-administrators-automated.md): 2.2.30 (L1) Ensure 'Manage auditing and security log' is set to  'Administrators' (Automated)
- [2.2.31 (L1) Ensure 'Modify an object label' is set to 'No One'  (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.31-l1-ensure-modify-an-object-label-is-set-to-no-one-automated.md): 2.2.31 (L1) Ensure 'Modify an object label' is set to 'No One'  (Automated)
- [2.2.32 (L1) Ensure 'Modify firmware environment values' is set to  'Administrators' (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.32-l1-ensure-modify-firmware-environment-values-is-set-to-administrators-automated.md): 2.2.32 (L1) Ensure 'Modify firmware environment values' is set to  'Administrators' (Automated)
- [2.2.33 (L1) Ensure 'Perform volume maintenance tasks' is set to  'Administrators' (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.33-l1-ensure-perform-volume-maintenance-tasks-is-set-to-administrators-automated.md): 2.2.33 (L1) Ensure 'Perform volume maintenance tasks' is set to  'Administrators' (Automated)
- [2.2.34 (L1) Ensure 'Profile single process' is set to 'Administrators'  (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.34-l1-ensure-profile-single-process-is-set-to-administrators-automated.md): 2.2.34 (L1) Ensure 'Profile single process' is set to 'Administrators'  (Automated)
- [2.2.35 (L1) Ensure 'Profile system performance' is set to  'Administrators, NT SERVICE\WdiServiceHos](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.35-l1-ensure-profile-system-performance-is-set-to-administrators-nt-service-wdiservicehos.md): 2.2.35 (L1) Ensure 'Profile system performance' is set to  'Administrators, NT SERVICE\WdiServiceHost' (Automated)
- [2.2.36 (L1) Ensure 'Replace a process level token' is set to  'LOCAL SERVICE, NETWORK SERVICE' (Auto](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.36-l1-ensure-replace-a-process-level-token-is-set-to-local-service-network-service-auto.md): 2.2.36 (L1) Ensure 'Replace a process level token' is set to  'LOCAL SERVICE, NETWORK SERVICE' (Automated)
- [2.2.37 (L1) Ensure 'Restore files and directories' is set to  'Administrators' (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.37-l1-ensure-restore-files-and-directories-is-set-to-administrators-automated.md): 2.2.37 (L1) Ensure 'Restore files and directories' is set to  'Administrators' (Automated)
- [2.2.38 (L1) Ensure 'Shut down the system' is set to  'Administrators, Users' (Automated)](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.38-l1-ensure-shut-down-the-system-is-set-to-administrators-users-automated.md): 2.2.38 (L1) Ensure 'Shut down the system' is set to  'Administrators, Users' (Automated)
- [2.2.39 (L1) Ensure 'Take ownership of files or other objects' is set  to 'Administrators' (Automated](/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.39-l1-ensure-take-ownership-of-files-or-other-objects-is-set-to-administrators-automated.md): 2.2.39 (L1) Ensure 'Take ownership of files or other objects' is set  to 'Administrators' (Automated)
- [2.3 Security Options](/intune-endpoint-hardening/2.-local-policies/2.3-security-options.md): 2.3 Security Options
- [2.3.1 Accounts](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.1-accounts.md): 2.3.1 Accounts
- [2.3.1.1 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to  'Users can't add or log on with](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.1-accounts/2.3.1.1-l1-ensure-accounts-block-microsoft-accounts-is-set-to-users-cant-add-or-log-on-with.md): 2.3.1.1 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to  'Users can't add or log on with Microsoft accounts' (Automated)
- [2.3.1.2 (L1) Ensure 'Accounts: Guest account status' is set to  'Disabled' (Automated)](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.1-accounts/2.3.1.2-l1-ensure-accounts-guest-account-status-is-set-to-disabled-automated.md): 2.3.1.2 (L1) Ensure 'Accounts: Guest account status' is set to  'Disabled' (Automated)
- [2.3.1.3 (L1) Ensure 'Accounts: Limit local account use of blank  passwords to console logon only' is](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.1-accounts/2.3.1.3-l1-ensure-accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only-is.md): 2.3.1.3 (L1) Ensure 'Accounts: Limit local account use of blank  passwords to console logon only' is set to 'Enabled' (Automated)
- [2.3.1.4 (L1) Configure 'Accounts: Rename administrator account'  (Automated)](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.1-accounts/2.3.1.4-l1-configure-accounts-rename-administrator-account-automated.md): 2.3.1.4 (L1) Configure 'Accounts: Rename administrator account'  (Automated)
- [2.3.1.5 (L1) Configure 'Accounts: Rename guest account'  (Automated)](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.1-accounts/2.3.1.5-l1-configure-accounts-rename-guest-account-automated.md): 2.3.1.5 (L1) Configure 'Accounts: Rename guest account'  (Automated)
- [2.3.2 Audit](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.2-audit.md): 2.3.2 Audit
- [\*2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings  (Windows Vista or later) to ov](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.2-audit/2.3.2.1-l1-ensure-audit-force-audit-policy-subcategory-settings-windows-vista-or-later-to-ov.md): 2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings  (Windows Vista or later) to override audit policy category settings'  is set to 'Enabled' (Automated)
- [\*2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if  unable to log security audits' is set](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.2-audit/2.3.2.2-l1-ensure-audit-shut-down-system-immediately-if-unable-to-log-security-audits-is-set.md): 2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if  unable to log security audits' is set to 'Disabled' (Automated)
- [2.3.3 DCOM](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.3-dcom.md): 2.3.3 DCOM
- [2.3.4 Devices](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.4-devices.md): 2.3.4 Devices
- [2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject  removable media' is set to 'Administrator](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.4-devices/2.3.4.1-l1-ensure-devices-allowed-to-format-and-eject-removable-media-is-set-to-administrator.md): 2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject  removable media' is set to 'Administrators and Interactive Users'  (Automated)
- [2.3.4.2 (L2) Ensure 'Devices: Prevent users from installing printer  drivers' is set to 'Enabled' (A](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.4-devices/2.3.4.2-l2-ensure-devices-prevent-users-from-installing-printer-drivers-is-set-to-enabled-a.md): 2.3.4.2 (L2) Ensure 'Devices: Prevent users from installing printer  drivers' is set to 'Enabled' (Automated)
- [2.3.5 Domain controller](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.5-domain-controller.md): 2.3.5 Domain controller
- [2.3.6 Domain member](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.6-domain-member.md): 2.3.6 Domain member
- [\*2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign  secure channel data (always)' is set](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.6-domain-member/2.3.6.1-l1-ensure-domain-member-digitally-encrypt-or-sign-secure-channel-data-always-is-set.md): 2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign  secure channel data (always)' is set to 'Enabled' (Automated)
- [\*2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure  channel data (when possible)' is set](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.6-domain-member/2.3.6.2-l1-ensure-domain-member-digitally-encrypt-secure-channel-data-when-possible-is-set.md): 2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure  channel data (when possible)' is set to 'Enabled' (Automated)
- [\*2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure  channel data (when possible)' is set to](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.6-domain-member/2.3.6.3-l1-ensure-domain-member-digitally-sign-secure-channel-data-when-possible-is-set-to.md): 2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure  channel data (when possible)' is set to 'Enabled' (Automated)
- [\*2.3.6.4 (L1) Ensure 'Domain member: Disable machine account  password changes' is set to 'Disabled'](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.6-domain-member/2.3.6.4-l1-ensure-domain-member-disable-machine-account-password-changes-is-set-to-disabled.md): 2.3.6.4 (L1) Ensure 'Domain member: Disable machine account  password changes' is set to 'Disabled' (Automated)
- [\*2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account  password age' is set to '30 or fewer d](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.6-domain-member/2.3.6.5-l1-ensure-domain-member-maximum-machine-account-password-age-is-set-to-30-or-fewer-d.md): 2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account  password age' is set to '30 or fewer days, but not 0' (Automated)
- [\*2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows  2000 or later) session key' is set to](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.6-domain-member/2.3.6.6-l1-ensure-domain-member-require-strong-windows-2000-or-later-session-key-is-set-to.md): 2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows  2000 or later) session key' is set to 'Enabled' (Automated)
- [2.3.7 Interactive logon](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.7-interactive-logon.md): 2.3.7 Interactive logon
- [2.3.7.1 (L1) Ensure 'Interactive logon: Do not require  CTRL+ALT+DEL' is set to 'Disabled' (Automate](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.7-interactive-logon/2.3.7.1-l1-ensure-interactive-logon-do-not-require-ctrl+alt+del-is-set-to-disabled-automate.md): 2.3.7.1 (L1) Ensure 'Interactive logon: Do not require  CTRL+ALT+DEL' is set to 'Disabled' (Automated)
- [2.3.7.2 (L1) Ensure 'Interactive logon: Don't display last signed-in'  is set to 'Enabled' (Automate](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.7-interactive-logon/2.3.7.2-l1-ensure-interactive-logon-dont-display-last-signed-in-is-set-to-enabled-automate.md): 2.3.7.2 (L1) Ensure 'Interactive logon: Don't display last signed-in'  is set to 'Enabled' (Automated)
- [2.3.7.3 (BL) Ensure 'Interactive logon: Machine account lockout  threshold' is set to '10 or fewer i](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.7-interactive-logon/2.3.7.3-bl-ensure-interactive-logon-machine-account-lockout-threshold-is-set-to-10-or-fewer-i.md): 2.3.7.3 (BL) Ensure 'Interactive logon: Machine account lockout  threshold' is set to '10 or fewer invalid logon attempts, but not 0'  (Automated)
- [2.3.7.4 (L1) Ensure 'Interactive logon: Machine inactivity limit' is  set to '900 or fewer second(s)](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.7-interactive-logon/2.3.7.4-l1-ensure-interactive-logon-machine-inactivity-limit-is-set-to-900-or-fewer-second-s.md): 2.3.7.4 (L1) Ensure 'Interactive logon: Machine inactivity limit' is  set to '900 or fewer second(s), but not 0' (Automated)
- [2.3.7.5 (L1) Configure 'Interactive logon: Message text for users  attempting to log on' (Automated)](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.7-interactive-logon/2.3.7.5-l1-configure-interactive-logon-message-text-for-users-attempting-to-log-on-automated.md): 2.3.7.5 (L1) Configure 'Interactive logon: Message text for users  attempting to log on' (Automated)
- [2.3.7.6 (L1) Configure 'Interactive logon: Message title for users  attempting to log on' (Automated](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.7-interactive-logon/2.3.7.6-l1-configure-interactive-logon-message-title-for-users-attempting-to-log-on-automated.md): 2.3.7.6 (L1) Configure 'Interactive logon: Message title for users  attempting to log on' (Automated)
- [\*2.3.7.7 (L2) Ensure 'Interactive logon: Number of previous logons  to cache (in case domain control](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.7-interactive-logon/2.3.7.7-l2-ensure-interactive-logon-number-of-previous-logons-to-cache-in-case-domain-control.md): 2.3.7.7 (L2) Ensure 'Interactive logon: Number of previous logons  to cache (in case domain controller is not available)' is set to '4 or  fewer logon(s)' (Automated)
- [\*2.3.7.8 (L1) Ensure 'Interactive logon: Prompt user to change  password before expiration' is set t](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.7-interactive-logon/2.3.7.8-l1-ensure-interactive-logon-prompt-user-to-change-password-before-expiration-is-set-t.md): 2.3.7.8 (L1) Ensure 'Interactive logon: Prompt user to change  password before expiration' is set to 'between 5 and 14 days'  (Automated)
- [2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal  behavior' is set to 'Lock Workstation' o](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.7-interactive-logon/2.3.7.9-l1-ensure-interactive-logon-smart-card-removal-behavior-is-set-to-lock-workstation-o.md): 2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal  behavior' is set to 'Lock Workstation' or higher (Automated)
- [2.3.8 Microsoft network client](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.8-microsoft-network-client.md): 2.3.8 Microsoft network client
- [2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign  communications (always)' is set to 'E](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.8-microsoft-network-client/2.3.8.1-l1-ensure-microsoft-network-client-digitally-sign-communications-always-is-set-to-e.md): 2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign  communications (always)' is set to 'Enabled' (Automated)
- [2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign  communications (if server agrees)' is](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.8-microsoft-network-client/2.3.8.2-l1-ensure-microsoft-network-client-digitally-sign-communications-if-server-agrees-is.md): 2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign  communications (if server agrees)' is set to 'Enabled' (Automated)
- [2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted  password to third-party SMB servers](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.8-microsoft-network-client/2.3.8.3-l1-ensure-microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md): 2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted  password to third-party SMB servers' is set to 'Disabled'  (Automated)
- [2.3.9 Microsoft network server](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.9-microsoft-network-server.md): 2.3.9 Microsoft network server
- [\*2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time  required before suspending sess](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.9-microsoft-network-server/2.3.9.1-l1-ensure-microsoft-network-server-amount-of-idle-time-required-before-suspending-sess.md): 2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time  required before suspending session' is set to '15 or fewer  minute(s)' (Automated)
- [2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign  communications (always)' is set to 'E](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.9-microsoft-network-server/2.3.9.2-l1-ensure-microsoft-network-server-digitally-sign-communications-always-is-set-to-e.md): 2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign  communications (always)' is set to 'Enabled' (Automated)
- [2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign  communications (if client agrees)' is](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.9-microsoft-network-server/2.3.9.3-l1-ensure-microsoft-network-server-digitally-sign-communications-if-client-agrees-is.md): 2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign  communications (if client agrees)' is set to 'Enabled' (Automated)
- [2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients  when logon hours expire' is set t](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.9-microsoft-network-server/2.3.9.4-l1-ensure-microsoft-network-server-disconnect-clients-when-logon-hours-expire-is-set-t.md): 2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients  when logon hours expire' is set to 'Enabled' (Automated)
- [\*2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target  name validation level' is set to](/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.9-microsoft-network-server/2.3.9.5-l1-ensure-microsoft-network-server-server-spn-target-name-validation-level-is-set-to.md): 2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target  name validation level' is set to 'Accept if provided by client' or  higher (Automated)
- [Account Protection](/intune-endpoint-hardening/account-protection.md): Account Protection
- [Enforce password history](/intune-endpoint-hardening/account-protection/enforce-password-history.md): DevicePasswordHistory
- [Ensure Maximum password age](/intune-endpoint-hardening/account-protection/ensure-maximum-password-age.md): DevicePasswordExpiration
- [Ensure Minimum password age](/intune-endpoint-hardening/account-protection/ensure-minimum-password-age.md): MinimumPasswordAge
- [Ensure Minimum password length](/intune-endpoint-hardening/account-protection/ensure-minimum-password-length.md): MinDevicePasswordLength
- [Ensure Password must meet complexity requirements](/intune-endpoint-hardening/account-protection/ensure-password-must-meet-complexity-requirements.md): MinDevicePasswordComplexCharacters
- [\*Ensure Relax minimum password length limits](/intune-endpoint-hardening/account-protection/ensure-relax-minimum-password-length-limits.md): Not Available
- [\*Store passwords using reversible encryption](/intune-endpoint-hardening/account-protection/store-passwords-using-reversible-encryption.md): ClearTextPassword
- [Allow Simple Device Password](/intune-endpoint-hardening/account-protection/allow-simple-device-password.md): AllowSimpleDevicePassword
- [Alphanumeric Device Password Required](/intune-endpoint-hardening/account-protection/alphanumeric-device-password-required.md): AlphanumericDevicePasswordRequired
- [Number of sign-in failures before wiping device](/intune-endpoint-hardening/account-protection/number-of-sign-in-failures-before-wiping-device.md): MaxDevicePasswordFailedAttempts
- [Device Lock Enabled](/intune-endpoint-hardening/account-protection/device-lock-enabled.md): DevicePasswordEnabled
- [\*Account lockout duration](/intune-endpoint-hardening/account-protection/account-lockout-duration.md): AccountLockoutPolicy
- [\*Account lockout threshold](/intune-endpoint-hardening/account-protection/account-lockout-threshold.md): AccountLockoutPolicy
- [\*Allow Administrator account lockout](/intune-endpoint-hardening/account-protection/allow-administrator-account-lockout.md): AllowAdministratorLockout
- [\*Reset account lockout counter after](/intune-endpoint-hardening/account-protection/reset-account-lockout-counter-after.md): AllowAdministratorLockout
- [Auditing and Logs](/intune-endpoint-hardening/auditing-and-logs.md): Auditing and Logs
- [AccountLogon\_AuditOtherAccountLogonEvents](/intune-endpoint-hardening/auditing-and-logs/accountlogon_auditotheraccountlogonevents.md): AccountLogon\_AuditOtherAccountLogonEvents
- [PolicyChange\_AuditPolicyChange](/intune-endpoint-hardening/auditing-and-logs/policychange_auditpolicychange.md): PolicyChange\_AuditPolicyChange
- [PolicyChange\_AuditAuthenticationPolicyChange](/intune-endpoint-hardening/auditing-and-logs/policychange_auditauthenticationpolicychange.md): PolicyChange\_AuditAuthenticationPolicyChange
- [PolicyChange\_AuditAuthorizationPolicyChange](/intune-endpoint-hardening/auditing-and-logs/policychange_auditauthorizationpolicychange.md): PolicyChange\_AuditAuthorizationPolicyChange
- [AccountLogon\_AuditCredentialValidation](/intune-endpoint-hardening/auditing-and-logs/accountlogon_auditcredentialvalidation.md): AccountLogon\_AuditCredentialValidation
- [AccountLogonLogoff\_AuditGroupMembership](/intune-endpoint-hardening/auditing-and-logs/accountlogonlogoff_auditgroupmembership.md): AccountLogonLogoff\_AuditGroupMembership
- [AccountLogonLogoff\_AuditLogoff](/intune-endpoint-hardening/auditing-and-logs/accountlogonlogoff_auditlogoff.md): AccountLogonLogoff\_AuditLogoff
- [AccountLogonLogoff\_AuditLogon](/intune-endpoint-hardening/auditing-and-logs/accountlogonlogoff_auditlogon.md): AccountLogonLogoff\_AuditLogon
- [PolicyChange\_AuditMPSSVCRuleLevelPolicyChange](/intune-endpoint-hardening/auditing-and-logs/policychange_auditmpssvcrulelevelpolicychange.md): PolicyChange\_AuditMPSSVCRuleLevelPolicyChange
- [AccountLogonLogoff\_AuditOtherLogonLogoffEvents](/intune-endpoint-hardening/auditing-and-logs/accountlogonlogoff_auditotherlogonlogoffevents.md): AccountLogonLogoff\_AuditOtherLogonLogoffEvents
- [PolicyChange\_AuditOtherPolicyChangeEvents](/intune-endpoint-hardening/auditing-and-logs/policychange_auditotherpolicychangeevents.md): PolicyChange\_AuditOtherPolicyChangeEvents
- [DetailedTracking\_AuditPNPActivity](/intune-endpoint-hardening/auditing-and-logs/detailedtracking_auditpnpactivity.md): DetailedTracking\_AuditPNPActivity
- [DetailedTracking\_AuditProcessCreation](/intune-endpoint-hardening/auditing-and-logs/detailedtracking_auditprocesscreation.md): DetailedTracking\_AuditProcessCreation
- [AccountManagement\_AuditSecurityGroupManagement](/intune-endpoint-hardening/auditing-and-logs/accountmanagement_auditsecuritygroupmanagement.md): AccountManagement\_AuditSecurityGroupManagement
- [PrivilegeUse\_AuditSensitivePrivilegeUse](/intune-endpoint-hardening/auditing-and-logs/privilegeuse_auditsensitiveprivilegeuse.md): PrivilegeUse\_AuditSensitivePrivilegeUse
- [AccountLogonLogoff\_AuditSpecialLogon](/intune-endpoint-hardening/auditing-and-logs/accountlogonlogoff_auditspeciallogon.md): AccountLogonLogoff\_AuditSpecialLogon
- [AccountManagement\_AuditUserAccountManagement](/intune-endpoint-hardening/auditing-and-logs/accountmanagement_audituseraccountmanagement.md): AccountManagement\_AuditUserAccountManagement
- [SpecifyMaximumFileSizeApplicationLog](/intune-endpoint-hardening/auditing-and-logs/specifymaximumfilesizeapplicationlog.md): SpecifyMaximumFileSizeApplicationLog
- [SpecifyMaximumFileSizeSecurityLog](/intune-endpoint-hardening/auditing-and-logs/specifymaximumfilesizesecuritylog.md): SpecifyMaximumFileSizeSecurityLog
- [Identification and Authentication](/intune-endpoint-hardening/identification-and-authentication.md): Identification and Authentication
- [Accounts\_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly](/intune-endpoint-hardening/identification-and-authentication/accounts_limitlocalaccountuseofblankpasswordstoconsolelogononly.md): Accounts\_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
- [AllowBasicAuthentication\_Client](/intune-endpoint-hardening/identification-and-authentication/allowbasicauthentication_client.md): AllowBasicAuthentication\_Client
- [AllowBasicAuthentication\_Service](/intune-endpoint-hardening/identification-and-authentication/allowbasicauthentication_service.md): AllowBasicAuthentication\_Service
- [DisallowDigestAuthentication](/intune-endpoint-hardening/identification-and-authentication/disallowdigestauthentication.md): DisallowDigestAuthentication
- [DisallowStoringOfRunAsCredentials](/intune-endpoint-hardening/identification-and-authentication/disallowstoringofrunascredentials.md): DisallowStoringOfRunAsCredentials
- [DoNotAllowPasswordSaving](/intune-endpoint-hardening/identification-and-authentication/donotallowpasswordsaving.md): DoNotAllowPasswordSaving
- [17. Advanced Audit Policy Configuration](/intune-endpoint-hardening/17.-advanced-audit-policy-configuration.md): 17. Advanced Audit Policy Configuration
- [17.9 System](/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.9-system.md): 17.9 System
- [17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and  Failure' (Automated)](/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.9-system/17.9.1-l1-ensure-audit-ipsec-driver-is-set-to-success-and-failure-automated.md): System\_AuditIPsecDriver
- [17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success  and Failure' (Automated)](/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.9-system/17.9.2-l1-ensure-audit-other-system-events-is-set-to-success-and-failure-automated.md): System\_AuditOtherSystemEvents
- [17.9.3 (L1) Ensure 'Audit Security State Change' is set to include  'Success' (Automated)](/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.9-system/17.9.3-l1-ensure-audit-security-state-change-is-set-to-include-success-automated.md): System\_AuditSecurityStateChange
- [17.9.4 (L1) Ensure 'Audit Security System Extension' is set to  include 'Success' (Automated)](/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.9-system/17.9.4-l1-ensure-audit-security-system-extension-is-set-to-include-success-automated.md): System\_AuditSecuritySystemExtension
- [17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and  Failure' (Automated)](/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.9-system/17.9.5-l1-ensure-audit-system-integrity-is-set-to-success-and-failure-automated.md): System\_AuditSystemIntegrity
- [17.6 Object Access](/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.6-object-access.md): Object Access
- [17.6.1 (L1) Ensure 'Audit Detailed File Share' is set to include  'Failure' (Automated)](/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.6-object-access/17.6.1-l1-ensure-audit-detailed-file-share-is-set-to-include-failure-automated.md): ObjectAccess\_AuditDetailedFileShare
- [17.6.2 (L1) Ensure 'Audit File Share' is set to 'Success and  Failure' (Automated)](/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.6-object-access/17.6.2-l1-ensure-audit-file-share-is-set-to-success-and-failure-automated.md): ObjectAccess\_AuditFileShare
- [17.6.3 (L1) Ensure 'Audit Other Object Access Events' is set to  'Success and Failure' (Automated)](/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.6-object-access/17.6.3-l1-ensure-audit-other-object-access-events-is-set-to-success-and-failure-automated.md): ObjectAccess\_AuditOtherObjectAccessEvents
- [17.6.4 (L1) Ensure 'Audit Removable Storage' is set to 'Success  and Failure' (Automated)](/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.6-object-access/17.6.4-l1-ensure-audit-removable-storage-is-set-to-success-and-failure-automated.md): ObjectAccess\_AuditRemovableStorage
- [18. Administrative Templates (Computer)](/intune-endpoint-hardening/18.-administrative-templates-computer.md): Administrative Templates (Computer)
- [18.10.26.1.1 (L1) Ensure 'Application: Control Event Log behavior  when the log file reaches its max](/intune-endpoint-hardening/18.-administrative-templates-computer/18.10.26.1.1-l1-ensure-application-control-event-log-behavior-when-the-log-file-reaches-its-max.md): 18.10.26.1.1 (L1) Ensure 'Application: Control Event Log behavior  when the log file reaches its maximum size' is set to 'Disabled'  (Automated)
- [18.10.26.4.2 (L1) Ensure 'System: Specify the maximum log file  size (KB)' is set to 'Enabled: 32,76](/intune-endpoint-hardening/18.-administrative-templates-computer/18.10.26.4.2-l1-ensure-system-specify-the-maximum-log-file-size-kb-is-set-to-enabled-32-76.md): 18.10.26.4.2 (L1) Ensure 'System: Specify the maximum log file  size (KB)' is set to 'Enabled: 32,768 or greater' (Automated)
- [18.10.43.16 (L1) Ensure 'Configure detection for potentially  unwanted applications' is set to 'Enab](/intune-endpoint-hardening/18.-administrative-templates-computer/18.10.43.16-l1-ensure-configure-detection-for-potentially-unwanted-applications-is-set-to-enab.md): 18.10.43.16 (L1) Ensure 'Configure detection for potentially  unwanted applications' is set to 'Enabled: Block' (Automated)
- [18.10.43.17 (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is  set to 'Disabled' (Automated)](/intune-endpoint-hardening/18.-administrative-templates-computer/18.10.43.17-l1-ensure-turn-off-microsoft-defender-antivirus-is-set-to-disabled-automated.md): 18.10.43.17 (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is  set to 'Disabled' (Automated)
