# Intune Endpoint Hardening

- [2. Local Policies](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies.md): 2. Local Policies
- [2.2 User Rights Assignment](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment.md): 2.2 User Rights Assignment
- [2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller'  is set to 'No One' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.1-l1-ensure-access-credential-manager-as-a-trusted-caller-is-set-to-no-one-automated.md): 2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller'  is set to 'No One' (Automated)
- [2.2.2 (L1) Ensure 'Access this computer from the network' is set  to 'Administrators, Remote Desktop](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.2-l1-ensure-access-this-computer-from-the-network-is-set-to-administrators-remote-desktop.md): 2.2.2 (L1) Ensure 'Access this computer from the network' is set  to 'Administrators, Remote Desktop Users' (Automated)
- [2.2.3 (L1) Ensure 'Act as part of the operating system' is set to  'No One' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.3-l1-ensure-act-as-part-of-the-operating-system-is-set-to-no-one-automated.md): 2.2.3 (L1) Ensure 'Act as part of the operating system' is set to  'No One' (Automated)
- [\*2.2.4 (L1) Ensure 'Adjust memory quotas for a process' is set to  'Administrators, LOCAL SERVICE, N](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.4-l1-ensure-adjust-memory-quotas-for-a-process-is-set-to-administrators-local-service-n.md): 2.2.4 (L1) Ensure 'Adjust memory quotas for a process' is set to  'Administrators, LOCAL SERVICE, NETWORK SERVICE'  (Automated)
- [2.2.5 (L1) Ensure 'Allow log on locally' is set to 'Administrators,  Users' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.5-l1-ensure-allow-log-on-locally-is-set-to-administrators-users-automated.md): 2.2.5 (L1) Ensure 'Allow log on locally' is set to 'Administrators,  Users' (Automated)
- [\*2.2.6 (L1) Ensure 'Allow log on through Remote Desktop  Services' is set to 'Administrators, Remote](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.6-l1-ensure-allow-log-on-through-remote-desktop-services-is-set-to-administrators-remote.md): 2.2.6 (L1) Ensure 'Allow log on through Remote Desktop  Services' is set to 'Administrators, Remote Desktop Users'  (Automated)
- [2.2.7 (L1) Ensure 'Back up files and directories' is set to  'Administrators' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.7-l1-ensure-back-up-files-and-directories-is-set-to-administrators-automated.md): 2.2.7 (L1) Ensure 'Back up files and directories' is set to  'Administrators' (Automated)
- [2.2.8 (L1) Ensure 'Change the system time' is set to  'Administrators, LOCAL SERVICE' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.8-l1-ensure-change-the-system-time-is-set-to-administrators-local-service-automated.md): 2.2.8 (L1) Ensure 'Change the system time' is set to  'Administrators, LOCAL SERVICE' (Automated)
- [2.2.9 (L1) Ensure 'Change the time zone' is set to 'Administrators,  LOCAL SERVICE, Users' (Automate](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.9-l1-ensure-change-the-time-zone-is-set-to-administrators-local-service-users-automate.md): 2.2.9 (L1) Ensure 'Change the time zone' is set to 'Administrators,  LOCAL SERVICE, Users' (Automated)
- [2.2.10 (L1) Ensure 'Create a pagefile' is set to 'Administrators'  (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.10-l1-ensure-create-a-pagefile-is-set-to-administrators-automated.md): 2.2.10 (L1) Ensure 'Create a pagefile' is set to 'Administrators'  (Automated)
- [2.2.11 (L1) Ensure 'Create a token object' is set to 'No One'  (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.11-l1-ensure-create-a-token-object-is-set-to-no-one-automated.md): 2.2.11 (L1) Ensure 'Create a token object' is set to 'No One'  (Automated)
- [2.2.12 (L1) Ensure 'Create global objects' is set to 'Administrators,  LOCAL SERVICE, NETWORK SERVIC](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.12-l1-ensure-create-global-objects-is-set-to-administrators-local-service-network-servic.md): 2.2.12 (L1) Ensure 'Create global objects' is set to 'Administrators,  LOCAL SERVICE, NETWORK SERVICE, SERVICE' (Automated)
- [2.2.13 (L1) Ensure 'Create permanent shared objects' is set to  'No One' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.13-l1-ensure-create-permanent-shared-objects-is-set-to-no-one-automated.md): 2.2.13 (L1) Ensure 'Create permanent shared objects' is set to  'No One' (Automated)
- [\*2.2.14 (L1) Configure 'Create symbolic links' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.14-l1-configure-create-symbolic-links-automated.md): 2.2.14 (L1) Configure 'Create symbolic links' (Automated)
- [2.2.15 (L1) Ensure 'Debug programs' is set to 'Administrators'  (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.15-l1-ensure-debug-programs-is-set-to-administrators-automated.md): 2.2.15 (L1) Ensure 'Debug programs' is set to 'Administrators'  (Automated)
- [2.2.16 (L1) Ensure 'Deny access to this computer from the  network' to include 'Guests, Local accoun](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.16-l1-ensure-deny-access-to-this-computer-from-the-network-to-include-guests-local-accoun.md): 2.2.16 (L1) Ensure 'Deny access to this computer from the  network' to include 'Guests, Local account' (Automated)
- [2.2.17 (L1) Ensure 'Deny log on as a batch job' to include 'Guests'  (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.17-l1-ensure-deny-log-on-as-a-batch-job-to-include-guests-automated.md): 2.2.17 (L1) Ensure 'Deny log on as a batch job' to include 'Guests'  (Automated)
- [\*2.2.18 (L1) Ensure 'Deny log on as a service' to include 'Guests'  (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.18-l1-ensure-deny-log-on-as-a-service-to-include-guests-automated.md): 2.2.18 (L1) Ensure 'Deny log on as a service' to include 'Guests'  (Automated)
- [2.2.19 (L1) Ensure 'Deny log on locally' to include 'Guests'  (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.19-l1-ensure-deny-log-on-locally-to-include-guests-automated.md): 2.2.19 (L1) Ensure 'Deny log on locally' to include 'Guests'  (Automated)
- [2.2.20 (L1) Ensure 'Deny log on through Remote Desktop  Services' to include 'Guests, Local account'](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.20-l1-ensure-deny-log-on-through-remote-desktop-services-to-include-guests-local-account.md): 2.2.20 (L1) Ensure 'Deny log on through Remote Desktop  Services' to include 'Guests, Local account' (Automated)
- [2.2.21 (L1) Ensure 'Enable computer and user accounts to be  trusted for delegation' is set to 'No O](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.21-l1-ensure-enable-computer-and-user-accounts-to-be-trusted-for-delegation-is-set-to-no-o.md): 2.2.21 (L1) Ensure 'Enable computer and user accounts to be  trusted for delegation' is set to 'No One' (Automated)
- [2.2.22 (L1) Ensure 'Force shutdown from a remote system' is set  to 'Administrators' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.22-l1-ensure-force-shutdown-from-a-remote-system-is-set-to-administrators-automated.md): 2.2.22 (L1) Ensure 'Force shutdown from a remote system' is set  to 'Administrators' (Automated)
- [2.2.23 (L1) Ensure 'Generate security audits' is set to 'LOCAL  SERVICE, NETWORK SERVICE' (Automated](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.23-l1-ensure-generate-security-audits-is-set-to-local-service-network-service-automated.md): 2.2.23 (L1) Ensure 'Generate security audits' is set to 'LOCAL  SERVICE, NETWORK SERVICE' (Automated)
- [2.2.24 (L1) Ensure 'Impersonate a client after authentication' is  set to 'Administrators, LOCAL SER](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.24-l1-ensure-impersonate-a-client-after-authentication-is-set-to-administrators-local-ser.md): 2.2.24 (L1) Ensure 'Impersonate a client after authentication' is  set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE,  SERVICE' (Automated)
- [2.2.25 (L1) Ensure 'Increase scheduling priority' is set to  'Administrators, Window Manager\Window](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.25-l1-ensure-increase-scheduling-priority-is-set-to-administrators-window-manager-window.md): 2.2.25 (L1) Ensure 'Increase scheduling priority' is set to  'Administrators, Window Manager\Window Manager Group'  (Automated)
- [2.2.26 (L1) Ensure 'Load and unload device drivers' is set to  'Administrators' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.26-l1-ensure-load-and-unload-device-drivers-is-set-to-administrators-automated.md): 2.2.26 (L1) Ensure 'Load and unload device drivers' is set to  'Administrators' (Automated)
- [2.2.27 (L1) Ensure 'Lock pages in memory' is set to 'No One'  (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.27-l1-ensure-lock-pages-in-memory-is-set-to-no-one-automated.md): 2.2.27 (L1) Ensure 'Lock pages in memory' is set to 'No One'  (Automated)
- [2.2.28 (L2) Ensure 'Log on as a batch job' is set to  'Administrators' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.28-l2-ensure-log-on-as-a-batch-job-is-set-to-administrators-automated.md): 2.2.28 (L2) Ensure 'Log on as a batch job' is set to  'Administrators' (Automated)
- [\*2.2.29 (L2) Configure 'Log on as a service' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.29-l2-configure-log-on-as-a-service-automated.md): 2.2.29 (L2) Configure 'Log on as a service' (Automated)
- [2.2.30 (L1) Ensure 'Manage auditing and security log' is set to  'Administrators' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.30-l1-ensure-manage-auditing-and-security-log-is-set-to-administrators-automated.md): 2.2.30 (L1) Ensure 'Manage auditing and security log' is set to  'Administrators' (Automated)
- [2.2.31 (L1) Ensure 'Modify an object label' is set to 'No One'  (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.31-l1-ensure-modify-an-object-label-is-set-to-no-one-automated.md): 2.2.31 (L1) Ensure 'Modify an object label' is set to 'No One'  (Automated)
- [2.2.32 (L1) Ensure 'Modify firmware environment values' is set to  'Administrators' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.32-l1-ensure-modify-firmware-environment-values-is-set-to-administrators-automated.md): 2.2.32 (L1) Ensure 'Modify firmware environment values' is set to  'Administrators' (Automated)
- [2.2.33 (L1) Ensure 'Perform volume maintenance tasks' is set to  'Administrators' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.33-l1-ensure-perform-volume-maintenance-tasks-is-set-to-administrators-automated.md): 2.2.33 (L1) Ensure 'Perform volume maintenance tasks' is set to  'Administrators' (Automated)
- [2.2.34 (L1) Ensure 'Profile single process' is set to 'Administrators'  (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.34-l1-ensure-profile-single-process-is-set-to-administrators-automated.md): 2.2.34 (L1) Ensure 'Profile single process' is set to 'Administrators'  (Automated)
- [2.2.35 (L1) Ensure 'Profile system performance' is set to  'Administrators, NT SERVICE\WdiServiceHos](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.35-l1-ensure-profile-system-performance-is-set-to-administrators-nt-service-wdiservicehos.md): 2.2.35 (L1) Ensure 'Profile system performance' is set to  'Administrators, NT SERVICE\WdiServiceHost' (Automated)
- [2.2.36 (L1) Ensure 'Replace a process level token' is set to  'LOCAL SERVICE, NETWORK SERVICE' (Auto](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.36-l1-ensure-replace-a-process-level-token-is-set-to-local-service-network-service-auto.md): 2.2.36 (L1) Ensure 'Replace a process level token' is set to  'LOCAL SERVICE, NETWORK SERVICE' (Automated)
- [2.2.37 (L1) Ensure 'Restore files and directories' is set to  'Administrators' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.37-l1-ensure-restore-files-and-directories-is-set-to-administrators-automated.md): 2.2.37 (L1) Ensure 'Restore files and directories' is set to  'Administrators' (Automated)
- [2.2.38 (L1) Ensure 'Shut down the system' is set to  'Administrators, Users' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.38-l1-ensure-shut-down-the-system-is-set-to-administrators-users-automated.md): 2.2.38 (L1) Ensure 'Shut down the system' is set to  'Administrators, Users' (Automated)
- [2.2.39 (L1) Ensure 'Take ownership of files or other objects' is set  to 'Administrators' (Automated](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.2-user-rights-assignment/2.2.39-l1-ensure-take-ownership-of-files-or-other-objects-is-set-to-administrators-automated.md): 2.2.39 (L1) Ensure 'Take ownership of files or other objects' is set  to 'Administrators' (Automated)
- [2.3 Security Options](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options.md): 2.3 Security Options
- [2.3.1 Accounts](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.1-accounts.md): 2.3.1 Accounts
- [2.3.1.1 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to  'Users can't add or log on with](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.1-accounts/2.3.1.1-l1-ensure-accounts-block-microsoft-accounts-is-set-to-users-cant-add-or-log-on-with.md): 2.3.1.1 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to  'Users can't add or log on with Microsoft accounts' (Automated)
- [2.3.1.2 (L1) Ensure 'Accounts: Guest account status' is set to  'Disabled' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.1-accounts/2.3.1.2-l1-ensure-accounts-guest-account-status-is-set-to-disabled-automated.md): 2.3.1.2 (L1) Ensure 'Accounts: Guest account status' is set to  'Disabled' (Automated)
- [2.3.1.3 (L1) Ensure 'Accounts: Limit local account use of blank  passwords to console logon only' is](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.1-accounts/2.3.1.3-l1-ensure-accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only-is.md): 2.3.1.3 (L1) Ensure 'Accounts: Limit local account use of blank  passwords to console logon only' is set to 'Enabled' (Automated)
- [2.3.1.4 (L1) Configure 'Accounts: Rename administrator account'  (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.1-accounts/2.3.1.4-l1-configure-accounts-rename-administrator-account-automated.md): 2.3.1.4 (L1) Configure 'Accounts: Rename administrator account'  (Automated)
- [2.3.1.5 (L1) Configure 'Accounts: Rename guest account'  (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.1-accounts/2.3.1.5-l1-configure-accounts-rename-guest-account-automated.md): 2.3.1.5 (L1) Configure 'Accounts: Rename guest account'  (Automated)
- [2.3.2 Audit](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.2-audit.md): 2.3.2 Audit
- [\*2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings  (Windows Vista or later) to ov](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.2-audit/2.3.2.1-l1-ensure-audit-force-audit-policy-subcategory-settings-windows-vista-or-later-to-ov.md): 2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings  (Windows Vista or later) to override audit policy category settings'  is set to 'Enabled' (Automated)
- [\*2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if  unable to log security audits' is set](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.2-audit/2.3.2.2-l1-ensure-audit-shut-down-system-immediately-if-unable-to-log-security-audits-is-set.md): 2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if  unable to log security audits' is set to 'Disabled' (Automated)
- [2.3.3 DCOM](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.3-dcom.md): 2.3.3 DCOM
- [2.3.4 Devices](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.4-devices.md): 2.3.4 Devices
- [2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject  removable media' is set to 'Administrator](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.4-devices/2.3.4.1-l1-ensure-devices-allowed-to-format-and-eject-removable-media-is-set-to-administrator.md): 2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject  removable media' is set to 'Administrators and Interactive Users'  (Automated)
- [2.3.4.2 (L2) Ensure 'Devices: Prevent users from installing printer  drivers' is set to 'Enabled' (A](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.4-devices/2.3.4.2-l2-ensure-devices-prevent-users-from-installing-printer-drivers-is-set-to-enabled-a.md): 2.3.4.2 (L2) Ensure 'Devices: Prevent users from installing printer  drivers' is set to 'Enabled' (Automated)
- [2.3.5 Domain controller](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.5-domain-controller.md): 2.3.5 Domain controller
- [2.3.6 Domain member](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.6-domain-member.md): 2.3.6 Domain member
- [\*2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign  secure channel data (always)' is set](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.6-domain-member/2.3.6.1-l1-ensure-domain-member-digitally-encrypt-or-sign-secure-channel-data-always-is-set.md): 2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign  secure channel data (always)' is set to 'Enabled' (Automated)
- [\*2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure  channel data (when possible)' is set](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.6-domain-member/2.3.6.2-l1-ensure-domain-member-digitally-encrypt-secure-channel-data-when-possible-is-set.md): 2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure  channel data (when possible)' is set to 'Enabled' (Automated)
- [\*2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure  channel data (when possible)' is set to](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.6-domain-member/2.3.6.3-l1-ensure-domain-member-digitally-sign-secure-channel-data-when-possible-is-set-to.md): 2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure  channel data (when possible)' is set to 'Enabled' (Automated)
- [\*2.3.6.4 (L1) Ensure 'Domain member: Disable machine account  password changes' is set to 'Disabled'](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.6-domain-member/2.3.6.4-l1-ensure-domain-member-disable-machine-account-password-changes-is-set-to-disabled.md): 2.3.6.4 (L1) Ensure 'Domain member: Disable machine account  password changes' is set to 'Disabled' (Automated)
- [\*2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account  password age' is set to '30 or fewer d](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.6-domain-member/2.3.6.5-l1-ensure-domain-member-maximum-machine-account-password-age-is-set-to-30-or-fewer-d.md): 2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account  password age' is set to '30 or fewer days, but not 0' (Automated)
- [\*2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows  2000 or later) session key' is set to](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.6-domain-member/2.3.6.6-l1-ensure-domain-member-require-strong-windows-2000-or-later-session-key-is-set-to.md): 2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows  2000 or later) session key' is set to 'Enabled' (Automated)
- [2.3.7 Interactive logon](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.7-interactive-logon.md): 2.3.7 Interactive logon
- [2.3.7.1 (L1) Ensure 'Interactive logon: Do not require  CTRL+ALT+DEL' is set to 'Disabled' (Automate](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.7-interactive-logon/2.3.7.1-l1-ensure-interactive-logon-do-not-require-ctrl+alt+del-is-set-to-disabled-automate.md): 2.3.7.1 (L1) Ensure 'Interactive logon: Do not require  CTRL+ALT+DEL' is set to 'Disabled' (Automated)
- [2.3.7.2 (L1) Ensure 'Interactive logon: Don't display last signed-in'  is set to 'Enabled' (Automate](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.7-interactive-logon/2.3.7.2-l1-ensure-interactive-logon-dont-display-last-signed-in-is-set-to-enabled-automate.md): 2.3.7.2 (L1) Ensure 'Interactive logon: Don't display last signed-in'  is set to 'Enabled' (Automated)
- [2.3.7.3 (BL) Ensure 'Interactive logon: Machine account lockout  threshold' is set to '10 or fewer i](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.7-interactive-logon/2.3.7.3-bl-ensure-interactive-logon-machine-account-lockout-threshold-is-set-to-10-or-fewer-i.md): 2.3.7.3 (BL) Ensure 'Interactive logon: Machine account lockout  threshold' is set to '10 or fewer invalid logon attempts, but not 0'  (Automated)
- [2.3.7.4 (L1) Ensure 'Interactive logon: Machine inactivity limit' is  set to '900 or fewer second(s)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.7-interactive-logon/2.3.7.4-l1-ensure-interactive-logon-machine-inactivity-limit-is-set-to-900-or-fewer-second-s.md): 2.3.7.4 (L1) Ensure 'Interactive logon: Machine inactivity limit' is  set to '900 or fewer second(s), but not 0' (Automated)
- [2.3.7.5 (L1) Configure 'Interactive logon: Message text for users  attempting to log on' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.7-interactive-logon/2.3.7.5-l1-configure-interactive-logon-message-text-for-users-attempting-to-log-on-automated.md): 2.3.7.5 (L1) Configure 'Interactive logon: Message text for users  attempting to log on' (Automated)
- [2.3.7.6 (L1) Configure 'Interactive logon: Message title for users  attempting to log on' (Automated](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.7-interactive-logon/2.3.7.6-l1-configure-interactive-logon-message-title-for-users-attempting-to-log-on-automated.md): 2.3.7.6 (L1) Configure 'Interactive logon: Message title for users  attempting to log on' (Automated)
- [\*2.3.7.7 (L2) Ensure 'Interactive logon: Number of previous logons  to cache (in case domain control](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.7-interactive-logon/2.3.7.7-l2-ensure-interactive-logon-number-of-previous-logons-to-cache-in-case-domain-control.md): 2.3.7.7 (L2) Ensure 'Interactive logon: Number of previous logons  to cache (in case domain controller is not available)' is set to '4 or  fewer logon(s)' (Automated)
- [\*2.3.7.8 (L1) Ensure 'Interactive logon: Prompt user to change  password before expiration' is set t](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.7-interactive-logon/2.3.7.8-l1-ensure-interactive-logon-prompt-user-to-change-password-before-expiration-is-set-t.md): 2.3.7.8 (L1) Ensure 'Interactive logon: Prompt user to change  password before expiration' is set to 'between 5 and 14 days'  (Automated)
- [2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal  behavior' is set to 'Lock Workstation' o](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.7-interactive-logon/2.3.7.9-l1-ensure-interactive-logon-smart-card-removal-behavior-is-set-to-lock-workstation-o.md): 2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal  behavior' is set to 'Lock Workstation' or higher (Automated)
- [2.3.8 Microsoft network client](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.8-microsoft-network-client.md): 2.3.8 Microsoft network client
- [2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign  communications (always)' is set to 'E](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.8-microsoft-network-client/2.3.8.1-l1-ensure-microsoft-network-client-digitally-sign-communications-always-is-set-to-e.md): 2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign  communications (always)' is set to 'Enabled' (Automated)
- [2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign  communications (if server agrees)' is](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.8-microsoft-network-client/2.3.8.2-l1-ensure-microsoft-network-client-digitally-sign-communications-if-server-agrees-is.md): 2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign  communications (if server agrees)' is set to 'Enabled' (Automated)
- [2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted  password to third-party SMB servers](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.8-microsoft-network-client/2.3.8.3-l1-ensure-microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md): 2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted  password to third-party SMB servers' is set to 'Disabled'  (Automated)
- [2.3.9 Microsoft network server](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.9-microsoft-network-server.md): 2.3.9 Microsoft network server
- [\*2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time  required before suspending sess](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.9-microsoft-network-server/2.3.9.1-l1-ensure-microsoft-network-server-amount-of-idle-time-required-before-suspending-sess.md): 2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time  required before suspending session' is set to '15 or fewer  minute(s)' (Automated)
- [2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign  communications (always)' is set to 'E](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.9-microsoft-network-server/2.3.9.2-l1-ensure-microsoft-network-server-digitally-sign-communications-always-is-set-to-e.md): 2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign  communications (always)' is set to 'Enabled' (Automated)
- [2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign  communications (if client agrees)' is](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.9-microsoft-network-server/2.3.9.3-l1-ensure-microsoft-network-server-digitally-sign-communications-if-client-agrees-is.md): 2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign  communications (if client agrees)' is set to 'Enabled' (Automated)
- [2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients  when logon hours expire' is set t](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.9-microsoft-network-server/2.3.9.4-l1-ensure-microsoft-network-server-disconnect-clients-when-logon-hours-expire-is-set-t.md): 2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients  when logon hours expire' is set to 'Enabled' (Automated)
- [\*2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target  name validation level' is set to](https://intune.everything365.online/intune-endpoint-hardening/2.-local-policies/2.3-security-options/2.3.9-microsoft-network-server/2.3.9.5-l1-ensure-microsoft-network-server-server-spn-target-name-validation-level-is-set-to.md): 2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target  name validation level' is set to 'Accept if provided by client' or  higher (Automated)
- [Account Protection](https://intune.everything365.online/intune-endpoint-hardening/account-protection.md): Account Protection
- [Enforce password history](https://intune.everything365.online/intune-endpoint-hardening/account-protection/enforce-password-history.md): DevicePasswordHistory
- [Ensure Maximum password age](https://intune.everything365.online/intune-endpoint-hardening/account-protection/ensure-maximum-password-age.md): DevicePasswordExpiration
- [Ensure Minimum password age](https://intune.everything365.online/intune-endpoint-hardening/account-protection/ensure-minimum-password-age.md): MinimumPasswordAge
- [Ensure Minimum password length](https://intune.everything365.online/intune-endpoint-hardening/account-protection/ensure-minimum-password-length.md): MinDevicePasswordLength
- [Ensure Password must meet complexity requirements](https://intune.everything365.online/intune-endpoint-hardening/account-protection/ensure-password-must-meet-complexity-requirements.md): MinDevicePasswordComplexCharacters
- [\*Ensure Relax minimum password length limits](https://intune.everything365.online/intune-endpoint-hardening/account-protection/ensure-relax-minimum-password-length-limits.md): Not Available
- [\*Store passwords using reversible encryption](https://intune.everything365.online/intune-endpoint-hardening/account-protection/store-passwords-using-reversible-encryption.md): ClearTextPassword
- [Allow Simple Device Password](https://intune.everything365.online/intune-endpoint-hardening/account-protection/allow-simple-device-password.md): AllowSimpleDevicePassword
- [Alphanumeric Device Password Required](https://intune.everything365.online/intune-endpoint-hardening/account-protection/alphanumeric-device-password-required.md): AlphanumericDevicePasswordRequired
- [Number of sign-in failures before wiping device](https://intune.everything365.online/intune-endpoint-hardening/account-protection/number-of-sign-in-failures-before-wiping-device.md): MaxDevicePasswordFailedAttempts
- [Device Lock Enabled](https://intune.everything365.online/intune-endpoint-hardening/account-protection/device-lock-enabled.md): DevicePasswordEnabled
- [\*Account lockout duration](https://intune.everything365.online/intune-endpoint-hardening/account-protection/account-lockout-duration.md): AccountLockoutPolicy
- [\*Account lockout threshold](https://intune.everything365.online/intune-endpoint-hardening/account-protection/account-lockout-threshold.md): AccountLockoutPolicy
- [\*Allow Administrator account lockout](https://intune.everything365.online/intune-endpoint-hardening/account-protection/allow-administrator-account-lockout.md): AllowAdministratorLockout
- [\*Reset account lockout counter after](https://intune.everything365.online/intune-endpoint-hardening/account-protection/reset-account-lockout-counter-after.md): AllowAdministratorLockout
- [Auditing and Logs](https://intune.everything365.online/intune-endpoint-hardening/auditing-and-logs.md): Auditing and Logs
- [AccountLogon\_AuditOtherAccountLogonEvents](https://intune.everything365.online/intune-endpoint-hardening/auditing-and-logs/accountlogon_auditotheraccountlogonevents.md): AccountLogon\_AuditOtherAccountLogonEvents
- [PolicyChange\_AuditPolicyChange](https://intune.everything365.online/intune-endpoint-hardening/auditing-and-logs/policychange_auditpolicychange.md): PolicyChange\_AuditPolicyChange
- [PolicyChange\_AuditAuthenticationPolicyChange](https://intune.everything365.online/intune-endpoint-hardening/auditing-and-logs/policychange_auditauthenticationpolicychange.md): PolicyChange\_AuditAuthenticationPolicyChange
- [PolicyChange\_AuditAuthorizationPolicyChange](https://intune.everything365.online/intune-endpoint-hardening/auditing-and-logs/policychange_auditauthorizationpolicychange.md): PolicyChange\_AuditAuthorizationPolicyChange
- [AccountLogon\_AuditCredentialValidation](https://intune.everything365.online/intune-endpoint-hardening/auditing-and-logs/accountlogon_auditcredentialvalidation.md): AccountLogon\_AuditCredentialValidation
- [AccountLogonLogoff\_AuditGroupMembership](https://intune.everything365.online/intune-endpoint-hardening/auditing-and-logs/accountlogonlogoff_auditgroupmembership.md): AccountLogonLogoff\_AuditGroupMembership
- [AccountLogonLogoff\_AuditLogoff](https://intune.everything365.online/intune-endpoint-hardening/auditing-and-logs/accountlogonlogoff_auditlogoff.md): AccountLogonLogoff\_AuditLogoff
- [AccountLogonLogoff\_AuditLogon](https://intune.everything365.online/intune-endpoint-hardening/auditing-and-logs/accountlogonlogoff_auditlogon.md): AccountLogonLogoff\_AuditLogon
- [PolicyChange\_AuditMPSSVCRuleLevelPolicyChange](https://intune.everything365.online/intune-endpoint-hardening/auditing-and-logs/policychange_auditmpssvcrulelevelpolicychange.md): PolicyChange\_AuditMPSSVCRuleLevelPolicyChange
- [AccountLogonLogoff\_AuditOtherLogonLogoffEvents](https://intune.everything365.online/intune-endpoint-hardening/auditing-and-logs/accountlogonlogoff_auditotherlogonlogoffevents.md): AccountLogonLogoff\_AuditOtherLogonLogoffEvents
- [PolicyChange\_AuditOtherPolicyChangeEvents](https://intune.everything365.online/intune-endpoint-hardening/auditing-and-logs/policychange_auditotherpolicychangeevents.md): PolicyChange\_AuditOtherPolicyChangeEvents
- [DetailedTracking\_AuditPNPActivity](https://intune.everything365.online/intune-endpoint-hardening/auditing-and-logs/detailedtracking_auditpnpactivity.md): DetailedTracking\_AuditPNPActivity
- [DetailedTracking\_AuditProcessCreation](https://intune.everything365.online/intune-endpoint-hardening/auditing-and-logs/detailedtracking_auditprocesscreation.md): DetailedTracking\_AuditProcessCreation
- [AccountManagement\_AuditSecurityGroupManagement](https://intune.everything365.online/intune-endpoint-hardening/auditing-and-logs/accountmanagement_auditsecuritygroupmanagement.md): AccountManagement\_AuditSecurityGroupManagement
- [PrivilegeUse\_AuditSensitivePrivilegeUse](https://intune.everything365.online/intune-endpoint-hardening/auditing-and-logs/privilegeuse_auditsensitiveprivilegeuse.md): PrivilegeUse\_AuditSensitivePrivilegeUse
- [AccountLogonLogoff\_AuditSpecialLogon](https://intune.everything365.online/intune-endpoint-hardening/auditing-and-logs/accountlogonlogoff_auditspeciallogon.md): AccountLogonLogoff\_AuditSpecialLogon
- [AccountManagement\_AuditUserAccountManagement](https://intune.everything365.online/intune-endpoint-hardening/auditing-and-logs/accountmanagement_audituseraccountmanagement.md): AccountManagement\_AuditUserAccountManagement
- [SpecifyMaximumFileSizeApplicationLog](https://intune.everything365.online/intune-endpoint-hardening/auditing-and-logs/specifymaximumfilesizeapplicationlog.md): SpecifyMaximumFileSizeApplicationLog
- [SpecifyMaximumFileSizeSecurityLog](https://intune.everything365.online/intune-endpoint-hardening/auditing-and-logs/specifymaximumfilesizesecuritylog.md): SpecifyMaximumFileSizeSecurityLog
- [Identification and Authentication](https://intune.everything365.online/intune-endpoint-hardening/identification-and-authentication.md): Identification and Authentication
- [Accounts\_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly](https://intune.everything365.online/intune-endpoint-hardening/identification-and-authentication/accounts_limitlocalaccountuseofblankpasswordstoconsolelogononly.md): Accounts\_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
- [AllowBasicAuthentication\_Client](https://intune.everything365.online/intune-endpoint-hardening/identification-and-authentication/allowbasicauthentication_client.md): AllowBasicAuthentication\_Client
- [AllowBasicAuthentication\_Service](https://intune.everything365.online/intune-endpoint-hardening/identification-and-authentication/allowbasicauthentication_service.md): AllowBasicAuthentication\_Service
- [DisallowDigestAuthentication](https://intune.everything365.online/intune-endpoint-hardening/identification-and-authentication/disallowdigestauthentication.md): DisallowDigestAuthentication
- [DisallowStoringOfRunAsCredentials](https://intune.everything365.online/intune-endpoint-hardening/identification-and-authentication/disallowstoringofrunascredentials.md): DisallowStoringOfRunAsCredentials
- [DoNotAllowPasswordSaving](https://intune.everything365.online/intune-endpoint-hardening/identification-and-authentication/donotallowpasswordsaving.md): DoNotAllowPasswordSaving
- [17. Advanced Audit Policy Configuration](https://intune.everything365.online/intune-endpoint-hardening/17.-advanced-audit-policy-configuration.md): 17. Advanced Audit Policy Configuration
- [17.9 System](https://intune.everything365.online/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.9-system.md): 17.9 System
- [17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and  Failure' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.9-system/17.9.1-l1-ensure-audit-ipsec-driver-is-set-to-success-and-failure-automated.md): System\_AuditIPsecDriver
- [17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success  and Failure' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.9-system/17.9.2-l1-ensure-audit-other-system-events-is-set-to-success-and-failure-automated.md): System\_AuditOtherSystemEvents
- [17.9.3 (L1) Ensure 'Audit Security State Change' is set to include  'Success' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.9-system/17.9.3-l1-ensure-audit-security-state-change-is-set-to-include-success-automated.md): System\_AuditSecurityStateChange
- [17.9.4 (L1) Ensure 'Audit Security System Extension' is set to  include 'Success' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.9-system/17.9.4-l1-ensure-audit-security-system-extension-is-set-to-include-success-automated.md): System\_AuditSecuritySystemExtension
- [17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and  Failure' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.9-system/17.9.5-l1-ensure-audit-system-integrity-is-set-to-success-and-failure-automated.md): System\_AuditSystemIntegrity
- [17.6 Object Access](https://intune.everything365.online/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.6-object-access.md): Object Access
- [17.6.1 (L1) Ensure 'Audit Detailed File Share' is set to include  'Failure' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.6-object-access/17.6.1-l1-ensure-audit-detailed-file-share-is-set-to-include-failure-automated.md): ObjectAccess\_AuditDetailedFileShare
- [17.6.2 (L1) Ensure 'Audit File Share' is set to 'Success and  Failure' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.6-object-access/17.6.2-l1-ensure-audit-file-share-is-set-to-success-and-failure-automated.md): ObjectAccess\_AuditFileShare
- [17.6.3 (L1) Ensure 'Audit Other Object Access Events' is set to  'Success and Failure' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.6-object-access/17.6.3-l1-ensure-audit-other-object-access-events-is-set-to-success-and-failure-automated.md): ObjectAccess\_AuditOtherObjectAccessEvents
- [17.6.4 (L1) Ensure 'Audit Removable Storage' is set to 'Success  and Failure' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/17.-advanced-audit-policy-configuration/17.6-object-access/17.6.4-l1-ensure-audit-removable-storage-is-set-to-success-and-failure-automated.md): ObjectAccess\_AuditRemovableStorage
- [18. Administrative Templates (Computer)](https://intune.everything365.online/intune-endpoint-hardening/18.-administrative-templates-computer.md): Administrative Templates (Computer)
- [18.10.26.1.1 (L1) Ensure 'Application: Control Event Log behavior  when the log file reaches its max](https://intune.everything365.online/intune-endpoint-hardening/18.-administrative-templates-computer/18.10.26.1.1-l1-ensure-application-control-event-log-behavior-when-the-log-file-reaches-its-max.md): 18.10.26.1.1 (L1) Ensure 'Application: Control Event Log behavior  when the log file reaches its maximum size' is set to 'Disabled'  (Automated)
- [18.10.26.4.2 (L1) Ensure 'System: Specify the maximum log file  size (KB)' is set to 'Enabled: 32,76](https://intune.everything365.online/intune-endpoint-hardening/18.-administrative-templates-computer/18.10.26.4.2-l1-ensure-system-specify-the-maximum-log-file-size-kb-is-set-to-enabled-32-76.md): 18.10.26.4.2 (L1) Ensure 'System: Specify the maximum log file  size (KB)' is set to 'Enabled: 32,768 or greater' (Automated)
- [18.10.43.16 (L1) Ensure 'Configure detection for potentially  unwanted applications' is set to 'Enab](https://intune.everything365.online/intune-endpoint-hardening/18.-administrative-templates-computer/18.10.43.16-l1-ensure-configure-detection-for-potentially-unwanted-applications-is-set-to-enab.md): 18.10.43.16 (L1) Ensure 'Configure detection for potentially  unwanted applications' is set to 'Enabled: Block' (Automated)
- [18.10.43.17 (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is  set to 'Disabled' (Automated)](https://intune.everything365.online/intune-endpoint-hardening/18.-administrative-templates-computer/18.10.43.17-l1-ensure-turn-off-microsoft-defender-antivirus-is-set-to-disabled-automated.md): 18.10.43.17 (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is  set to 'Disabled' (Automated)


