Local Security Policies
Win - OIB - SC - Device Security - D - Local Security Policies - v3.0
The Layer 1 default. Hardens UAC behavior, NTLM session security, anonymous SAM access, SMB signing, and related local security options while keeping the built-in Administrator account enabled (the LAPS v3.1 policy rotates its password). Universally compatible across Windows 10 and Windows 11 — no 24H2+ dependency. The only meaningful difference from the (24H2+) v3.6 variant below is the Accounts Enable Administrator Account Status row, which is Enable here and Disable there.
| Name | Value |
| Basics | |
| Name | Win - OIB - SC - Device Security - D - Local Security Policies - v3.0 |
| Description | OIB Layer 1 default. Keeps the built-in Administrator account enabled. Universally compatible (pre-24H2 and 24H2+). |
| Profile type | Settings catalog |
| Platform supported | Windows 10 and later |
| Created | 09 August 2023 15:01:22 |
| Last modified | 05 December 2024 19:42:06 |
| Scope tags | Default |
Table 43. Basics - Win - OIB - SC - Device Security - D - Local Security Policies - v3.0
| Name | Value |
| Local Policies Security Options | |
| Accounts Enable Administrator Account Status | Enable |
| Accounts Enable Guest Account Status | Disable |
| Accounts Limit Local Account Use Of Blank Passwords To Console Logon Only | Enabled |
| Interactive Logon Smart Card Removal Behavior | Lock Workstation |
| Microsoft Network Client Digitally Sign Communications Always | Enable |
| Microsoft Network Client Send Unencrypted Password To Third Party SMB Servers | Disable |
| Microsoft Network Server Digitally Sign Communications Always | Enable |
| Network Access Do Not Allow Anonymous Enumeration Of SAM Accounts | Enabled |
| Network Access Do Not Allow Anonymous Enumeration Of Sam Accounts And Shares | Enabled |
| Network Access Restrict Anonymous Access To Named Pipes And Shares | Enable |
| Network Access Restrict Clients Allowed To Make Remote Calls To SAM | O:BAG:BAD:(A;;RC;;;BA) |
| Network Security Do Not Store LAN Manager Hash Value On Next Password Change | Enable |
| Network Security LAN Manager Authentication Level | Send NTLMv2 responses only. Refuse LM and NTLM |
| Network Security Minimum Session Security For NTLMSSP Based Clients | Require NTLM and 128-bit encryption |
| Network Security Minimum Session Security For NTLMSSP Based Servers | Require NTLM and 128-bit encryption |
| User Account Control Behavior Of The Elevation Prompt For Administrators | Prompt for consent on the secure desktop |
| User Account Control Behavior Of The Elevation Prompt For Standard Users | Prompt for credentials on the secure desktop |
| User Account Control Detect Application Installations And Prompt For Elevation | Enable |
| User Account Control Only Elevate UI Access Applications That Are Installed In Secure Locations | Enabled: Application runs with UIAccess integrity only if it resides in secure location. |
| User Account Control Run All Administrators In Admin Approval Mode | Enabled |
| User Account Control Switch To The Secure Desktop When Prompting For Elevation | Enabled |
| User Account Control Use Admin Approval Mode | Enable |
| User Account Control Virtualize File And Registry Write Failures To Per User Locations | Enabled |
Table 44. Settings - Win - OIB - SC - Device Security - D - Local Security Policies - v3.0
Win - OIB - SC - Device Security - D - Local Security Policies (24H2+) - v3.6
Optional advanced variant — uniform Win11 24H2+ fleets only, paired with (24H2+) LAPS
This is the (24H2+) variant that disables the built-in Administrator account. Must be paired with (24H2+) LAPS, which provisions a custom managed admin account to replace it. Deploying (24H2+) LSP without (24H2+) LAPS leaves devices with no local admin account at all — recovery requires WinRE console or a separate Intune policy to re-enable. See the matched-pair note in Chapter 12 → Layered Deployment Strategy.
| Name | Value |
| Basics | |
| Name | Win - OIB - SC - Device Security - D - Local Security Policies (24H2+) - v3.6 |
| Description | NOTE: For 24H2+ devices only. Disables built-in Administrator account. |
| Profile type | Settings catalog |
| Platform supported | Windows 10 and later |
| Created | 01 April 2025 15:02:22 |
| Last modified | 12 May 2025 14:28:34 |
| Scope tags | Default |
Table 43a. Basics - Win - OIB - SC - Device Security - D - Local Security Policies (24H2+) - v3.6
| Name | Value |
| Local Policies Security Options | |
| Accounts Enable Administrator Account Status | Disable |
| Accounts Enable Guest Account Status | Disable |
| Accounts Limit Local Account Use Of Blank Passwords To Console Logon Only | Enabled |
| Interactive Logon Smart Card Removal Behavior | Lock Workstation |
| Microsoft Network Client Digitally Sign Communications Always | Enable |
| Microsoft Network Client Send Unencrypted Password To Third Party SMB Servers | Disable |
| Microsoft Network Server Digitally Sign Communications Always | Enable |
| Network Access Do Not Allow Anonymous Enumeration Of SAM Accounts | Enabled |
| Network Access Do Not Allow Anonymous Enumeration Of Sam Accounts And Shares | Enabled |
| Network Access Restrict Anonymous Access To Named Pipes And Shares | Enable |
| Network Access Restrict Clients Allowed To Make Remote Calls To SAM | O:BAG:BAD:(A;;RC;;;BA) |
| Network Security Do Not Store LAN Manager Hash Value On Next Password Change | Enable |
| Network Security LAN Manager Authentication Level | Send NTLMv2 responses only. Refuse LM and NTLM |
| Network Security Minimum Session Security For NTLMSSP Based Clients | Require NTLM and 128-bit encryption |
| Network Security Minimum Session Security For NTLMSSP Based Servers | Require NTLM and 128-bit encryption |
| User Account Control Behavior Of The Elevation Prompt For Administrators | Prompt for consent on the secure desktop |
| User Account Control Behavior Of The Elevation Prompt For Standard Users | Prompt for credentials on the secure desktop |
| User Account Control Detect Application Installations And Prompt For Elevation | Enable |
| User Account Control Only Elevate UI Access Applications That Are Installed In Secure Locations | Enabled: Application runs with UIAccess integrity only if it resides in secure location. |
| User Account Control Run All Administrators In Admin Approval Mode | Enabled |
| User Account Control Switch To The Secure Desktop When Prompting For Elevation | Enabled |
| User Account Control Use Admin Approval Mode | Enable |
| User Account Control Virtualize File And Registry Write Failures To Per User Locations | Enabled |
Table 44a. Settings - Win - OIB - SC - Device Security - D - Local Security Policies (24H2+) - v3.6
📩 Don't Miss the Next Solution
Join the list to see the real-time solutions I'm delivering to my GCC High clients.