Microsoft Windows 11 STIG Version Comparison
Microsoft Windows 11 Security Technical Implementation Guide
Comparison
There are 18 differences between versions v2 r4 (July 2, 2025) (the "left" version) and v2 r6 (Jan. 5, 2026) (the "right" version).
Check WN11-00-000126 was added to the benchmark in the "right" version.
Text Differences
Title
Windows 11 systems must block consumer account user authentication.
Check Content
Verify the "block all consumer Microsoft account user authentication" policy is enabled.
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\MicrosoftAccount
Value Name: DisableUserAuth
Value Type: REG_DWORD
Value: 0x00000001 (1)
If the registry value is not "1", this is a finding.
Discussion
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations (e.g., key missions, functions). The Copilot Rewrite functionality within Notepad and Image Generation within Paint are dependent upon the use of AI credits from a Microsoft 365 Personal or Family subscription. Organizational users must not use personal accounts to log in to applications on enterprise machines.
Fix
Configure the following Group Policy: Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Account >> "block all consumer Microsoft account user authentication" to "Enabled".
For systems managed by Intune, apply the DOD Windows 11 STIG Settings Catalog (or equivalent Intune policy) found in the Intune policy package available on cyber.mil.
Steps to create an Intune policy:
1. Sign in to the Intune admin center >> Devices >> Configuration >> Create >> New Policy.
2. Platform: Windows 10 and later. Profile type: Settings Catalog, then click "Create".
3. Basics: Provide a Name and Description of the profile, then click "Next".
4. Configuration settings: Click "+ Add settings" and search for "consumer" under the Settings picker. Under the Administrative Templates\Windows Components\Microsoft account category, check the box next to "Block all consumer Microsoft account user authentication". Click the Enabled radio button, then click "Next".
5. Scope tags: (optional), then click "Next".
6. Assignments: Assign the policy to Entra security groups that contain the target users or devices, then click "Next".
7. Review + create: Review the deployment summary, then click "Create".
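The following PowerShell script is an added example, not part of the STIG or any DISA tooling. It audits the Check Content above by reading the registry value the check names and reports the result in the STIG's own terms (Open / NotAFinding), treating a missing key or value as a finding, since the check says any value other than "1" is one. The hive, path, value name and required value come from the check text; the function names, parameter names and the output object layout are my own choices. The optional remediation function writes the same REG_DWORD value locally for a standalone or lab machine; on a domain- or Intune-managed device the Group Policy or Settings Catalog configuration described in the Fix is the supported method, and policy refresh will overwrite whatever is written by hand.

```powershell
# Added example (not from the STIG): audit and optional local remediation for
# WN11-00-000126. Registry details are taken from the check; names are assumed.

function Test-ConsumerAccountAuthBlocked {
    [CmdletBinding()]
    param(
        # Registry hive and path from the STIG check (HKEY_LOCAL_MACHINE)
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount',
        [string]$ValueName = 'DisableUserAuth',
        # Required REG_DWORD value from the check: 0x00000001 (1)
        [int]$RequiredValue = 1
    )

    $actual = $null
    $state  = 'KeyMissing'

    if (Test-Path -Path $Path) {
        $state = 'ValueMissing'
        # SilentlyContinue turns an absent value name into $null instead of an error
        $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.$ValueName) {
            $actual = [int]$item.$ValueName
            $state  = 'Present'
        }
    }

    # "If the registry value is not 1, this is a finding": an absent key, an
    # absent value, or any value other than 1 all leave the check Open.
    $compliant = ($state -eq 'Present') -and ($actual -eq $RequiredValue)

    [pscustomobject]@{
        VulnId        = 'WN11-00-000126'
        Path          = $Path
        ValueName     = $ValueName
        ValueState    = $state
        ActualValue   = $actual
        RequiredValue = $RequiredValue
        Status        = if ($compliant) { 'NotAFinding' } else { 'Open' }
    }
}

function Set-ConsumerAccountAuthBlocked {
    # Local-only equivalent of the policy setting; use the GPO/Intune fix on managed
    # devices. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount',
        [string]$ValueName = 'DisableUserAuth',
        [int]$RequiredValue = 1
    )

    if ($PSCmdlet.ShouldProcess("$Path\$ValueName", "Set REG_DWORD to $RequiredValue")) {
        if (-not (Test-Path -Path $Path)) {
            New-Item -Path $Path -Force | Out-Null
        }
        # -Type DWord matches the REG_DWORD value type required by the check
        Set-ItemProperty -Path $Path -Name $ValueName -Value $RequiredValue -Type DWord
    }

    # Re-run the audit so the caller sees the post-change status
    Test-ConsumerAccountAuthBlocked -Path $Path -ValueName $ValueName -RequiredValue $RequiredValue
}

# Run the audit; pipe to Format-List for a readable per-field report
Test-ConsumerAccountAuthBlocked | Format-List
```

Reading HKLM does not require elevation, so the audit function can run under a standard account as part of a wider compliance sweep; the remediation function needs an elevated session because it writes under HKLM\SOFTWARE\Policies.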