Policy CSP - Sudo

EnableSudo

Scope	Editions	Applicable OS
✅ Device ❌ User	❌ Pro ❌ Enterprise ❌ Education ❌ Windows SE ❌ IoT Enterprise / IoT Enterprise LTSC	✅ Windows 11, version 24H2 [10.0.26100] and later

./Device/Vendor/MSFT/Policy/Config/Sudo/EnableSudo

This policy setting controls use of the sudo.exe command line tool.

• If you enable this policy setting, then you may set a maximum allowed mode to run sudo in. This restricts the ways in which users may interact with command-line applications run with sudo. You may pick one of the following modes to allow sudo to run in:

"Disabled": sudo is entirely disabled on this machine. When the user tries to run sudo, sudo will print an error message and exit.

"Force new window": When sudo launches a command line application, it will launch that app in a new console window.

"Disable input": When sudo launches a command line application, it will launch the app in the current console window, but the user won't be able to type input to the command line app. The user may also choose to run sudo in "Force new window" mode.

"Normal": When sudo launches a command line application, it will launch the app in the current console window. The user may also choose to run sudo in "Force new window" or "Disable input" mode.

• If you disable this policy or don't configure it, the user will be able to run sudo.exe normally (after enabling the setting in the Settings app).

Description framework properties:

Property name	Property value
Format	int
Access Type	Add, Delete, Get, Replace
Default Value	3

Allowed values:

Value	Description
0	Sudo is disabled.
1	Sudo is allowed in 'force new window' mode.
2	Sudo is allowed in 'disable input' mode.
3 (Default)	Sudo is allowed in 'inline' mode.

Group policy mapping:

Name	Value
Name	EnableSudo
Friendly Name	Configure the behavior of the sudo command
Location	Computer Configuration
Path	System
Registry Key Name	Software\Policies\Microsoft\Windows\Sudo
ADMX File Name	Sudo.admx

Related articles

Policy configuration service provider