Policy CSP - Sudo

EnableSudo

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 11, version 24H2 [10.0.26100] and later

./Device/Vendor/MSFT/Policy/Config/Sudo/EnableSudo

This policy setting controls use of the sudo.exe command line tool.

  • If you enable this policy setting, then you may set a maximum allowed mode to run sudo in. This restricts the ways in which users may interact with command-line applications run with sudo. You may pick one of the following modes to allow sudo to run in:

      - "Disabled": sudo is entirely disabled on this machine. When the user tries to run sudo, sudo will print an error message and exit.

      - "Force new window": When sudo launches a command line application, it will launch that app in a new console window.

      - "Disable input": When sudo launches a command line application, it will launch the app in the current console window, but the user won't be able to type input to the command line app. The user may also choose to run sudo in "Force new window" mode.

      - "Normal": When sudo launches a command line application, it will launch the app in the current console window. The user may also choose to run sudo in "Force new window" or "Disable input" mode.

  • If you disable this policy or don't configure it, the user will be able to run sudo.exe normally (after enabling the setting in the Settings app).

Description framework properties:

| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 3 |

Allowed values:

| Value | Description |
|---|---|
| 0 | Sudo is disabled. |
| 1 | Sudo is allowed in 'force new window' mode. |
| 2 | Sudo is allowed in 'disable input' mode. |
| 3 (Default) | Sudo is allowed in 'inline' mode. |

Group policy mapping:

| Name | Value |
|---|---|
| Name | EnableSudo |
| Friendly Name | Configure the behavior of the sudo command |
| Location | Computer Configuration |
| Path | System |
| Registry Key Name | Software\Policies\Microsoft\Windows\Sudo |
| ADMX File Name | Sudo.admx |
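
Because the setting is a maximum allowed mode, each value also permits the more restrictive modes below it. The following added example (not part of the original documentation) models that ladder for compliance checks and builds a SyncML Replace command for the OMA-URI above; the function names, the baseline comparison and the generic OMA-DM envelope layout are assumptions of the example.

```python
import xml.etree.ElementTree as ET

OMA_URI = "./Device/Vendor/MSFT/Policy/Config/Sudo/EnableSudo"
# Allowed values from this page; 3 is described as "Normal" and listed as 'inline'.
MODES = {0: "Disabled", 1: "Force new window", 2: "Disable input", 3: "Normal"}
DEFAULT_VALUE = 3  # applies when the policy is disabled or not configured


def _validate(value):
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, int) or value not in MODES:
        raise ValueError(f"EnableSudo must be one of {sorted(MODES)}, got {value!r}")
    return value


def permitted_modes(policy_value=None):
    """Upper bound on the modes a user may pick; None means not configured."""
    value = _validate(DEFAULT_VALUE if policy_value is None else policy_value)
    # Value N permits mode N and every more restrictive mode below it; 0 permits none.
    return [MODES[v] for v in range(1, value + 1)]


def exceeds_baseline(policy_value, baseline_max):
    """True when the device permits a less restrictive mode than the baseline."""
    value = _validate(DEFAULT_VALUE if policy_value is None else policy_value)
    return value > _validate(baseline_max)


def syncml_replace(value, cmd_id=1):
    """Build a SyncML Replace command that sets EnableSudo to `value`."""
    root = ET.Element("SyncML", xmlns="SYNCML:SYNCML1.2")
    body = ET.SubElement(root, "SyncBody")
    replace = ET.SubElement(body, "Replace")
    ET.SubElement(replace, "CmdID").text = str(cmd_id)
    item = ET.SubElement(replace, "Item")
    ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = OMA_URI
    fmt = ET.SubElement(ET.SubElement(item, "Meta"), "Format", xmlns="syncml:metinf")
    fmt.text = "int"  # Format from the description framework properties
    ET.SubElement(item, "Data").text = str(_validate(value))
    ET.SubElement(body, "Final")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for reported in (None, 0, 1, 2, 3):  # constructed sample of reported values
        print(reported, permitted_modes(reported), exceeds_baseline(reported, 1))
    print(syncml_replace(1))
```

A device left at the default (3) exceeds a baseline of 1, which is the case a fleet audit would flag when the intended posture is "Force new window" only.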
