Have you ensured that all your laptops, computers, servers, tablets, mobile devices and cloud services only contain necessary user accounts that are regularly used in the course of your business?
What this question is really asking
Confirm that auto-run and auto-play features are disabled on all devices. These features automatically execute software when removable media is connected — a classic malware delivery vector. Group Policy on Windows, MDM profiles on macOS and iOS, and equivalent controls on other platforms are the standard enforcement mechanisms.
What satisfies this requirement
Yes or No
Remove or disable all unneeded user accounts on all devices and cloud services, including guest accounts.
What to prepare before your assessor visit
This is typically managed through Group Policy on Windows or MDM profiles on managed devices. The key phrase assessors want to hear is 'technically enforced' — a policy document stating that auto-run must be disabled is not the same as a configuration that actually prevents it. Show the GPO setting or MDM profile entry and be ready to confirm it is applied to all in-scope devices.
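One way to produce that evidence on a Windows device, as an added example that is not part of the original page: the script reads the registry values written by the three Group Policy settings under "AutoPlay Policies" and reports whether each holds the disabling value. It assumes machine-level (HKLM) policy; per-user settings are not checked.

```powershell
# Added example: report whether AutoPlay/AutoRun is disabled by machine policy.
# Each entry is a Group Policy setting under
# Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies
# together with the registry value it writes and the value that disables the feature.
$checks = @(
    @{ Setting  = 'Turn off Autoplay (all drives)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name     = 'NoDriveTypeAutoRun'
       Expected = 255 },
    @{ Setting  = 'Set the default behavior for AutoRun (do not execute)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name     = 'NoAutorun'
       Expected = 1 },
    @{ Setting  = 'Disallow Autoplay for non-volume devices'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
       Name     = 'NoAutoplayfornonVolume'
       Expected = 1 }
)

$results = foreach ($c in $checks) {
    # A missing key or value means the policy is not configured on this device.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Name) } else { $null }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Setting  = $c.Setting
        Value    = $c.Name
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
        Enforced = ($actual -eq $c.Expected)
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a deployment or monitoring tool flag non-compliant devices.
if ($results.Enforced -contains $false) { exit 1 }
```

A matching registry value shows the setting is present on the device; running `gpresult /h report.html` on the same machine shows which GPO applied it.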
How this question sits across CE versions