Documentation is required to detail what permissions and settings are required for the Windows account that runs Alloy.
We don't have established documentation for this, in part as it depends on their configuration and what they are seeking to monitor. The following should be a reasonable list of permissions, but it's a mix of groups and general advice depending on the requirement.
As this isn't documented and thoroughly tested, there may be iteration required.
- Alloy needs "Event Log Readers" group to use the Windows event log components.
- Alloy needs "Performance Monitor Users" to use many of the features of the Windows exporter.
- Alloy may need "Performance Log Users" for some features of the Windows exporter.
- If they want to use the process & services collectors of the Windows exporter, they'll need access to list all processes/services; I don't know offhand how to configure that without Local System.
- Alloy needs appropriate permissions to manage files in the Alloy Storage directory (default %PROGRAMDATA%\GrafanaLabs\Alloy\data).
- Depending on the components configured, Alloy may also require permissions to request/manage temporary directory files.
- Alloy needs appropriate permissions to read any on-disk log files for applications being monitored. This will require whatever groups define the ACL permissions to read the logs/directories.
- Alloy needs appropriate permissions & proxy configuration to access any network endpoints (Prometheus scrape, Grafana Cloud write destinations, etc.) used to collect & deliver telemetry.
- Alloy needs access to the relevant registry values used to configure Alloy.
- Alloy needs permission to TCP listen on the configured UI port (default 12345).
- Alloy user requires the permission to 'run as a service'.
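
A provisioning sketch for the group and storage-directory items in the list above, added here as an example and not part of the original issue or the Alloy project's own tooling. It assumes a local (non-domain) account with the hypothetical name `svc-alloy`, and it covers only the three built-in groups and the default data directory; log-file ACLs, registry access and the service logon right depend on the deployment and are not handled.

```powershell
#Requires -RunAsAdministrator
# Added example. 'svc-alloy' is a hypothetical account name, not taken from the issue.
$Account = 'svc-alloy'
$DataDir = Join-Path $env:ProgramData 'GrafanaLabs\Alloy\data'   # default storage path from the list
$Groups  = 'Event Log Readers', 'Performance Monitor Users', 'Performance Log Users'

# Create the dedicated, unprivileged local account if it does not exist yet.
if (-not (Get-LocalUser -Name $Account -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $Account"
    New-LocalUser -Name $Account -Password $pw -PasswordNeverExpires `
        -Description 'Alloy service account' | Out-Null
}

# Add the account to each built-in group, skipping groups it already belongs to
# so the script can be re-run safely.
foreach ($g in $Groups) {
    $isMember = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*\$Account" }
    if (-not $isMember) { Add-LocalGroupMember -Group $g -Member $Account }
}

# Grant Modify (not FullControl) on the storage directory, inherited by
# subfolders and files, so the account cannot change the directory's own ACL.
New-Item -ItemType Directory -Path $DataDir -Force | Out-Null
$acl  = Get-Acl -Path $DataDir
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$env:COMPUTERNAME\$Account", 'Modify',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $DataDir -AclObject $acl

# Report the resulting state for review.
foreach ($g in $Groups) {
    $ok = [bool](Get-LocalGroupMember -Group $g | Where-Object { $_.Name -like "*\$Account" })
    '{0,-28} member: {1}' -f $g, $ok
}
(Get-Acl -Path $DataDir).Access |
    Where-Object { $_.IdentityReference -like "*\$Account" } |
    Select-Object IdentityReference, FileSystemRights, IsInherited

# Not handled here: the "Log on as a service" user right (SeServiceLogonRight),
# which still has to be assigned, e.g. in Local Security Policy under
# User Rights Assignment.
```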