CIS Microsoft Windows 11 Enterprise v1.0.0 BL

Audit Details

Name: CIS Microsoft Windows 11 Enterprise v1.0.0 BL

Updated: 4/25/2022

Authority: CIS

Plugin: Windows

Revision: 1.1

Estimated Item Count: 54

File Details

Filename: CIS_MS_Windows_11_Enterprise_Bitlocker_v1.0.0.audit

Size: 155 kB

MD5: 0b856a27af8e63a9d094ddddf5a8ab55
SHA256: f781ad4d3d8fcb766997911904758e8997126f0fedb040fcf1ae0efe2995dca2

Audit Items

DescriptionCategories
2.3.7.3 Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'

ACCESS CONTROL

18.8.7.1.1 Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'

CONFIGURATION MANAGEMENT

18.8.7.1.2 Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A'

CONFIGURATION MANAGEMENT

18.8.7.1.3 Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked)

CONFIGURATION MANAGEMENT

18.8.7.1.4 Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'

CONFIGURATION MANAGEMENT

18.8.7.1.5 Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes'

CONFIGURATION MANAGEMENT

18.8.7.1.6 Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)

CONFIGURATION MANAGEMENT

18.8.26.1 Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

18.8.34.6.3 Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

18.8.34.6.4 Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

18.9.11.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'

RISK ASSESSMENT

18.9.11.1.2 Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'

RISK ASSESSMENT

18.9.11.1.3 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'

RISK ASSESSMENT

18.9.11.1.4 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password'

RISK ASSESSMENT

18.9.11.1.5 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key'

RISK ASSESSMENT

18.9.11.1.6 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'

RISK ASSESSMENT

18.9.11.1.7 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'

RISK ASSESSMENT

18.9.11.1.8 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'

RISK ASSESSMENT

18.9.11.1.9 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'

RISK ASSESSMENT

18.9.11.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'

RISK ASSESSMENT

18.9.11.1.11 Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'

IDENTIFICATION AND AUTHENTICATION

18.9.11.1.12 Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'

IDENTIFICATION AND AUTHENTICATION

18.9.11.1.13 Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'

IDENTIFICATION AND AUTHENTICATION

18.9.11.2.1 Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'

IDENTIFICATION AND AUTHENTICATION

18.9.11.2.2 Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'

CONFIGURATION MANAGEMENT

18.9.11.2.3 Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'

RISK ASSESSMENT

18.9.11.2.4 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'

RISK ASSESSMENT

18.9.11.2.5 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password'

RISK ASSESSMENT

18.9.11.2.6 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'

RISK ASSESSMENT

18.9.11.2.7 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'

RISK ASSESSMENT

18.9.11.2.8 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'

RISK ASSESSMENT

18.9.11.2.9 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages'

RISK ASSESSMENT

18.9.11.2.10 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'

RISK ASSESSMENT

18.9.11.2.11 Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'

RISK ASSESSMENT

18.9.11.2.12 Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'

IDENTIFICATION AND AUTHENTICATION

18.9.11.2.13 Ensure 'Require additional authentication at startup' is set to 'Enabled'

RISK ASSESSMENT

18.9.11.2.14 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'

RISK ASSESSMENT

18.9.11.3.1 Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled'

RISK ASSESSMENT

18.9.11.3.2 Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'

IDENTIFICATION AND AUTHENTICATION

18.9.11.3.3 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'

IDENTIFICATION AND AUTHENTICATION

18.9.11.3.4 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password'

IDENTIFICATION AND AUTHENTICATION

18.9.11.3.5 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'

IDENTIFICATION AND AUTHENTICATION

18.9.11.3.6 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'

IDENTIFICATION AND AUTHENTICATION

18.9.11.3.7 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False'

IDENTIFICATION AND AUTHENTICATION

18.9.11.3.8 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages'

IDENTIFICATION AND AUTHENTICATION

18.9.11.3.9 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False'

IDENTIFICATION AND AUTHENTICATION

18.9.11.3.10 Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled'

IDENTIFICATION AND AUTHENTICATION

18.9.11.3.11 Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled'

IDENTIFICATION AND AUTHENTICATION

18.9.11.3.12 Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'

IDENTIFICATION AND AUTHENTICATION

18.9.11.3.13 Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True'

IDENTIFICATION AND AUTHENTICATION