CIS Windows 8 L1 v1.0.0

Audit Details

Name: CIS Windows 8 L1 v1.0.0

Updated: 4/12/2023

Authority: CIS

Plugin: Windows

Revision: 1.58

Estimated Item Count: 399

File Details

Filename: CIS_MS_Windows_8_Level_1_v1.0.0.audit

Size: 546 kB

MD5: c1f6ee3d16b2aa22eefc5c84de974be7
SHA256: 31b1db777b3b3969294fa18a25acf2e698f74c2fa6738e182a6f484d5a536b71

Audit Changelog

Revision 1.58

Apr 12, 2023

Functional Update
  • 1.1.1.4 Set 'Minimum password length' to '14 or more character(s)'
  • 1.1.1.5 Set 'Enforce password history' to '24 or more password(s)'
  • 1.1.1.8 Set 'Minimum password age' to '1 or more day(s)'
  • 1.1.1.9 Set 'Maximum password age' to '60 or fewer days'
Miscellaneous
  • Metadata updated.
  • Platform check updated.
  • Variables updated.
Revision 1.57

Mar 8, 2023

Functional Update
  • 1.1.3.1.6 Set 'Accounts: Limit local account use of blank passwords to console logon only' to 'Enabled'
  • 1.1.5.1.6 Set 'Windows Firewall: Domain: Allow unicast response' to 'No'
  • 1.2.4.2.1.16 Set 'Require use of smart cards on fixed data drives' to 'True'
  • 1.2.4.2.1.6 Set 'Use BitLocker software-based encryption when hardware encryption is not available' to 'True'
  • 1.2.4.2.3.15 Set 'Configure use of smart cards on removable data drives' to 'Enabled'
  • 1.2.4.2.3.16 Set 'Require use of smart cards on removable data drives' to 'True'
  • 1.2.4.2.3.6 Set 'Use BitLocker software-based encryption when hardware encryption is not available' to 'True'
Miscellaneous
  • References updated.
Revision 1.56

Mar 7, 2023

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.55

Jan 4, 2023

Miscellaneous
  • Metadata updated.
Revision 1.54

Dec 7, 2022

Miscellaneous
  • Variables updated.
Revision 1.53

Oct 6, 2022

Functional Update
  • 1.1.2.44 Set 'Audit Policy: Logon-Logoff: Special Logon' to 'Success'
  • 1.1.2.55 Set 'Audit Policy: Policy Change: Authentication Policy Change' to 'Success'
  • 1.1.3.1.1 Set 'Accounts: Block Microsoft accounts' to 'Users can't add or log on with Microsoft accounts'
  • 1.1.3.10.1 Set 'Network access: Let Everyone permissions apply to anonymous users' to 'Disabled'
  • 1.1.3.10.4 Configure 'Network access: Named Pipes that can be accessed anonymously'
  • 1.1.3.11.12 Set 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' to 'Disabled'
  • 1.1.3.12.1 Set 'Recovery console: Allow automatic administrative logon' to 'Disabled'
  • 1.1.3.12.2 Set 'Recovery console: Allow floppy copy and access to all drives and all folders' to 'Disabled'
  • 1.1.3.13.1 Set 'Shutdown: Clear virtual memory pagefile' to 'Disabled'
  • 1.1.3.13.2 Set 'Shutdown: Allow system to be shut down without having to log on' to 'Enabled'
  • 1.1.3.14.1 Configure 'System cryptography: Force strong key protection for user keys stored on the computer'
  • 1.1.3.14.2 Set 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' to 'Enabled'
  • 1.1.3.15.1 Set 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' to 'Enabled'
  • 1.1.3.15.2 Set 'System objects: Require case insensitivity for non-Windows subsystems' to 'Enabled'
  • 1.1.3.17.8 Set 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' to 'Disabled'
  • 1.1.3.17.9 Set 'User Account Control: Only elevate executables that are signed and validated' to 'Disabled'
  • 1.1.3.2.1 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled'
  • 1.1.3.2.3 Configure 'Audit: Audit the use of Backup and Restore privilege'
  • 1.1.3.2.4 Configure 'Audit: Audit the access of global system objects'
  • 1.1.3.4.2 Configure 'Devices: Restrict floppy access to locally logged-on user only'
  • 1.1.3.4.3 Set 'Devices: Allowed to format and eject removable media' to 'Administrators and Interactive Users'
  • 1.1.3.5.6 Set 'Domain member: Disable machine account password changes' to 'Disabled'
  • 1.1.3.6.3 Configure 'Interactive logon: Require smart card'
  • 1.1.3.6.4 Set 'Interactive logon: Do not display last user name' to 'Enabled'
  • 1.1.3.6.5 Set 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' to '4 or fewer logon(s)'
  • 1.1.3.6.6 Set 'Interactive logon: Require Domain Controller authentication to unlock workstation' to 'Disabled'
  • 1.1.3.6.8 Set 'Interactive logon: Do not require CTRL+ALT+DEL' to 'Disabled'
  • 1.1.3.7.1 Set 'Microsoft network client: Send unencrypted password to third-party SMB servers' to 'Disabled'
  • 1.1.3.8.4 Set 'Microsoft network server: Server SPN target name validation level' to 'Accept if provided by client'
  • 1.1.3.9.13 Configure 'MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)'
  • 1.1.3.9.3 Set 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' to 'Disabled'
  • 1.1.3.9.4 Set 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' to '<= 0.9'
  • 1.1.3.9.9 Configure 'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.'
  • 1.1.5.2.10 Set 'Windows Firewall: Private: Logging: Log successful connections' to 'Yes'
  • 1.1.5.2.11 Set 'Windows Firewall: Private: Logging: Log dropped packets' to 'Yes'
  • 1.1.5.2.7 Set 'Inbound Connections' to 'Enabled:Block (default)'
  • 1.1.5.3.11 Set 'Inbound Connections' to 'Enabled:Block (default)'
  • 1.2.1.2 Configure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain'
  • 1.2.1.3 Configure 'Prohibit connection to non-domain networks when connected to domain authenticated network'
  • 1.2.3.1.1 Configure 'Turn off access to the Store'
  • 1.2.3.1.7 Configure 'Turn off Event Viewer 'Events.asp' links'
  • 1.2.3.11 Set 'Select update server:' to 'Enabled:Search Managed Server'
  • 1.2.3.13 Set 'Prevent installation of devices using drivers that match these device setup classes' to 'Enabled'
  • 1.2.3.14 Set 'Also apply to matching devices that are already installed' to 'True'
  • 1.2.3.2.1 Set 'Turn on PIN sign-in' to 'Disabled'
  • 1.2.3.2.4 Set 'Do not enumerate connected users on domain-joined computers' to 'Enabled'
  • 1.2.3.2.5 Configure 'Turn off app notifications on the lock screen'
  • 1.2.3.2.6 Set 'Enumerate local users on domain-joined computers' to 'Disabled'
  • 1.2.3.4.1 Set 'Configure Solicited Remote Assistance' to 'Disabled'
  • 1.2.3.4.2 Set 'Configure Offer Remote Assistance' to 'Disabled'
  • 1.2.3.5 Set 'RPC Runtime Unauthenticated Client Restriction to Apply:' to 'Enabled:Authenticated'
  • 1.2.3.6 Set 'Enable RPC Endpoint Mapper Client Authentication' to 'Disabled'
  • 1.2.3.7 Set 'Do not apply during periodic background processing' to 'Enabled:FALSE'
  • 1.2.3.8 Set 'Process even if the Group Policy objects have not changed' to 'Enabled:TRUE'
  • 1.2.3.9 Set 'Choose the boot-start drivers that can be initialized:' to 'Enabled:Good, unknown and bad but critical'
  • 1.2.4.10 Configure 'Turn off the Store application'
  • 1.2.4.11 Set 'Always install with elevated privileges' to 'Disabled'
  • 1.2.4.14 Set 'Pick one of the following settings' to 'Enabled:Require approval from an administrator before running downloaded unknown'
  • 1.2.4.17 Configure 'Turn off location'
  • 1.2.4.19 Configure 'Turn off Windows Location Provider'
  • 1.2.4.2.1.1 Set 'Configure use of hardware-based encryption for fixed data drives' to 'Enabled'
  • 1.2.4.2.1.10 Set 'Choose how BitLocker-protected fixed drives can be recovered' to 'Enabled'
  • 1.2.4.2.1.11 Set 'Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' to 'False'
  • 1.2.4.2.1.12 Set 'Configure storage of BitLocker recovery information to AD DS:' to 'Backup recovery passwords and key packages'
  • 1.2.4.2.1.13 Set 'Save BitLocker recovery information to AD DS for fixed data drives' to 'False'
  • 1.2.4.2.1.14 Set 'Omit recovery options from the BitLocker setup wizard' to 'True'
  • 1.2.4.2.1.15 Set 'Configure use of smart cards on fixed data drives' to 'Enabled'
  • 1.2.4.2.1.16 Set 'Require use of smart cards on fixed data drives' to 'True'
  • 1.2.4.2.1.17 Configure 'Deny write access to fixed drives not protected by BitLocker'
  • 1.2.4.2.1.18 Set 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' to 'Disabled'
  • 1.2.4.2.1.3 Set 'Configure use of passwords for fixed data drives' to 'Disabled'
  • 1.2.4.2.1.4 Set 'Recovery Key' to 'Allow 256-bit recovery key'
  • 1.2.4.2.1.5 Set 'Recovery Password' to 'Allow 48-digit recovery password'
  • 1.2.4.2.1.6 Set 'Use BitLocker software-based encryption when hardware encryption is not available' to 'True'
  • 1.2.4.2.1.7 Set 'Restrict crypto algorithms or cipher suites to the following:' to '2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42'
  • 1.2.4.2.1.8 Set 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' to 'False'
  • 1.2.4.2.1.9 Set 'Allow data recovery agent' to 'True'
  • 1.2.4.2.2.1 Set 'Configure use of hardware-based encryption for operating system drives' to 'Enabled'
  • 1.2.4.2.2.10 Set 'Choose how BitLocker-protected operating system drives can be recovered' to 'Enabled'
  • 1.2.4.2.2.11 Set 'Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' to 'True'
  • 1.2.4.2.2.12 Set 'Configure storage of BitLocker recovery information to AD DS:' to 'Store recovery passwords and key packages'
  • 1.2.4.2.2.13 Set 'Save BitLocker recovery information to AD DS for operating system drives' to 'True'
  • 1.2.4.2.2.14 Set 'Omit recovery options from the BitLocker setup wizard' to 'True'
  • 1.2.4.2.2.15 Set 'Require additional authentication at startup' to 'Enabled'
  • 1.2.4.2.2.16 Set 'Allow BitLocker without a compatible TPM' to 'False'
  • 1.2.4.2.2.18 Set 'Configure TPM startup PIN:' to 'Require startup PIN with TPM'
  • 1.2.4.2.2.19 Set 'Configure TPM startup:' to 'Do not allow TPM'
  • 1.2.4.2.2.20 Set 'Configure TPM startup key:' to 'Do not allow startup key with TPM'
  • 1.2.4.2.2.21 Configure 'Use enhanced Boot Configuration Data validation profile'
  • 1.2.4.2.2.22 Configure 'Enable use of BitLocker authentication requiring preboot keyboard input on slates'
  • 1.2.4.2.2.23 Configure 'Configure TPM platform validation profile for BIOS-based firmware configurations'
  • 1.2.4.2.2.24 Configure 'Configure TPM platform validation profile for native UEFI firmware configurations'
  • 1.2.4.2.2.25 Set 'Allow enhanced PINs for startup' to 'Enabled'
  • 1.2.4.2.2.26 Configure 'Disallow standard users from changing the PIN or password'
  • 1.2.4.2.2.27 Set 'Allow Secure Boot for integrity validation' to 'Enabled'
  • 1.2.4.2.2.28 Set 'Minimum characters:' to 'Enabled:7 or more characters'
  • 1.2.4.2.2.29 Configure 'Allow network unlock at startup'
  • 1.2.4.2.2.3 Set 'Configure use of passwords for operating system drives' to 'Disabled'
  • 1.2.4.2.2.30 Configure 'Reset platform validation data after BitLocker recovery'
  • 1.2.4.2.2.4 Set 'Recovery Key' to 'Do not allow 256-bit recovery key'
  • 1.2.4.2.2.5 Set 'Recovery Password' to 'Require 48-digit recovery password'
  • 1.2.4.2.2.6 Set 'Use BitLocker software-based encryption when hardware encryption is not available' to 'True'
  • 1.2.4.2.2.7 Set 'Restrict crypto algorithms or cipher suites to the following:' to '2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42'
  • 1.2.4.2.2.8 Set 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' to 'False'
  • 1.2.4.2.2.9 Set 'Allow data recovery agent' to 'False'
  • 1.2.4.2.3.1 Set 'Configure use of hardware-based encryption for removable data drives' to 'Enabled'
  • 1.2.4.2.3.10 Set 'Choose how BitLocker-protected removable drives can be recovered' to 'Enabled'
  • 1.2.4.2.3.11 Set 'Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' to 'False'
  • 1.2.4.2.3.12 Set 'Configure storage of BitLocker recovery information to AD DS:' to 'Backup recovery passwords and key packages'
  • 1.2.4.2.3.13 Set 'Save BitLocker recovery information to AD DS for removable data drives' to 'False'
  • 1.2.4.2.3.14 Set 'Omit recovery options from the BitLocker setup wizard' to 'True'
  • 1.2.4.2.3.15 Set 'Configure use of smart cards on removable data drives' to 'Enabled'
  • 1.2.4.2.3.16 Set 'Require use of smart cards on removable data drives' to 'True'
  • 1.2.4.2.3.17 Set 'Deny write access to removable drives not protected by BitLocker' to 'Enabled'
  • 1.2.4.2.3.18 Set 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' to 'Disabled'
  • 1.2.4.2.3.19 Configure 'Control use of BitLocker on removable drives'
  • 1.2.4.2.3.20 Set 'Do not allow write access to devices configured in another organization' to 'True'
  • 1.2.4.2.3.3 Set 'Configure use of passwords for removable data drives' to 'Disabled'
  • 1.2.4.2.3.4 Set 'Recovery Key' to 'Do not allow 256-bit recovery key'
  • 1.2.4.2.3.5 Set 'Recovery Password' to 'Do not allow 48-digit recovery password'
  • 1.2.4.2.3.6 Set 'Use BitLocker software-based encryption when hardware encryption is not available' to 'True'
  • 1.2.4.2.3.7 Set 'Restrict crypto algorithms or cipher suites to the following:' to '2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42'
  • 1.2.4.2.3.8 Set 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' to 'False'
  • 1.2.4.2.3.9 Set 'Allow data recovery agent' to 'True'
  • 1.2.4.2.5 Set 'Select the encryption method:' to 'Enabled:AES 256-bit'
  • 1.2.4.2.6 Configure 'Prevent memory overwrite on restart'
  • 1.2.4.6.3 Set 'Allow Basic authentication' to 'Disabled'
  • 1.2.4.6.5 Set 'Allow unencrypted traffic' to 'Disabled'
  • 1.2.4.7.2 Set 'Reschedule Automatic Updates scheduled installations' to 'Enabled'
  • 1.2.4.7.4 Set 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' to 'Disabled'
  • 1.2.4.7.5 Set 'Configure Automatic Updates' to 'Enabled'
  • 1.2.4.7.7 Set 'Scheduled install day' to '0 - Every day'
  • 1.2.4.7.8 Set 'No auto-restart with logged on users for scheduled automatic updates installations' to 'Disabled'
  • 1.2.4.7.9 Set 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' to 'Disabled'
  • 1.2.4.8 Configure 'Allow the use of biometrics'
  • 2.13 Configure 'Turn off toast notifications on the lock screen'
Informational Update
  • 1.2.4.2.1.1 Set 'Configure use of hardware-based encryption for fixed data drives' to 'Enabled'
  • 1.2.4.2.1.10 Set 'Choose how BitLocker-protected fixed drives can be recovered' to 'Enabled'
  • 1.2.4.2.1.11 Set 'Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' to 'False'
  • 1.2.4.2.1.12 Set 'Configure storage of BitLocker recovery information to AD DS:' to 'Backup recovery passwords and key packages'
  • 1.2.4.2.1.13 Set 'Save BitLocker recovery information to AD DS for fixed data drives' to 'False'
  • 1.2.4.2.1.14 Set 'Omit recovery options from the BitLocker setup wizard' to 'True'
  • 1.2.4.2.1.15 Set 'Configure use of smart cards on fixed data drives' to 'Enabled'
  • 1.2.4.2.1.16 Set 'Require use of smart cards on fixed data drives' to 'True'
  • 1.2.4.2.1.17 Configure 'Deny write access to fixed drives not protected by BitLocker'
  • 1.2.4.2.1.18 Set 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' to 'Disabled'
  • 1.2.4.2.1.3 Set 'Configure use of passwords for fixed data drives' to 'Disabled'
  • 1.2.4.2.1.4 Set 'Recovery Key' to 'Allow 256-bit recovery key'
  • 1.2.4.2.1.5 Set 'Recovery Password' to 'Allow 48-digit recovery password'
  • 1.2.4.2.1.6 Set 'Use BitLocker software-based encryption when hardware encryption is not available' to 'True'
  • 1.2.4.2.1.7 Set 'Restrict crypto algorithms or cipher suites to the following:' to '2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42'
  • 1.2.4.2.1.8 Set 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' to 'False'
  • 1.2.4.2.1.9 Set 'Allow data recovery agent' to 'True'
  • 1.2.4.2.2.1 Set 'Configure use of hardware-based encryption for operating system drives' to 'Enabled'
  • 1.2.4.2.2.10 Set 'Choose how BitLocker-protected operating system drives can be recovered' to 'Enabled'
  • 1.2.4.2.2.11 Set 'Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' to 'True'
  • 1.2.4.2.2.12 Set 'Configure storage of BitLocker recovery information to AD DS:' to 'Store recovery passwords and key packages'
  • 1.2.4.2.2.13 Set 'Save BitLocker recovery information to AD DS for operating system drives' to 'True'
  • 1.2.4.2.2.14 Set 'Omit recovery options from the BitLocker setup wizard' to 'True'
  • 1.2.4.2.2.15 Set 'Require additional authentication at startup' to 'Enabled'
  • 1.2.4.2.2.16 Set 'Allow BitLocker without a compatible TPM' to 'False'
  • 1.2.4.2.2.18 Set 'Configure TPM startup PIN:' to 'Require startup PIN with TPM'
  • 1.2.4.2.2.19 Set 'Configure TPM startup:' to 'Do not allow TPM'
  • 1.2.4.2.2.20 Set 'Configure TPM startup key:' to 'Do not allow startup key with TPM'
  • 1.2.4.2.2.21 Configure 'Use enhanced Boot Configuration Data validation profile'
  • 1.2.4.2.2.22 Configure 'Enable use of BitLocker authentication requiring preboot keyboard input on slates'
  • 1.2.4.2.2.23 Configure 'Configure TPM platform validation profile for BIOS-based firmware configurations'
  • 1.2.4.2.2.24 Configure 'Configure TPM platform validation profile for native UEFI firmware configurations'
  • 1.2.4.2.2.25 Set 'Allow enhanced PINs for startup' to 'Enabled'
  • 1.2.4.2.2.26 Configure 'Disallow standard users from changing the PIN or password'
  • 1.2.4.2.2.27 Set 'Allow Secure Boot for integrity validation' to 'Enabled'
  • 1.2.4.2.2.28 Set 'Minimum characters:' to 'Enabled:7 or more characters'
  • 1.2.4.2.2.29 Configure 'Allow network unlock at startup'
  • 1.2.4.2.2.3 Set 'Configure use of passwords for operating system drives' to 'Disabled'
  • 1.2.4.2.2.30 Configure 'Reset platform validation data after BitLocker recovery'
  • 1.2.4.2.2.4 Set 'Recovery Key' to 'Do not allow 256-bit recovery key'
  • 1.2.4.2.2.5 Set 'Recovery Password' to 'Require 48-digit recovery password'
  • 1.2.4.2.2.6 Set 'Use BitLocker software-based encryption when hardware encryption is not available' to 'True'
  • 1.2.4.2.2.7 Set 'Restrict crypto algorithms or cipher suites to the following:' to '2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42'
  • 1.2.4.2.2.8 Set 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' to 'False'
  • 1.2.4.2.2.9 Set 'Allow data recovery agent' to 'False'
  • 1.2.4.2.3.1 Set 'Configure use of hardware-based encryption for removable data drives' to 'Enabled'
  • 1.2.4.2.3.10 Set 'Choose how BitLocker-protected removable drives can be recovered' to 'Enabled'
  • 1.2.4.2.3.11 Set 'Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' to 'False'
  • 1.2.4.2.3.12 Set 'Configure storage of BitLocker recovery information to AD DS:' to 'Backup recovery passwords and key packages'
  • 1.2.4.2.3.13 Set 'Save BitLocker recovery information to AD DS for removable data drives' to 'False'
  • 1.2.4.2.3.14 Set 'Omit recovery options from the BitLocker setup wizard' to 'True'
  • 1.2.4.2.3.15 Set 'Configure use of smart cards on removable data drives' to 'Enabled'
  • 1.2.4.2.3.16 Set 'Require use of smart cards on removable data drives' to 'True'
  • 1.2.4.2.3.17 Set 'Deny write access to removable drives not protected by BitLocker' to 'Enabled'
  • 1.2.4.2.3.18 Set 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' to 'Disabled'
  • 1.2.4.2.3.19 Configure 'Control use of BitLocker on removable drives'
  • 1.2.4.2.3.20 Set 'Do not allow write access to devices configured in another organization' to 'True'
  • 1.2.4.2.3.3 Set 'Configure use of passwords for removable data drives' to 'Disabled'
  • 1.2.4.2.3.4 Set 'Recovery Key' to 'Do not allow 256-bit recovery key'
  • 1.2.4.2.3.5 Set 'Recovery Password' to 'Do not allow 48-digit recovery password'
  • 1.2.4.2.3.6 Set 'Use BitLocker software-based encryption when hardware encryption is not available' to 'True'
  • 1.2.4.2.3.7 Set 'Restrict crypto algorithms or cipher suites to the following:' to '2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42'
  • 1.2.4.2.3.8 Set 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' to 'False'
  • 1.2.4.2.3.9 Set 'Allow data recovery agent' to 'True'
  • 1.2.4.2.5 Set 'Select the encryption method:' to 'Enabled:AES 256-bit'
  • 1.2.4.2.6 Configure 'Prevent memory overwrite on restart'
Miscellaneous
  • References updated.
Removed
  • 1.1.5.1.10 Set 'Inbound Connections' to 'Enabled:Block (default)'
  • 1.2.4.2.2.17 Set 'Configure TPM startup key and PIN:' to 'Do not allow startup key and PIN with TPM'
  • 1.2.4.2.3.2 Configure 'Enforce drive encryption type on removable data drives'
  • 1.2.4.6.2 Set 'Allow Basic authentication' to 'Disabled'
  • BitLocker is not enabled.
Revision 1.52

Apr 25, 2022

Miscellaneous
  • Metadata updated.
Revision 1.51

Mar 29, 2022

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.50

Jun 17, 2021

Miscellaneous
  • Metadata updated.
  • References updated.
Added
  • 1.2.4.13 Configure 'Allow all trusted apps to install'
Removed
  • 1.2.4.13 Configure 'Allow all trusted apps to install'
Revision 1.49

Nov 17, 2020

Functional Update
  • 1.1.4.2 Set 'Deny log on through Remote Desktop Services' to 'Guests'
  • 1.1.4.21 Set 'Deny log on locally' to 'Guests'
  • 1.1.4.22 Set 'Profile system performance' to 'NT SERVICE\WdiServiceHost,Administrators'
  • 1.1.4.29 Set 'Deny log on as a batch job' to 'Guests'
  • 1.1.4.3 Set 'Deny access to this computer from the network' to 'Guests'
  • 1.1.4.33 Configure 'Deny log on as a service'