| 1.1 (L1) Ensure 'Allow Cortana Above Lock' is set to 'Block' | CONFIGURATION MANAGEMENT |
| 3.1.3.1 (L1) Ensure 'Enable screen saver (User)' is set to 'Enabled' | ACCESS CONTROL |
| 3.1.3.2 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' | ACCESS CONTROL |
| 3.1.3.3 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' | ACCESS CONTROL |
| 3.4.1 (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' | ACCESS CONTROL |
| 3.4.2 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' | CONFIGURATION MANAGEMENT |
| 3.4.3 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' | CONFIGURATION MANAGEMENT |
| 3.4.4 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' | SYSTEM AND INFORMATION INTEGRITY |
| 3.4.5 (L1) Ensure 'WDigest Authentication' is set to 'Disabled' | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.5 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.5.7 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.5.9 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' | SYSTEM AND INFORMATION INTEGRITY |
| 3.5.10 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' | ACCESS CONTROL |
| 3.5.13 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | AUDIT AND ACCOUNTABILITY |
| 3.6.4.1 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 3.6.9.1 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.6.9.2 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 3.6.9.3 (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' | ACCESS CONTROL |
| 3.6.11.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication' and 'Require Integrity' set for all NETLOGON and SYSVOL shares' | IDENTIFICATION AND AUTHENTICATION |
| 3.6.18.1 (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet' | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.6.18.2 (L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.6.19.1 (L1) Ensure 'Require PIN pairing' is set to 'Enabled' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.7.1 (L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled' | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.7.2 (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | ACCESS CONTROL |
| 3.7.3 (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' | CONFIGURATION MANAGEMENT |
| 3.9.1.1 (L1) Ensure 'Turn off toast notifications on the lock screen (User)' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 3.10.4.1 (L1) Ensure 'Include command line in process creation events' is set to 'Enabled' | AUDIT AND ACCOUNTABILITY |
| 3.10.5.1 (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' | SYSTEM AND INFORMATION INTEGRITY |
| 3.10.5.2 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | IDENTIFICATION AND AUTHENTICATION |
| 3.10.9.2 (L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled' | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 3.10.13.1 (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' | SYSTEM AND INFORMATION INTEGRITY |
| 3.10.19.1 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.10.19.2 (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.10.19.3 (L1) Ensure 'Configure security policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.10.19.4 (L1) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.10.19.5 (L1) Ensure 'Continue experiences on this device' is set to 'Disabled' | CONFIGURATION MANAGEMENT |
| 3.10.19.6 (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.10.20.1.2 (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 3.10.20.1.5 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 3.10.25.1 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.10.25.2 (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' | ACCESS CONTROL |
| 3.10.25.3 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' | ACCESS CONTROL |
| 3.10.25.4 (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' | ACCESS CONTROL |
| 3.10.25.5 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 3.10.25.6 (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 3.10.25.7 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' | CONFIGURATION MANAGEMENT |
| 3.10.28.5.1 (L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' | SYSTEM AND INFORMATION INTEGRITY |
