| 4.10.9.1.1 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' | MEDIA PROTECTION |
| 4.10.9.1.2 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked) | SYSTEM AND INFORMATION INTEGRITY |
| 4.10.9.1.3 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' | SYSTEM AND INFORMATION INTEGRITY |
| 4.11.7.1.1 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11.7.1.2 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11.7.1.3 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11.7.1.4 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11.7.1.5 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11.7.1.6 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11.7.1.7 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11.7.1.8 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11.7.2.1 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11.7.2.2 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11.7.2.3 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11.7.2.4 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11.7.2.5 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11.7.2.6 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11.7.2.7 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11.7.2.8 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11.7.2.9 (BL) Ensure 'Require additional authentication at startup' is set to 'Enabled' | ACCESS CONTROL |
| 4.11.7.2.10 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM' | ACCESS CONTROL |
| 4.11.7.2.11 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM' | ACCESS CONTROL |
| 4.11.7.2.12 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM' | IDENTIFICATION AND AUTHENTICATION |
| 4.11.7.2.13 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup:' is set to 'Enabled: Do not allow TPM' | ACCESS CONTROL |
| 4.11.7.2.14 (BL) Ensure 'Enforce drive encryption type on operating system drives: Select the encryption type: (Device)' is set to 'Enabled: Used Space Only encryption' or 'Enabled: Full encryption' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11.7.3.1 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled' | MEDIA PROTECTION |
| 4.11.7.3.2 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False' | MEDIA PROTECTION |
| 4.11.7.4 (BL) Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Select the encryption method for fixed data drives' is set to 'XTS-AES 128-bit (default)' or 'XTS-AES 256-bit' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11.7.5 (BL) Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Select the encryption method for operating system drives' is set to 'XTS-AES 128-bit (default)' or 'XTS-AES 256-bit' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11.7.6 (BL) Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Select the encryption method for removable data drives' is set to 'XTS-AES 128-bit' or higher | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.1 (BL) Ensure 'Require Device Encryption' is set to 'Enabled' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.2 (BL) Ensure 'Allow Warning For Other Disk Encryption' is set to 'Disabled' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.3 (BL) Ensure 'Allow Warning For Other Disk Encryption: Allow Standard User Encryption' is set to 'Enabled' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 28.1 (BL) Ensure 'Device Enumeration Policy' is set to 'Block all (most restrictive)' | CONFIGURATION MANAGEMENT |
| CIS_Microsoft_Intune_for_Windows_11_v4.0.0_BL.audit from CIS Microsoft Intune for Windows 11 Benchmark v4.0.0 | |
