| 1.1 (L1) Ensure 'Allow Cortana Above Lock' is set to 'Block' | CONFIGURATION MANAGEMENT |
| 4.1.3.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' | ACCESS CONTROL |
| 4.1.3.2 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' | ACCESS CONTROL |
| 4.4.1 (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' | ACCESS CONTROL |
| 4.4.2 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' | CONFIGURATION MANAGEMENT |
| 4.4.3 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' | CONFIGURATION MANAGEMENT |
| 4.4.4 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' | SYSTEM AND INFORMATION INTEGRITY |
| 4.4.5 (L1) Ensure 'WDigest Authentication' is set to 'Disabled' | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.5.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.5.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.5.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.5.5 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 4.5.7 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 4.5.9 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' | SYSTEM AND INFORMATION INTEGRITY |
| 4.5.10 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' | ACCESS CONTROL |
| 4.5.13 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | AUDIT AND ACCOUNTABILITY |
| 4.6.4.1 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.6.9.1 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 4.6.9.2 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.6.9.3 (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' | ACCESS CONTROL |
| 4.6.11.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication', 'Require Integrity', and 'Require Privacy' set for all NETLOGON and SYSVOL shares' | IDENTIFICATION AND AUTHENTICATION |
| 4.6.18.1 (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet' | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 4.6.18.2 (L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.7.1 (L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled' | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 4.7.2 (L1) Ensure 'Configure Redirection Guard: Redirection Guard Options' is set to 'Enabled: Redirection Guard Enabled' | SYSTEM AND INFORMATION INTEGRITY |
| 4.7.3 (L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP' | CONFIGURATION MANAGEMENT |
| 4.7.4 (L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default' | CONFIGURATION MANAGEMENT |
| 4.7.5 (L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher | IDENTIFICATION AND AUTHENTICATION |
| 4.7.6 (L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP' | CONFIGURATION MANAGEMENT |
| 4.7.7 (L1) Ensure 'Configure RPC over TCP port: RPC over TCP port:' is set to 'Enabled: 0' | CONFIGURATION MANAGEMENT |
| 4.7.8 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' | SYSTEM AND INFORMATION INTEGRITY |
| 4.7.9 (L1) Ensure 'Manage processing of Queue-specific files: Manage processing of Queue-Specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles' | SYSTEM AND INFORMATION INTEGRITY |
| 4.7.10 (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | ACCESS CONTROL |
| 4.7.11 (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' | CONFIGURATION MANAGEMENT |
| 4.9.1.1 (L1) Ensure 'Turn off toast notifications on the lock screen (User)' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.10.4.1 (L1) Ensure 'Include command line in process creation events' is set to 'Enabled' | AUDIT AND ACCOUNTABILITY |
| 4.10.5.1 (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' | SYSTEM AND INFORMATION INTEGRITY |
| 4.10.5.2 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | IDENTIFICATION AND AUTHENTICATION |
| 4.10.9.2 (L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled' | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 4.10.13.1 (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' | SYSTEM AND INFORMATION INTEGRITY |
| 4.10.19.1 (L1) Ensure 'Continue experiences on this device' is set to 'Disabled' | CONFIGURATION MANAGEMENT |
| 4.10.19.2 (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 4.10.20.1.2 (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.10.20.1.5 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.10.26.1 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 4.10.26.2 (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' | ACCESS CONTROL |
| 4.10.26.3 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' | ACCESS CONTROL |
| 4.10.26.4 (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' | ACCESS CONTROL |
| 4.10.26.5 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.10.26.6 (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
