| 4.5.4 (L2) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)' is set to 'Enabled' | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 4.5.6 (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.5.8 (L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled' | CONFIGURATION MANAGEMENT |
| 4.5.11 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 4.5.12 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 4.6.8.1 (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' | CONFIGURATION MANAGEMENT |
| 4.6.8.2 (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' | CONFIGURATION MANAGEMENT |
| 4.6.17.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | CONFIGURATION MANAGEMENT |
| 4.6.17.2 (L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.10.20.1.1 (L2) Ensure 'Turn off access to the Store' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.10.20.1.3 (L2) Ensure 'Turn off Help Experience Improvement Program (User)' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.10.20.1.4 (L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.10.20.1.6 (L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.10.20.1.7 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.10.20.1.8 (L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.10.20.1.9 (L2) Ensure 'Turn off the 'Order Prints' picture task' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.10.20.1.10 (L2) Ensure 'Turn off the 'Publish to Web' task for files and folders' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.10.20.1.11 (L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.10.20.1.12 (L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.10.20.1.13 (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.10.23.1 (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' | CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| 4.10.25.1 (L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' | ACCESS CONTROL |
| 4.10.40.5.1 (L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' | CONFIGURATION MANAGEMENT |
| 4.11.3.2 (L2) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.11.28.3.2 (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled' | CONFIGURATION MANAGEMENT |
| 4.11.28.10.1 (L2) Ensure 'Configure Watson events' is set to 'Disabled' | SECURITY ASSESSMENT AND AUTHORIZATION |
| 4.11.35.1 (L2) Ensure 'Turn off Push To Install service' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.11.36.4.2.1 (L2) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled' | CONFIGURATION MANAGEMENT |
| 4.11.36.4.3.1 (L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.11.36.4.3.3 (L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.11.36.4.3.4 (L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.11.36.4.3.5 (L2) Ensure 'Restrict clipboard transfer from server to client' is set to 'Enabled: Disable clipboard transfers from server to client' | CONFIGURATION MANAGEMENT |
| 4.11.36.4.10.1 (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)' | ACCESS CONTROL |
| 4.11.36.4.10.2 (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' | ACCESS CONTROL |
| 4.11.42.2 (L2) Ensure 'Turn off the Store application' is set to 'Enabled' | CONFIGURATION MANAGEMENT |
| 4.11.49.1 (L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' | CONFIGURATION MANAGEMENT |
| 4.11.52.2.1 (L2) Ensure 'Prevent Codec Download (User)' is set to 'Enabled' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11.54.1 (L2) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled' | AUDIT AND ACCOUNTABILITY |
| 4.11.54.2 (L2) Ensure 'Turn on PowerShell Transcription' is set to 'Enabled' | AUDIT AND ACCOUNTABILITY |
| 4.11.55.2.2 (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' | CONFIGURATION MANAGEMENT |
| 4.11.56.1 (L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled' | CONFIGURATION MANAGEMENT |
| 12.1 (L2) Ensure 'Allow Camera' is set to 'Not allowed' | CONFIGURATION MANAGEMENT |
| 22.24 (L2) Ensure 'Enable Convert Warn To Block' is set to 'Warn verdicts are converted to block' | SYSTEM AND INFORMATION INTEGRITY |
| 22.25 (L2) Ensure 'Enable File Hash Computation' is set to 'Enable' | SYSTEM AND INFORMATION INTEGRITY |
| 22.31 (L2) Ensure 'Remote Encryption Protection Aggressiveness' is set to 'Medium' or higher | SYSTEM AND INFORMATION INTEGRITY |
| 34.3 (L2) Ensure 'Allow Windows Spotlight (User)' is set to 'Block' | CONFIGURATION MANAGEMENT |
| 47.1 (L2) Ensure 'Disallow KMS Client Online AVS Validation' is set to 'Allow' | CONFIGURATION MANAGEMENT |
| 49.5 (L2) Ensure 'Devices: Prevent users from installing printer drivers when connecting to shared printers' is set to 'Enable' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 54.1 (L2) Ensure 'Allow Message Sync' is set to 'message sync is not allowed and cannot be changed by the user.' | CONFIGURATION MANAGEMENT |
| 55.3 (L2) Ensure 'Allow Shared User App Data' is set to 'Block' | ACCESS CONTROL |
