1.2.4 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'
18.10.12.1 Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'
18.10.12.3 Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'
18.10.13.1 Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'
18.10.14.1 Ensure 'Do not display the password reveal button' is set to 'Enabled'
18.10.14.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
18.10.14.3 Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'
18.10.15.1 Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'
18.10.15.3 Ensure 'Disable OneSettings Downloads' is set to 'Enabled'
18.10.15.4 Ensure 'Do not show feedback notifications' is set to 'Enabled'
18.10.15.5 Ensure 'Enable OneSettings Auditing' is set to 'Enabled'
18.10.15.6 Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'
18.10.15.7 Ensure 'Limit Dump Collection' is set to 'Enabled'
18.10.15.8 Ensure 'Toggle user control over Insider builds' is set to 'Disabled'
18.10.16.1 Ensure 'Download Mode' is NOT set to 'Enabled: Internet'
18.10.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
18.10.26.1.2 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
18.10.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
18.10.26.2.2 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
18.10.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
18.10.26.3.2 Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
18.10.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
18.10.26.4.2 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
18.10.29.2 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
18.10.29.4 Ensure 'Turn off heap termination on corruption' is set to 'Disabled'
18.10.29.5 Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'
18.10.3.2 Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled'
18.10.33.1 Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'
18.10.4.1 Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny'
18.10.42.1 Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'
18.10.43.10.1 Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'
18.10.43.10.2 Ensure 'Turn off real-time protection' is set to 'Disabled'
18.10.43.10.3 Ensure 'Turn on behavior monitoring' is set to 'Enabled'
18.10.43.10.4 Ensure 'Turn on script scanning' is set to 'Enabled'
18.10.43.13.1 Ensure 'Scan removable drives' is set to 'Enabled'
18.10.43.13.2 Ensure 'Turn on e-mail scanning' is set to 'Enabled'
18.10.43.16 Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'
18.10.43.17 Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'
18.10.43.5.1 Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'
18.10.43.6.1.1 Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'
18.10.43.6.3.1 Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'
18.10.5.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
18.10.51.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'
18.10.57.2.3 Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
18.10.57.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'
18.10.57.3.3.3 Ensure 'Do not allow drive redirection' is set to 'Enabled'
18.10.57.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled'
18.10.57.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled'
18.10.57.3.9.3 Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'
18.10.57.3.9.4 Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'
18.10.57.3.9.5 Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'
18.10.58.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
18.10.59.3 Ensure 'Allow Cortana' is set to 'Disabled'
18.10.59.4 Ensure 'Allow Cortana above lock screen' is set to 'Disabled'
18.10.59.5 Ensure 'Allow indexing of encrypted files' is set to 'Disabled'
18.10.59.6 Ensure 'Allow search and Cortana to use location' is set to 'Disabled'
18.10.66.2 Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'
18.10.66.3 Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'
18.10.66.4 Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'
18.10.7.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
18.10.7.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'
18.10.7.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'
18.10.72.1 Ensure 'Allow widgets' is set to 'Disabled'
18.10.76.3.1 Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'
18.10.76.3.2 Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'
18.10.78.1 Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'
18.10.8.1.1 Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'
18.10.80.2 Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'
18.10.81.1 Ensure 'Allow user control over installs' is set to 'Disabled'
18.10.81.2 Ensure 'Always install with elevated privileges' is set to 'Disabled'
18.10.82.2 Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'
18.10.87.1 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'
18.10.87.2 Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'
18.10.89.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
18.10.89.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
18.10.89.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled'
18.10.89.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
18.10.89.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
18.10.89.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'
18.10.9.1.11 Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'
18.10.9.1.12 Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'
18.10.9.1.13 Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'
18.10.9.1.2 Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'
18.10.9.1.3 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'
18.10.9.1.4 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password'
18.10.9.1.5 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key'
18.10.9.1.6 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'
18.10.9.1.7 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'
18.10.9.1.8 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'
18.10.9.1.9 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'
18.10.9.2.1 Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'
18.10.9.2.10 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'
18.10.9.2.11 Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'
18.10.9.2.12 Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'
18.10.9.2.13 Ensure 'Require additional authentication at startup' is set to 'Enabled'
18.10.9.2.14 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'
18.10.9.2.2 Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'
18.10.9.2.3 Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'
18.10.9.2.4 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'
18.10.9.2.5 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password'
18.10.9.2.6 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'
18.10.9.2.7 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'
18.10.9.2.8 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'
18.10.9.2.9 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages'
18.10.9.3.1 Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled'
18.10.9.3.10 Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled'
18.10.9.3.11 Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled'
18.10.9.3.12 Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'
18.10.9.3.13 Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True'
18.10.9.3.14 Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'
18.10.9.3.15 Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'
18.10.9.3.2 Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'
18.10.9.3.3 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'
18.10.9.3.4 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password'
18.10.9.3.5 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'
18.10.9.3.6 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'
18.10.9.3.7 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False'
18.10.9.3.8 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages'
18.10.9.3.9 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False'
18.10.9.4 Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled'
18.10.91.1 Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'
18.10.91.2 Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'
18.10.92.2.1 Ensure 'Prevent users from modifying settings' is set to 'Enabled'
18.10.93.1.1 Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
18.10.93.2.1 Ensure 'Configure Automatic Updates' is set to 'Enabled'
18.10.93.2.3 Ensure 'Remove access to 'Pause updates' feature' is set to 'Enabled'
18.10.93.4.1 Ensure 'Manage preview builds' is set to 'Disabled'
18.3.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'
18.3.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled'
18.3.4 Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'
18.3.5 Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'
18.3.6 Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'
18.4.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'
18.4.3 Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'
18.4.4 Ensure 'Configure SMB v1 server' is set to 'Disabled'
18.4.5 Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'
18.4.6 Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'
18.4.7 Ensure 'WDigest Authentication' is set to 'Disabled'
18.5.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'
18.5.10 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'
18.5.13 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'
18.5.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
18.5.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
18.5.5 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
18.5.7 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
18.5.9 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'
18.6.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
18.6.11.3 Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
18.6.11.4 Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'
18.6.21.1 Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'
18.6.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'
18.6.23.2.1 Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'
18.6.4.1 Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher
18.6.4.3 Ensure 'Turn off multicast name resolution' is set to 'Enabled'
18.6.8.1 Ensure 'Enable insecure guest logons' is set to 'Disabled'
18.7.1 Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'
18.7.10 Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'
18.7.11 Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'
18.7.8 Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'
18.9.13.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'
18.9.19.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
18.9.19.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
18.9.19.4 Ensure 'Continue experiences on this device' is set to 'Disabled'
18.9.19.5 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'
18.9.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
18.9.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
18.9.24.1 Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'
18.9.27.1 Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'
18.9.27.2 Ensure 'Do not display network selection UI' is set to 'Enabled'
18.9.27.3 Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'
18.9.27.4 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'
18.9.27.5 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
18.9.27.6 Ensure 'Turn off picture password sign-in' is set to 'Enabled'
18.9.27.7 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
18.9.3.1 Ensure 'Include command line in process creation events' is set to 'Enabled'
18.9.32.6.1 Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'
18.9.32.6.2 Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'
18.9.32.6.3 Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'
18.9.32.6.4 Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'
18.9.32.6.5 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'
18.9.32.6.6 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'
18.9.34.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
18.9.34.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
18.9.35.1 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'
18.9.35.2 Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'
18.9.4.1 Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'
18.9.4.2 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'
18.9.7.1.1 Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'
18.9.7.1.2 Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A'
18.9.7.1.3 Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked)
18.9.7.1.4 Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'
18.9.7.1.5 Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes'
18.9.7.1.6 Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)
18.9.7.2 Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'
19.7.25.1 Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'
19.7.40.1 Ensure 'Always install with elevated privileges' is set to 'Disabled'
19.7.7.1 Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'
19.7.7.2 Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'
19.7.7.5 Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'
2.2.14 Configure 'Create symbolic links'
2.3.1.1 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'
2.3.1.2 Ensure 'Accounts: Guest account status' is set to 'Disabled'
2.3.1.3 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'
2.3.17.2 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' or higher
Removed
1.2.4 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' - 15 or more minute(s)
18.10.12.1 Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' - Enabled
18.10.12.3 Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' - Enabled
18.10.13.1 Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' - Enabled: Always
18.10.14.1 Ensure 'Do not display the password reveal button' is set to 'Enabled' - Enabled
18.10.14.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' - Disabled
18.10.14.3 Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled' - Enabled
18.10.15.1 Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data' - Enabled: Send required diagnostic data
18.10.15.3 Ensure 'Disable OneSettings Downloads' is set to 'Enabled' - Enabled
18.10.15.4 Ensure 'Do not show feedback notifications' is set to 'Enabled' - Enabled
18.10.15.5 Ensure 'Enable OneSettings Auditing' is set to 'Enabled' - Enabled
18.10.15.6 Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled' - Enabled
18.10.15.7 Ensure 'Limit Dump Collection' is set to 'Enabled' - Enabled
18.10.15.8 Ensure 'Toggle user control over Insider builds' is set to 'Disabled' - Disabled
18.10.16.1 Ensure 'Download Mode' is NOT set to 'Enabled: Internet' - Enabled: Internet
18.10.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' - Disabled
18.10.26.1.2 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' - Enabled: 32,768 or greater
18.10.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' - Disabled
18.10.26.2.2 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' - Enabled: 196,608 or greater
18.10.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' - Disabled
18.10.26.3.2 Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' - Enabled: 32,768 or greater
18.10.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' - Disabled
18.10.26.4.2 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' - Enabled: 32,768 or greater
18.10.29.2 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' - Disabled
18.10.29.4 Ensure 'Turn off heap termination on corruption' is set to 'Disabled' - Disabled
18.10.29.5 Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' - Disabled
18.10.3.2 Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled' - Enabled
18.10.33.1 Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled' - Enabled
18.10.4.1 Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny' - Enabled: Force Deny
18.10.42.1 Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' - Enabled
18.10.43.10.1 Ensure 'Scan all downloaded files and attachments' is set to 'Enabled' - Enabled
18.10.43.10.2 Ensure 'Turn off real-time protection' is set to 'Disabled' - Disabled
18.10.43.10.3 Ensure 'Turn on behavior monitoring' is set to 'Enabled' - Enabled
18.10.43.10.4 Ensure 'Turn on script scanning' is set to 'Enabled' - Enabled
18.10.43.13.1 Ensure 'Scan removable drives' is set to 'Enabled' - Enabled
18.10.43.13.2 Ensure 'Turn on e-mail scanning' is set to 'Enabled' - Enabled
18.10.43.16 Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' - Enabled: Block
18.10.43.17 Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' - Disabled
18.10.43.5.1 Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' - Disabled
18.10.43.6.1.1 Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' - Enabled
18.10.43.6.3.1 Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' - Enabled: Block
18.10.5.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' - Enabled
18.10.51.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' - Enabled
18.10.57.2.3 Ensure 'Do not allow passwords to be saved' is set to 'Enabled' - Enabled
18.10.57.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' - Disabled
18.10.57.3.3.3 Ensure 'Do not allow drive redirection' is set to 'Enabled' - Enabled
18.10.57.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled' - Enabled
18.10.57.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' - Enabled
18.10.57.3.9.3 Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' - Enabled: SSL
18.10.57.3.9.4 Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled' - Enabled
18.10.57.3.9.5 Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' - Enabled: High Level
18.10.58.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled' - Enabled
18.10.59.3 Ensure 'Allow Cortana' is set to 'Disabled' - Disabled
18.10.59.4 Ensure 'Allow Cortana above lock screen' is set to 'Disabled' - Disabled
18.10.59.5 Ensure 'Allow indexing of encrypted files' is set to 'Disabled' - Disabled
18.10.59.6 Ensure 'Allow search and Cortana to use location' is set to 'Disabled' - Disabled
18.10.66.2 Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled' - Enabled
18.10.66.3 Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled' - Disabled
18.10.66.4 Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled' - Enabled
18.10.7.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' - Enabled
18.10.7.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' - Enabled: Do not execute any autorun commands
18.10.7.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' - Enabled: All drives
18.10.72.1 Ensure 'Allow widgets' is set to 'Disabled' - Disabled
18.10.76.3.1 Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled' - Enabled
18.10.76.3.2 Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled' - Enabled
18.10.78.1 Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled' - Disabled
18.10.8.1.1 Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled' - Enabled
18.10.80.2 Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled' - Enabled: On
18.10.81.1 Ensure 'Allow user control over installs' is set to 'Disabled' - Disabled
18.10.81.2 Ensure 'Always install with elevated privileges' is set to 'Disabled' - Disabled
18.10.82.2 Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' - Disabled
18.10.87.1 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled' - Enabled
18.10.87.2 Ensure 'Turn on PowerShell Transcription' is set to 'Enabled' - Disabled
18.10.89.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled' - Disabled
18.10.89.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled' - Disabled
18.10.89.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled' - Enabled
18.10.89.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled' - Disabled
18.10.89.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled' - Disabled
18.10.89.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' - Enabled
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' - Disabled
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' - Disabled
18.10.9.1.11 Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled' - Disabled
18.10.9.1.12 Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled' - Enabled
18.10.9.1.13 Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True' - Enabled: True
18.10.9.1.2 Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' - Enabled
18.10.9.1.3 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' - Enabled: True
18.10.9.1.4 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' - Enabled: Allow 48-digit recovery password
18.10.9.1.5 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' - Enabled: Allow 256-bit recovery key
18.10.9.1.6 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' - Enabled: True
18.10.9.1.7 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False' - Enabled: False
18.10.9.1.8 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages' - Enabled: Backup recovery passwords and key packages
18.10.9.1.9 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False' - Enabled: False
18.10.9.2.1 Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' - Enabled
18.10.9.2.10 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True' - Enabled: True
18.10.9.2.11 Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled' - Disabled
18.10.9.2.12 Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled' - Disabled
18.10.9.2.13 Ensure 'Require additional authentication at startup' is set to 'Enabled' - Enabled
18.10.9.2.14 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' - Enabled: False
18.10.9.2.2 Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled' - Enabled
18.10.9.2.3 Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' - Enabled
18.10.9.2.4 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False' - Enabled: False
18.10.9.2.5 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password' - Enabled: Require 48-digit recovery password
18.10.9.2.6 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' - Enabled: Do not allow 256-bit recovery key
18.10.9.2.7 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' - Enabled: True
18.10.9.2.8 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True' - Enabled: True
18.10.9.2.9 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages' - Enabled: Store recovery passwords and key packages
18.10.9.3.1 Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled' - Disabled
18.10.9.3.10 Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled' - Disabled
18.10.9.3.11 Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled' - Disabled
18.10.9.3.12 Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled' - Enabled
18.10.9.3.13 Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True' - Enabled: True
18.10.9.3.14 Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled' - Enabled
18.10.9.3.15 Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False' - Enabled: False
18.10.9.3.2 Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' - Enabled
18.10.9.3.3 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' - Enabled: True
18.10.9.3.4 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password' - Enabled: Do not allow 48-digit recovery password
18.10.9.3.5 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' - Enabled: Do not allow 256-bit recovery key
18.10.9.3.6 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' - Enabled: True
18.10.9.3.7 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False' - Enabled: False
18.10.9.3.8 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages' - Enabled: Backup recovery passwords and key packages
18.10.9.3.9 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False' - Enabled: False
18.10.9.4 Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled' - Enabled
18.10.91.1 Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled' - Disabled
18.10.91.2 Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled' - Disabled
18.10.92.2.1 Ensure 'Prevent users from modifying settings' is set to 'Enabled' - Enabled
18.10.93.1.1 Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' - Disabled
18.10.93.2.1 Ensure 'Configure Automatic Updates' is set to 'Enabled' - Enabled
18.10.93.2.3 Ensure 'Remove access to 'Pause updates' feature' is set to 'Enabled' - Enabled
18.10.93.4.1 Ensure 'Manage preview builds' is set to 'Disabled' - Disabled
18.3.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' - Enabled
18.3.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled' - Enabled
18.3.4 Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' - Enabled: Large letters + small letters + numbers + special characters
18.3.5 Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' - Enabled: 15 or more
18.3.6 Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' - Enabled: 30 or fewer
18.4.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' - Enabled
18.4.3 Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' - Enabled: Disable driver (recommended)
18.4.4 Ensure 'Configure SMB v1 server' is set to 'Disabled' - Disabled
18.4.5 Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' - Enabled
18.4.6 Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)' - Enabled: P-node (recommended)
18.4.7 Ensure 'WDigest Authentication' is set to 'Disabled' - Disabled
18.5.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' - Disabled
18.5.10 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' - Enabled: 5 or fewer seconds
18.5.13 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' - Enabled: 90% or less
18.5.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' - Enabled: Highest protection, source routing is completely disabled
18.5.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' - Enabled: Highest protection, source routing is completely disabled
18.5.5 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' - Disabled
18.5.7 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' - Enabled
18.5.9 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' - Enabled
18.6.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' - Enabled
18.6.11.3 Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' - Enabled
18.6.11.4 Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' - Enabled
18.6.21.1 Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet' - Enabled: 3 = Prevent Wi-Fi when on Ethernet
18.6.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' - Enabled
18.6.23.2.1 Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled' - Disabled
18.6.4.1 Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher - Enabled: Allow DoH or higher
18.6.4.3 Ensure 'Turn off multicast name resolution' is set to 'Enabled' - Enabled
18.6.8.1 Ensure 'Enable insecure guest logons' is set to 'Disabled' - Disabled
18.7.1 Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled' - Disabled
18.7.10 Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' - Enabled: Show warning and elevation prompt
18.7.11 Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' - Enabled: Show warning and elevation prompt
18.7.8 Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' - Enabled
18.9.13.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' - Enabled: Good, unknown and bad but critical
18.9.19.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' - Enabled: FALSE
18.9.19.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' - Enabled: TRUE
18.9.19.4 Ensure 'Continue experiences on this device' is set to 'Disabled' - Disabled
18.9.19.5 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' - Disabled
18.9.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' - Enabled
18.9.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' - Enabled
18.9.24.1 Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All' - Enabled: Block All
18.9.27.1 Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' - Enabled
18.9.27.2 Ensure 'Do not display network selection UI' is set to 'Enabled' - Enabled
18.9.27.3 Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' - Enabled
18.9.27.4 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' - Disabled
18.9.27.5 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' - Enabled
18.9.27.6 Ensure 'Turn off picture password sign-in' is set to 'Enabled' - Enabled
18.9.27.7 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' - Disabled
18.9.3.1 Ensure 'Include command line in process creation events' is set to 'Enabled' - Enabled
18.9.32.6.1 Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' - Disabled
18.9.32.6.2 Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' - Disabled
18.9.32.6.3 Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled' - Disabled
18.9.32.6.4 Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled' - Disabled
18.9.32.6.5 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' - Enabled
18.9.32.6.6 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' - Enabled
18.9.34.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' - Disabled
18.9.34.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' - Disabled
18.9.35.1 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' - Enabled
18.9.35.2 Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' - Enabled: Authenticated
18.9.4.1 Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' - Enabled: Force Updated Clients
18.9.4.2 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' - Enabled
18.9.7.1.1 Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' - Enabled
18.9.7.1.2 Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' - PCI\CC_0C0A
18.9.7.1.3 Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked) - True (checked)
18.9.7.1.4 Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' - Enabled
18.9.7.1.5 Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' - IEEE 1394 device setup classes
18.9.7.1.6 Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked) - True (checked)
18.9.7.2 Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled' - Enabled
19.7.25.1 Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled' - Enabled
19.7.40.1 Ensure 'Always install with elevated privileges' is set to 'Disabled' - Disabled
19.7.7.1 Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled' - Disabled
19.7.7.2 Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled' - Enabled
19.7.7.5 Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled' - Enabled
2.3.1.1 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' - Users can't add or log on with Microsoft accounts
2.3.1.2 Ensure 'Accounts: Guest account status' is set to 'Disabled' - Disabled
2.3.1.3 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' - Enabled
2.3.17.2 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' or higher - Prompt for consent on the secure desktop