| Act as part of the operating system | MSCT Windows Server v20H2 MS v1.0.0 | Windows | ACCESS CONTROL |
| Allow active scripting | MSCT Windows Server v20H2 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Allow cut, copy or paste operations from the clipboard via script - Restricted Sites Zone | MSCT Windows Server v20H2 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Allow only approved domains to use ActiveX controls without prompt - Internet Zone | MSCT Windows Server v20H2 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Allow unencrypted traffic - Service - AllowUnencryptedTraffic | MSCT Windows Server v20H2 MS v1.0.0 | Windows | ACCESS CONTROL |
| Allow user control over installs | MSCT Windows Server v20H2 MS v1.0.0 | Windows | ACCESS CONTROL |
| Audit Authentication Policy Change | MSCT Windows Server v20H2 MS v1.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| Audit Other Logon/Logoff Events | MSCT Windows Server v20H2 MS v1.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| Automatic prompting for file downloads - Internet Zone | MSCT Windows Server v20H2 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Configure Attack Surface Reduction rules - 5beb7efe-fd9a-4556-801d-275e5ffc04cc | MSCT Windows Server v20H2 MS v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Configure Attack Surface Reduction rules - b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | MSCT Windows Server v20H2 MS v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Configure enhanced anti-spoofing | MSCT Windows Server v20H2 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Configure SMB v1 server | MSCT Windows Server v20H2 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Create permanent shared objects | MSCT Windows Server v20H2 MS v1.0.0 | Windows | ACCESS CONTROL |
| Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled | MSCT Windows Server v20H2 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Domain member: Digitally sign secure channel data (when possible) | MSCT Windows Server v20H2 MS v1.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Don't run antimalware programs against ActiveX controls - Internet Zone | MSCT Windows Server v20H2 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Download signed ActiveX controls - Internet Zone | MSCT Windows Server v20H2 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Enable computer and user accounts to be trusted for delegation | MSCT Windows Server v20H2 MS v1.0.0 | Windows | ACCESS CONTROL |
| Enable local admin password management | MSCT Windows Server v20H2 MS v1.0.0 | Windows | ACCESS CONTROL |
| Enable Structured Exception Handling Overwrite Protection (SEHOP) | MSCT Windows Server v20H2 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Encryption Oracle Remediation | MSCT Windows Server v20H2 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Enumeration policy for external devices incompatible with Kernel DMA Protection | MSCT Windows Server v20H2 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Include local path when user is uploading files to a server - Internet Zone | MSCT Windows Server v20H2 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Interactive logon: Smart card removal behavior | MSCT Windows Server v20H2 MS v1.0.0 | Windows | ACCESS CONTROL |
| Internet Explorer Processes - FEATURE_RESTRICT_ACTIVEXINSTALL - explorer.exe | MSCT Windows Server v20H2 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Internet Explorer Processes - FEATURE_RESTRICT_ACTIVEXINSTALL - iexplore.exe | MSCT Windows Server v20H2 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Internet Explorer Processes - FEATURE_RESTRICT_FILEDOWNLOAD - explorer.exe | MSCT Windows Server v20H2 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Internet Explorer Processes - FEATURE_RESTRICT_FILEDOWNLOAD - iexplore.exe | MSCT Windows Server v20H2 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Internet Explorer Processes - FEATURE_SECURITYBAND - explorer.exe | MSCT Windows Server v20H2 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Internet Explorer Processes - FEATURE_SECURITYBAND - iexplore.exe | MSCT Windows Server v20H2 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Internet Explorer Processes - FEATURE_ZONE_ELEVATION - explorer.exe | MSCT Windows Server v20H2 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Java permissions - Locked-Down Intranet Zone | MSCT Windows Server v20H2 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Lock pages in memory | MSCT Windows Server v20H2 MS v1.0.0 | Windows | ACCESS CONTROL |
| Logon options - Internet Zone | MSCT Windows Server v20H2 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Manage auditing and security log | MSCT Windows Server v20H2 MS v1.0.0 | Windows | ACCESS CONTROL |
| MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | MSCT Windows Server v20H2 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | MSCT Windows Server v20H2 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Navigate windows and frames across different domains - Restricted Sites Zone | MSCT Windows Server v20H2 MS v1.0.0 | Windows | ACCESS CONTROL |
| NetBT NodeType configuration | MSCT Windows Server v20H2 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Network access: Allow anonymous SID/Name translation | MSCT Windows Server v20H2 MS v1.0.0 | Windows | ACCESS CONTROL |
| Network access: Restrict clients allowed to make remote calls to SAM | MSCT Windows Server v20H2 MS v1.0.0 | Windows | ACCESS CONTROL |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | MSCT Windows Server v20H2 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | MSCT Windows Server v20H2 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Prevent per-user installation of ActiveX controls | MSCT Windows Server v20H2 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Relax minimum password length limits | MSCT Windows Server v20H2 MS v1.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Reset account lockout counter after | MSCT Windows Server v20H2 MS v1.0.0 | Windows | ACCESS CONTROL |
| Run .NET Framework-reliant components not signed with Authenticode - Restricted Sites Zone | MSCT Windows Server v20H2 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Show security warning for potentially unsafe files - Internet Zone | MSCT Windows Server v20H2 MS v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Show security warning for potentially unsafe files - Restricted Sites Zone | MSCT Windows Server v20H2 MS v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
