| Configure Attack Surface Reduction rules - be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 | MSCT Windows Server v20H2 DC v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Configure Attack Surface Reduction rules - ExploitGuard_ASR_Rules | MSCT Windows Server v20H2 DC v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Configure Windows Defender SmartScreen - EnableSmartScreen | MSCT Windows Server v20H2 DC v1.0.0 | Windows | ACCESS CONTROL |
| Configure Windows Defender SmartScreen - ShellSmartScreenLevel | MSCT Windows Server v20H2 DC v1.0.0 | Windows | ACCESS CONTROL |
| Create a token object | MSCT Windows Server v20H2 DC v1.0.0 | Windows | ACCESS CONTROL |
| Don't run antimalware programs against ActiveX controls - Trusted Sites Zone | MSCT Windows Server v20H2 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Enable dragging of content from different domains across windows - Restricted Sites Zone | MSCT Windows Server v20H2 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Enable dragging of content from different domains within a window - Internet Zone | MSCT Windows Server v20H2 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Extended Protection for LDAP Authentication (Domain Controllers only) (DEPRECATED) | MSCT Windows Server v20H2 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Hardened UNC Paths - \\*\NETLOGON | MSCT Windows Server v20H2 DC v1.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Impersonate a client after authentication | MSCT Windows Server v20H2 DC v1.0.0 | Windows | ACCESS CONTROL |
| Internet Explorer Processes - FEATURE_MIME_HANDLING - explorer.exe | MSCT Windows Server v20H2 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Internet Explorer Processes - FEATURE_RESTRICT_ACTIVEXINSTALL - iexplore.exe | MSCT Windows Server v20H2 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Internet Explorer Processes - FEATURE_RESTRICT_FILEDOWNLOAD - (Reserved) | MSCT Windows Server v20H2 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Internet Explorer Processes - FEATURE_RESTRICT_FILEDOWNLOAD - explorer.exe | MSCT Windows Server v20H2 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Internet Explorer Processes - FEATURE_WINDOW_RESTRICTIONS - explorer.exe | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Internet Explorer Processes - FEATURE_WINDOW_RESTRICTIONS - iexplore.exe | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Java permissions - Intranet Zone | MSCT Windows Server v20H2 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Java permissions - Local Machine Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Java permissions - Locked-Down Trusted Sites Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Java permissions - Locked-Down Trusted Sites Zone | MSCT Windows Server v20H2 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Launching applications and files in an IFRAME - Internet Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Network access: Do not allow anonymous enumeration of SAM accounts - RestrictAnonymousSAM | MSCT Windows Server 2025 DC v1.0.0 | Windows | ACCESS CONTROL |
| Network security: Allow LocalSystem NULL session fallback - allownullsessionfallback | MSCT Windows Server 2025 DC v1.0.0 | Windows | ACCESS CONTROL |
| Password must meet complexity requirements | MSCT Windows Server 2025 DC v1.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Prevent ignoring certificate errors | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Prevent per-user installation of ActiveX controls | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Remove 'Run this time' button for outdated ActiveX controls in Internet Explorer | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Run .NET Framework-reliant components not signed with Authenticode - Restricted Sites Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Scan all downloaded files and attachments | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Scripting of Java applets | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Select the channel for Microsoft Defender monthly platform updates | MSCT Windows Server 2025 DC v1.0.0 | Windows | |
| Set client connection encryption level - MinEncryptionLevel | MSCT Windows Server 2025 DC v1.0.0 | Windows | ACCESS CONTROL |
| Specify use of ActiveX Installer Service for installation of ActiveX controls | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) - ProtectionMode | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Turn off multicast name resolution - EnableMulticast | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Turn off the Security Settings Check feature | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Turn on behavior monitoring | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Turn on Cross-Site Scripting Filter - Internet Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Turn on PowerShell Script Block Logging - EnableScriptBlockInvocationLogging | MSCT Windows Server 2025 DC v1.0.0 | Windows | ACCESS CONTROL |
| Turn On Virtualization Based Security - EnableVirtualizationBasedSecurity | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Turn On Virtualization Based Security - HypervisorEnforcedCodeIntegrity | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Turn On Virtualization Based Security - LsaCfgFlags | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Use Pop-up Blocker - Internet Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Use Pop-up Blocker - Restricted Sites Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| User Account Control: Run all administrators in Admin Approval Mode - EnableLUA | MSCT Windows Server 2025 DC v1.0.0 | Windows | ACCESS CONTROL |
| Userdata persistence - Internet Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Userdata persistence - Restricted Sites Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Web sites in less privileged Web content zones can navigate into this zone - Internet Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | ACCESS CONTROL |
