| 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled | CIS Microsoft 365 Foundations v5.0.0 L1 E5 | microsoft_azure | AUDIT AND ACCOUNTABILITY |
| Configure hash algorithms for certificate logon - Kerberos PKInitSHA512 | MSCT Windows Server 2025 MS v1.0.0 | Windows | |
| Control whether or not exclusions are visible to Local Admins | MSCT Windows Server 2025 MS v1.0.0 | Windows | |
| Create a token object | MSCT Windows Server 2025 MS v1.0.0 | Windows | ACCESS CONTROL |
| Disallow Digest authentication - Client - AllowDigest | MSCT Windows Server 2025 MS v1.0.0 | Windows | ACCESS CONTROL |
| Do not allow passwords to be saved - DisablePasswordSaving | MSCT Windows Server 2025 MS v1.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Domain member: Digitally encrypt secure channel data (when possible) - sealsecurechannel | MSCT Windows Server 2025 MS v1.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Don't run antimalware programs against ActiveX controls - Local Machine Zone | MSCT Windows Server 2025 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Download signed ActiveX controls - Restricted Sites Zone | MSCT Windows Server 2025 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Download unsigned ActiveX controls - Internet Zone | MSCT Windows Server 2025 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Enable Structured Exception Handling Overwrite Protection (SEHOP) - DisableExceptionChainValidation | MSCT Windows Server 2025 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Impersonate a client after authentication | MSCT Windows Server 2025 MS v1.0.0 | Windows | ACCESS CONTROL |
| Include local path when user is uploading files to a server - Restricted Sites Zone | MSCT Windows Server 2025 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Interactive logon: Machine inactivity limit - InactivityTimeoutSecs | MSCT Windows Server 2025 MS v1.0.0 | Windows | ACCESS CONTROL |
| Internet Explorer Processes - FEATURE_MIME_SNIFFING - (Reserved) | MSCT Windows Server 2025 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Internet Explorer Processes - FEATURE_MIME_SNIFFING - iexplore.exe | MSCT Windows Server 2025 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Internet Explorer Processes - FEATURE_SECURITYBAND - explorer.exe | MSCT Windows Server 2025 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Internet Explorer Processes - FEATURE_SECURITYBAND - iexplore.exe | MSCT Windows Server 2025 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Internet Explorer Processes - FEATURE_WINDOW_RESTRICTIONS - explorer.exe | MSCT Windows Server 2025 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Java permissions - Locked-Down Local Machine Zone | MSCT Windows Server 2025 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Java permissions - Locked-Down Restricted Sites Zone | MSCT Windows Server 2025 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Java permissions - Restricted Sites Zone | MSCT Windows Server 2025 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Microsoft network client: Send unencrypted password to third-party SMB servers - EnablePlainTextPassword | MSCT Windows Server 2025 MS v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Modify firmware environment values | MSCT Windows Server 2025 MS v1.0.0 | Windows | ACCESS CONTROL |
| MSS: (DisableIPSourceRouting IPv6) IP source routing protection level - DisableIPSourceRouting | MSCT Windows Server 2025 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Navigate windows and frames across different domains - Restricted Sites Zone | MSCT Windows Server 2025 MS v1.0.0 | Windows | ACCESS CONTROL |
| Network access: Restrict anonymous access to Named Pipes and Shares - RestrictNullSessAccess | MSCT Windows Server 2025 MS v1.0.0 | Windows | ACCESS CONTROL |
| Network security: Allow LocalSystem NULL session fallback - allownullsessionfallback | MSCT Windows Server 2025 MS v1.0.0 | Windows | ACCESS CONTROL |
| Network security: LAN Manager authentication level - LmCompatibilityLevel | MSCT Windows Server 2025 MS v1.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Profile single process | MSCT Windows Server 2025 MS v1.0.0 | Windows | ACCESS CONTROL |
| Remote host allows delegation of non-exportable credentials - AllowProtectedCreds | MSCT Windows Server 2025 MS v1.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Run .NET Framework-reliant components not signed with Authenticode - Internet Zone | MSCT Windows Server 2025 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Run .NET Framework-reliant components signed with Authenticode - Restricted Sites Zone | MSCT Windows Server 2025 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Scripting of Java applets | MSCT Windows Server 2025 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Select the channel for Microsoft Defender daily security intelligence updates | MSCT Windows Server 2025 MS v1.0.0 | Windows | |
| Show security warning for potentially unsafe files - Restricted Sites Zone | MSCT Windows Server 2025 MS v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Specify the maximum log file size (KB) - Security | MSCT Windows Server 2025 MS v1.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| Specify use of ActiveX Installer Service for installation of ActiveX controls | MSCT Windows Server 2025 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| This security setting determines whether the builtin Administrator account is subject to account lockout policy - AllowAdministratorLockout | MSCT Windows Server 2025 MS v1.0.0 | Windows | ACCESS CONTROL |
| Turn off the Security Settings Check feature | MSCT Windows Server 2025 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Turn on Enhanced Protected Mode | MSCT Windows Server 2025 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Turn on script scanning | MSCT Windows Server 2025 MS v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Turn on the auto-complete feature for user names and passwords on forms - FormSuggest PW Ask | MSCT Windows Server 2025 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Turn On Virtualization Based Security - HypervisorEnforcedCodeIntegrity | MSCT Windows Server 2025 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Turn On Virtualization Based Security - LsaCfgFlags | MSCT Windows Server 2025 MS v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Use Pop-up Blocker - Internet Zone | MSCT Windows Server 2025 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| User Account Control: Detect application installations and prompt for elevation - EnableInstallerDetection | MSCT Windows Server 2025 MS v1.0.0 | Windows | ACCESS CONTROL |
| User Account Control: Virtualize file and registry write failures to per-user locations - EnableVirtualization | MSCT Windows Server 2025 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Web sites in less privileged Web content zones can navigate into this zone - Internet Zone | MSCT Windows Server 2025 MS v1.0.0 | Windows | ACCESS CONTROL |
| Web sites in less privileged Web content zones can navigate into this zone - Restricted Sites Zone | MSCT Windows Server 2025 MS v1.0.0 | Windows | ACCESS CONTROL |
