| 17.5.1 (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' | CIS Microsoft Windows Server 2016 v3.0.0 L1 DC | Windows | AUDIT AND ACCOUNTABILITY |
| 17.5.2 (L1) Ensure 'Audit Group Membership' is set to include 'Success' | CIS Microsoft Windows Server 2016 v3.0.0 L1 DC | Windows | AUDIT AND ACCOUNTABILITY |
| 17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | CIS Microsoft Windows Server 2016 v3.0.0 L1 DC | Windows | AUDIT AND ACCOUNTABILITY |
| 18.10.15.3 (L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled' | CIS Microsoft Windows Server 2016 v3.0.0 L1 DC | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.10.25.1.1 (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | CIS Microsoft Windows Server 2016 v3.0.0 L1 DC | Windows | AUDIT AND ACCOUNTABILITY |
| Configure hash algorithms for certificate logon - Kerberos PKInitSHA512 | MSCT Windows Server 2025 DC v1.0.0 | Windows | |
| Configure real-time protection and Security Intelligence Updates during OOBE | MSCT Windows Server 2025 DC v1.0.0 | Windows | |
| Configure registry policy processing - NoBackgroundPolicy | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Control whether exclusions are visible to local users | MSCT Windows Server 2025 DC v1.0.0 | Windows | |
| Debug programs | MSCT Windows Server 2025 DC v1.0.0 | Windows | ACCESS CONTROL |
| Don't run antimalware programs against ActiveX controls - Internet Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Don't run antimalware programs against ActiveX controls - Local Machine Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Don't run antimalware programs against ActiveX controls - Restricted Sites Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Download unsigned ActiveX controls - Internet Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Download unsigned ActiveX controls - Restricted Sites Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Enable computer and user accounts to be trusted for delegation | MSCT Windows Server 2025 DC v1.0.0 | Windows | ACCESS CONTROL |
| Enable dragging of content from different domains across windows - Internet Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Enable dragging of content from different domains within a window - Internet Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Enable dragging of content from different domains within a window - Restricted Sites Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Enable Structured Exception Handling Overwrite Protection (SEHOP) - DisableExceptionChainValidation | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Extended Protection for LDAP Authentication (Domain Controllers only) (DEPRECATED) | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Force shutdown from a remote system | MSCT Windows Server 2025 DC v1.0.0 | Windows | ACCESS CONTROL |
| Initialize and script ActiveX controls not marked as safe - Trusted Sites Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Interactive logon: Machine inactivity limit - InactivityTimeoutSecs | MSCT Windows Server 2025 DC v1.0.0 | Windows | ACCESS CONTROL |
| Interactive logon: Smart card removal behavior - ScRemoveOption | MSCT Windows Server 2025 DC v1.0.0 | Windows | ACCESS CONTROL |
| Internet Explorer Processes - FEATURE_MIME_HANDLING - explorer.exe | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Internet Explorer Processes - FEATURE_RESTRICT_ACTIVEXINSTALL - iexplore.exe | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Internet Explorer Processes - FEATURE_SECURITYBAND - explorer.exe | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Internet Explorer Processes - FEATURE_WINDOW_RESTRICTIONS - (Reserved) | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Internet Explorer Processes - FEATURE_ZONE_ELEVATION - (Reserved) | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Join Microsoft MAPS | MSCT Windows Server 2025 DC v1.0.0 | Windows | ACCESS CONTROL |
| Mandate the minimum version of SMB - MinSmb2Dialect | MSCT Windows Server 2025 DC v1.0.0 | Windows | |
| Microsoft network client: Digitally sign communications (always) - RequireSecuritySignature | MSCT Windows Server 2025 DC v1.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares - RestrictAnonymous | MSCT Windows Server 2025 DC v1.0.0 | Windows | ACCESS CONTROL |
| Prevent bypassing SmartScreen Filter warnings | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Prevent enabling lock screen camera - NoLockScreenCamera | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Require secure RPC communication - fEncryptRPCTraffic | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Reset account lockout counter after | MSCT Windows Server 2025 DC v1.0.0 | Windows | ACCESS CONTROL |
| Run .NET Framework-reliant components not signed with Authenticode - Internet Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Run .NET Framework-reliant components signed with Authenticode - Internet Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Scan excluded files and directories during quick scans | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Select the channel for Microsoft Defender daily security intelligence updates | MSCT Windows Server 2025 DC v1.0.0 | Windows | |
| Show security warning for potentially unsafe files - Restricted Sites Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Sign-in and lock last interactive user automatically after a restart - DisableAutomaticRestartSignOn | MSCT Windows Server 2025 DC v1.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Take ownership of files or other objects | MSCT Windows Server 2025 DC v1.0.0 | Windows | ACCESS CONTROL |
| Turn off Autoplay - NoDriveTypeAutoRun | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Turn on Protected Mode - Restricted Sites Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Turn on SmartScreen Filter scan - Locked-Down Internet Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Turn on SmartScreen Filter scan - Restricted Sites Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
