| 2.2.29 (L1) Configure 'Log on as a service' | CIS Microsoft Windows 10 EMS Gateway v3.0.0 L1 | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.29 (L2) Ensure 'Log on as a service' is configured | CIS Microsoft Windows 10 Enterprise v4.0.0 L2 BL NG | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.29 (L2) Ensure 'Log on as a service' is configured | CIS Microsoft Windows 11 Enterprise v4.0.0 L2 BitLocker | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.29 (L2) Ensure 'Log on as a service' is configured | CIS Microsoft Windows 11 Stand-alone v4.0.0 L2 | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 18.10.35.1 (L1) Ensure 'Disable Internet Explorer 11 as a standalone browser' is set to 'Enabled: Always' | CIS Microsoft Windows 10 Enterprise v4.0.0 L1 | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.35.1 (L1) Ensure 'Disable Internet Explorer 11 as a standalone browser' is set to 'Enabled: Always' | CIS Microsoft Windows 10 Enterprise v4.0.0 L1 BL | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.35.1 (L1) Ensure 'Disable Internet Explorer 11 as a standalone browser' is set to 'Enabled: Always' | CIS Microsoft Windows 10 Enterprise v4.0.0 L1 NG | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| ALMA-09-056230 - AlmaLinux OS 9 audit tools must be group-owned by root. | DISA CloudLinux AlmaLinux OS 9 STIG v1r2 | Unix | AUDIT AND ACCOUNTABILITY |
| GOOG-10-000400 - Google Android 10 must be configured to lock the display after 15 minutes (or less) of inactivity. | MobileIron - DISA Google Android 10.x v2r1 | MDM | ACCESS CONTROL |
| Hardened UNC Paths - \\*\SYSVOL | MSCT Windows Server 2016 MS v1.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Include local path when user is uploading files to a server - Restricted Sites Zone | MSCT Windows Server 2016 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Initialize and script ActiveX controls not marked as safe - Restricted Sites Zone | MSCT Windows Server 2016 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Initialize and script ActiveX controls not marked as safe - Trusted Sites Zone | MSCT Windows Server 2016 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Interactive logon: Machine account lockout threshold | MSCT Windows Server 2016 MS v1.0.0 | Windows | ACCESS CONTROL |
| Internet Explorer Processes - FEATURE_RESTRICT_FILEDOWNLOAD - (Reserved) | MSCT Windows Server 2016 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Internet Explorer Processes - FEATURE_SECURITYBAND - (Reserved) | MSCT Windows Server 2016 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Internet Explorer Processes - FEATURE_SECURITYBAND - iexplore.exe | MSCT Windows Server 2016 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Java permissions - Internet Zone | MSCT Windows Server 2016 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Java permissions - Local Machine Zone | MSCT Windows Server 2016 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Join Microsoft MAPS | MSCT Windows Server 2016 MS v1.0.0 | Windows | ACCESS CONTROL |
| Load and unload device drivers | MSCT Windows Server 2016 MS v1.0.0 | Windows | ACCESS CONTROL |
| Microsoft network client: Send unencrypted password to third-party SMB servers - EnablePlainTextPassword | MSCT Windows Server 2016 MS v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Microsoft network server: Digitally sign communications (if client agrees) | MSCT Windows Server 2016 MS v1.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Minimum password age | MSCT Windows Server 2016 MS v1.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Network access: Let Everyone permissions apply to anonymous users | MSCT Windows Server 2016 MS v1.0.0 | Windows | ACCESS CONTROL |
| Network access: Restrict clients allowed to make remote calls to SAM | MSCT Windows Server 2016 MS v1.0.0 | Windows | ACCESS CONTROL |
| Network security: Force logoff when logon hours expire | MSCT Windows Server 2016 MS v1.0.0 | Windows | ACCESS CONTROL |
| Network security: LAN Manager authentication level | MSCT Windows Server 2016 MS v1.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | MSCT Windows Server 2016 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Perform volume maintenance tasks | MSCT Windows Server 2016 MS v1.0.0 | Windows | ACCESS CONTROL |
| Run .NET Framework-reliant components not signed with Authenticode - Internet Zone | MSCT Windows Server 2016 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Scan removable drives | MSCT Windows Server 2016 MS v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Security Zones: Do not allow users to change policies | MSCT Windows Server 2016 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Security Zones: Use only machine settings | MSCT Windows Server 2016 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Send file samples when further analysis is required | MSCT Windows Server 2016 MS v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Sign-in last interactive user automatically after a system-initiated restart | MSCT Windows Server 2016 MS v1.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Specify the maximum log file size (KB) - Security | MSCT Windows Server 2016 MS v1.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links) | MSCT Windows Server 2016 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Turn off Autoplay | MSCT Windows Server 2016 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Turn off blocking of outdated ActiveX controls for Internet Explorer | MSCT Windows Server 2016 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Turn on Cross-Site Scripting Filter - Restricted Sites Zone | MSCT Windows Server 2016 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Turn on Enhanced Protected Mode | MSCT Windows Server 2016 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Turn on PowerShell Script Block Logging - EnableScriptBlockInvocationLogging | MSCT Windows Server 2016 MS v1.0.0 | Windows | ACCESS CONTROL |
| Turn on Protected Mode - Restricted Sites Zone | MSCT Windows Server 2016 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Turn on the auto-complete feature for user names and passwords on forms - FormSuggest PW Ask | MSCT Windows Server 2016 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Turn On Virtualization Based Security - EnableVirtualizationBasedSecurity | MSCT Windows Server 2016 MS v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Userdata persistence - Restricted Sites Zone | MSCT Windows Server 2016 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| WDigest Authentication | MSCT Windows Server 2016 MS v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Windows Firewall: Protect all network connections | MSCT Windows Server 2016 MS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| ZEBR-10-000400 - Zebra Android 10 must be configured to lock the display after 15 minutes (or less) of inactivity. | MobileIron - DISA Zebra Android 10 COBO v1r2 | MDM | ACCESS CONTROL |
