-
Notifications
You must be signed in to change notification settings - Fork 0
/
cis_include_rules.txt
469 lines (466 loc) · 47 KB
/
cis_include_rules.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
# This file lists the title of rules applied by the registry resource
# Note that additional rules are applied by Local Security Policy and Audit Policy resources
# Windows 11 v3.0.0
#Create cis_include_rules array in notepad++
#1. Paste in all hiera rules
#2. Mark valid lines with '^ "\(' search
#3. Search/bookmark/remove unbookmarked lines
#4. Replace '^ "' with ' - "'
#5. Replace '":$' with '"'
#6. Prepend the file
cis_security_hardening_windows::cis_include_rules:
- "(L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'"
- "(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'"
- "(L1) Ensure 'Audit: Force audit policy subcategory settings to override audit policy category settings' is set to 'Enabled'"
- "(L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'"
- "(L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'"
- "(L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'"
- "(L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'"
- "(L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
- "(L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'"
- "(L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
- "(L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
- "(L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'"
- "(L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'"
- "(L1) Ensure 'Interactive logon: Prompt user to change password before expiration is set' to 'between 5 and 14 days'"
- "(L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation or higher'"
- "(L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'"
- "(L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'"
- "(L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'"
- "(L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'"
- "(L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'"
- "(L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'"
- "(L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'"
- "(L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher"
- "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'"
- "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'"
- "(L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'"
- "(L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'"
- "(L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'"
- "(L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'"
- "(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured"
- "(L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
- "(L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'"
- "(L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'"
- "(L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
- "(L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'"
- "(L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'"
- "(L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'"
- "(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'"
- "(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
- "(L1) Ensure 'Network security: LAN Manager authentication level' is set to Send NTLMv2 response only. Refuse LM & NTLM'"
- "(L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing or higher'"
- "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
- "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
- "(L1) Ensure 'System objects: Require case insensitivity for nonWindows subsystems' is set to 'Enabled'"
- "(L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
- "(L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'"
- "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
- "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
- "(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
- "(L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'"
- "(L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'"
- "(L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
- "(L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'"
- "(L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'"
- "(L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'"
- "(L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'"
- "(L1) Ensure 'LxssManager (LxssManager) is set to 'Disabled' or 'Not Installed'"
- "(L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'"
- "(L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'"
- "(L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'"
- "(L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'"
- "(L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'"
- "(L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'"
- "(L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled'"
- "(L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'"
- "(L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'"
- "(L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'"
- "(L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'"
- "(L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'"
- "(L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'"
- "(L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'"
- "(L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'"
- "(L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
- "(L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
- "(L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'"
- "(L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
- "(L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
- "(L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
- "(L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'"
- "(L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
- "(L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
- "(L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'"
- "(L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
- "(L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
- "(L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
- "(L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'"
- "(L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
- "(L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
- "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
- "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
- "(L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'"
- "(L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
- "(L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
- "(L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
- "(L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'"
- "(L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'"
- "(L1) Ensure 'Allow users to enable online speech recognition services is set to 'Disabled'"
- "(L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'"
- "(L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'"
- "(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'"
- "(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'"
- "(L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'"
- "(L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node'"
- "(L1) Ensure 'WDigest Authentication' is set to 'Disabled'"
- "(L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon' is set to 'Disabled'"
- "(L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'"
- "(L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'"
- "(L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'"
- "(L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'"
- "(L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode is set to 'Enabled'"
- "(L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires' is set to 'Enabled: 5 or fewer seconds'"
- "(L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning is set' to 'Enabled: 90% or less'"
- "(L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'"
- "(L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'"
- "(L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'"
- "(L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'"
- "(L1) Ensure 'Require domain users to elevate when setting a networks location' is set to 'Enabled'"
- "(L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'"
- "(L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'"
- "(L1) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'"
- "(L1) Ensure 'Include command line in process creation events' is set to 'Enabled'"
- "(L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'"
- "(L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'"
- "(L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
- "(L1) Ensure 'Configure security policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
- "(L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'"
- "(L1) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'"
- "(L1) Ensure 'Continue experiences on this device' is set to 'Disabled'"
- "(L1) Ensure 'Turn off background refresh of Group Policy is set' to 'Disabled'"
- "(L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
- "(L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'"
- "(L1) Ensure 'Block user from showing account details on signin' is set to 'Enabled'"
- "(L1) Ensure 'Do not display network selection UI' is set to 'Enabled'"
- "(L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'"
- "(L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'"
- "(L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'"
- "(L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'"
- "(L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'"
- "(L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'"
- "(L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'"
- "(L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'"
- "(L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'"
- "(L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
- "(L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
- "(L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'"
- "(L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'"
- "(L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'"
- "(L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'"
- "(L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'"
- "(L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'"
- "(L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'"
- "(L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'"
- "(L1) Ensure 'Require pin for pairing' is set to 'Enabled'"
- "(L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'"
- "(L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'"
- "(L1) Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'"
- "(L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'"
- "(L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'"
- "(L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet'"
- "(L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
- "(L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
- "(L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
- "(L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'"
- "(L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
- "(L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
- "(L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
- "(L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
- "(L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'"
- "(L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'"
- "(L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'"
- "(L1) Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'"
- "(L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'"
- "(L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS is set to 'Disabled'"
- "(L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'"
- "(L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'"
- "(L1) Ensure 'Scan removable drives' is set to 'Enabled'"
- "(L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'"
- "(L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'"
- "(L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'"
- "(L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'"
- "(L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'"
- "(L1) Ensure 'Require secure RPC communication' is set to 'Enabled'"
- "(L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'"
- "(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'"
- "(L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'"
- "(L1) Ensure 'Allow Cortana' is set to 'Disabled'"
- "(L1) Ensure 'Allow Cortana above lock screen' is set to 'Disabled'"
- "(L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'"
- "(L1) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'"
- "(L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'"
- "(L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled"
- "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'"
- "(L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'"
- "(L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled but not Enabled: On'"
- "(L1) Ensure 'Allow user control over installs' is set to 'Disabled'"
- "(L1) Ensure 'Always install with elevated privileges is set to 'Disabled'"
- "(L1) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'"
- "(L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'"
- "(L1) WinRM Client: Ensure 'Allow Basic authentication' is set to 'Disabled'"
- "(L1) WinRM Client: Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
- "(L1) WinRM Client: Ensure 'Disallow Digest authentication' is set to 'Enabled'"
- "(L1) WinRM Service: Ensure 'Allow Basic authentication' is set to 'Disabled'"
- "(L1) WinRM Service: Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
- "(L1) WinRM Service: Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'"
- "(L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'"
- "(L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
- "(L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'"
- "(L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'"
- "(L1) Ensure 'Manage preview builds' is set to 'Disabled'"
- "(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more'"
- "(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'"
- "(L1) Ensure 'Allow auditing events in Microsoft Defender Application Guard is set to 'Enabled'"
- "(L1) Ensure 'Allow data persistence for Microsoft Defender Application Guard' is set to 'Disabled'"
- "(L1) Ensure 'Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'"
- "(L1) Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to 'Enabled'"
- "(L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'"
- "(L1) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'"
- "(L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'"
- "(L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'"
- "(L1) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'"
- "(L1) Ensure 'Configure Attack Surface Reduction rules is set to 'Enabled'"
- "(L1) Ensure 'ASR - Block Office communication application from creating child processes' is configured"
- "(L1) Ensure 'ASR - Block Office applications from creating executable content' is configured"
- "(L1) Ensure 'ASR - Block execution of potentially obfuscated scripts' is configured"
- "(L1) Ensure 'ASR - Block Office applications from injecting code into other processes' is configured"
- "(L1) Ensure 'ASR - Block Adobe Reader from creating child processes' is configured"
- "(L1) Ensure 'ASR - Block Win32 API calls from Office macro' is configured"
- "(L1) Ensure 'ASR - Block credential stealing from the Windows local security authority subsystem (lsass.exe)' is configured"
- "(L1) Ensure 'ASR - Block untrusted and unsigned processes that run from USB' is configured"
- "(L1) Ensure 'ASR - Block executable content from email client and webmail' is configured"
- "(L1) Ensure 'ASR - Block JavaScript or VBScript from launching downloaded executable content' is configured"
- "(L1) Ensure 'ASR - Block Office applications from creating child processes' is configured"
- "(L1) Allow files to download and save to the host operating system from Microsoft Defender Application Guard"
- "(L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'"
- "(L1) Ensure 'Remove access to 'Pause updates' feature is set to 'Enabled'"
- "(L1) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'"
- "(L1) Ensure 'Allow camera and microphone access in Windows Defender Application Guard'"
- "(L1) Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny'"
- "(L1) Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'"
- "(L1) Ensure 'Relax minimum password length limits' is set to 'Enabled' (ie can be above legacy limit of 14)"
- "(L1) Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled'"
- "(L1) Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed'"
- "(L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'"
- "(L1) Ensure 'Turn off real-time protection' is set to 'Disabled'"
- "(L1) ASR - Block persistence through WMI event subscription"
- "(L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'"
- "(L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'"
- "(L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'"
- "(L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'"
- "(L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'"
- "(L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher"
- "(L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'"
- "(L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled'"
- "(L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'"
- "(L1) Ensure 'Limit Dump Collection' is set to 'Enabled'"
- "(L1) Ensure 'Turn on script scanning' is set to 'Enabled'"
- "(L1) Ensure 'Allow widgets' is set to 'Disabled'"
- "(L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled'"
- "(L1) Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'"
- "(L1) Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'"
- "(L1) Ensure 'Enable App Installer' is set to 'Disabled'"
- "(L1) Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'"
- "(L1) Ensure 'Enable App Installer Hash Override' is set to 'Disabled'"
- "(L1) Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'"
- "(L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'"
- "(L1) Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock'"
- "(L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'"
- "(L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'"
- "(L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP"
- "(L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'"
- "(L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'"
- "(L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher"
- "(L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'"
- "(L1) Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'"
- "(L1) Ensure 'ASR - Block abuse of exploited vulnerable signed drivers' is configured"
- "(L1) Ensure 'Enable MPR notifications for the system' is set to 'Disabled'"
- "(L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'"
- "(L1) Ensure 'Turn On Virtualization Based Security: Kernel-mode Hardware-enforced Stack Protection' is set to 'Enabled: Enabled in enforcement mode'"
- "(L1) Ensure 'Notify Malicious' is set to 'Enabled'"
- "(L1) Ensure 'Notify Password Reuse' is set to'Enabled'"
- "(L1) Ensure 'Notify Unsafe App' is set to 'Enabled'"
- "(L1) Ensure 'Service Enabled' is set to 'Enabled'"
- "(L1) Ensure 'Enable ESS with Supported Peripherals' is set to 'Enabled: 1'"
- "(L1) Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
- "(L1) Ensure 'Enable Windows NTP Server' is set to 'Disabled'"
- "(L1) Ensure 'Enable file hash computation feature' is set to 'Enabled' (this is missing 'enabled' from key in CIS doc)"
- "(L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
- "(L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'"
- "(L1) Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts'"
- "(L1) Ensure 'Configure password backup directory' is set to 'Enabled: Active Directory' or 'Enabled: Azure Active Directory'"
- "(L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'"
- "(L1) Ensure 'Enable password encryption' is set to 'Enabled'"
- "(L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'"
- "(L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'"
- "(L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'"
- "(L1) Ensure 'Post-authentication actions: Grace period (hours)' is set to 'Enabled: 8 or fewer hours, but not 0'"
- "(L1) Ensure 'Post-authentication actions: Actions' is set to 'Enabled: Reset the password and logoff the managed account' or higher"
- "(L1) Ensure 'Scan packed executables' is set to 'Enabled'"
- "(L1) Ensure 'Enable features introduced via servicing that are off by default' is set to 'Disabled'"
- "(L1) Ensure 'Enable Certificate Padding' is set to 'Enabled'"
- "(L1) Ensure 'Automatic Data Collection' is set to 'Enabled'"
- "(L1) Ensure 'Enable optional updates' is set to 'Disabled'"
- "(L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'"
- "(L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'"
- "(L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used'"
- "(L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'"
- "(L2) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'"
- "(L2) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'"
- "(L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'"
- "(L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'"
- "(L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'"
- "(L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'"
- "(L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'"
- "(L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'"
- "(L2) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'"
- "(L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'"
- "(L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'"
- "(L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'"
- "(L2) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'"
- "(L2) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'"
- "(L2) Ensure 'Server (LanmanServer)' is set to 'Disabled'"
- "(L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'"
- "(L2) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'"
- "(L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'"
- "(L2) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'"
- "(L2) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'"
- "(L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'"
- "(L2) Ensure 'Allow Online Tips' is set to 'Disabled'"
- "(L2) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'"
- "(L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000' or '5 minutes'"
- "(L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses' is set to 'Disabled'"
- "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
- "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
- "(L2) Ensure 'Enable Font Providers' is set to 'Disabled'"
- "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'"
- "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'"
- "(L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'"
- "(L2) Ensure 'Disable IPv6 (Ensure TCPIP6 Parameter DisabledComponents' is set to '0xff (255)')"
- "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'"
- "(L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'"
- "(L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
- "(L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
- "(L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
- "(L2) Ensure 'Turn off access to the Store' is set to 'Enabled'"
- "(L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled'"
- "(L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'"
- "(L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
- "(L2) Ensure 'Turn off the 'Order Prints' picture task' is set to 'Enabled'"
- "(L2) Ensure 'Turn off the 'Publish to Web' task for files and folders' is set to 'Enabled'"
- "(L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
- "(L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
- "(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'"
- "(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'"
- "(L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
- "(L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'"
- "(L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
- "(L2) Ensure 'Turn off the advertising ID' is set to 'Enabled'"
- "(L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'"
- "(L2) Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content' is set to 'Enabled'"
- "(L2) Ensure 'Allow Use of Camera' is set to 'Disabled'"
- "(L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'"
- "(L2) Ensure 'Turn off location' is set to 'Enabled'"
- "(L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'"
- "(L2) Ensure 'Turn off Push To Install service is set to 'Enabled'"
- "(L2) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'"
- "(L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
- "(L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
- "(L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
- "(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
- "(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
- "(L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'"
- "(L2) Ensure 'Turn off KMS Client Online AVS Validation is set to Enabled"
- "(L2) Ensure 'Disable all apps from Windows Store is set to Disabled"
- "(L2) Ensure 'Ensure 'Turn off the Store application' is set to 'Enabled'"
- "(L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'"
- "(L2) Ensure 'Configure Watson events' is set to 'Disabled'"
- "(L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'"
- "(L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'"
- "(L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'"
- "(L2) Ensure 'Turn off notifications network usage' is set to 'Enabled'"
- "(L2) Ensure 'Allow upload of User Activities' is set to 'Disabled' "
- "(L2) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'"
- "(L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'"
- "(L2) Ensure 'Turn off cloud optimized content' is set to 'Enabled'"
- "(L2) Ensure 'Enable news and interests on the taskbar' is set to 'Disabled'"
- "(L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled'"
- "(L2) Ensure 'Allow UI Automation redirection' is set to 'Disabled'"
- "(L2) Ensure 'Do not allow location redirection' is set to 'Enabled'"
- "(L2) Ensure 'Do not allow WebAuthn redirection' is set to 'Enabled'"
- "(L2) Ensure 'Allow search highlights' is set to 'Disabled'"
- "(L2) Ensure 'Turn off account-based insights, recent, favorite, and recommended files in File Explorer' is set to 'Enabled'"
- "(L2) Ensure 'Disable Cloud Clipboard integration for server-to-client data transfer' is set to 'Enabled'"
- "(L2) Ensure 'Remove Personalized Website Recommendations from the Recommended section in the Start Menu' is set to 'Enabled'"
- "(L2) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'"
- "(L2) Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'"
- "(BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'"
- "(BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'"
- "(BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\\CC_0C0A'"
- "(BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed' is set to True (checked)'"
- "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'"
- "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes'"
- "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed' is set to 'True'"
- "(BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'"
- "(BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'"
- "(BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'"
- "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'"
- "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'"
- "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' or higher"
- "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' or higher"
- "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'"
- "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'"
- "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'"
- "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'"
- "(BL) Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'"
- "(BL) Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'"
- "(BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'"
- "(BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to Enabled: True'"
- "(BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'"
- "(BL) Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'"
- "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'"
- "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'"
- "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password'"
- "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'"
- "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'"
- "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'"
- "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Store recovery passwords and key packages'"
- "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'"
- "(BL) Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'"
- "(BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True'"
- "(BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False'"
- "(BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Restrict crypto algorithms or cipher suites to the following' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42'"
- "(BL) Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'"
- "(BL) Ensure 'Require additional authentication at startup' is set to 'Enabled'"
- "(BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'"
- "(BL) Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled'"
- "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to Enabled"
- "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'"
- "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password'"
- "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'"
- "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'"
- "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False'"
- "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'"
- "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False'"
- "(BL) Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled'"
- "(BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True'"
- "(BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False'"
- "(BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Restrict crypto algorithms or cipher suites to the following' is set to 'Enabled'"
- "(BL) Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled'"
- "(BL) Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'"
- "(BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True'"
- "(BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'"
- "(BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'"
- "(BL) Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled'"
- "(BL) Bitlocker Misc (to verify if required)"
- "(BL) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'"