diff --git a/docs/solutions/cis/macos-13/configuration-profiles/1.2.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-1.2.mobileconfig
similarity index 90%
rename from docs/solutions/cis/macos-13/configuration-profiles/1.2.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-1.2.mobileconfig
index 5d576e4d7c..9146187809 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/1.2.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-1.2.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Auto Update Is Enabled
+ [macOS 13] Ensure Auto Update Is Enabled
PayloadIdentifier
- com.fleetdm.cis-1.2
+ com.fleetdm.macos13.cis-1.2
PayloadRemovalDisallowed
PayloadScope
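Review bot: Changing `PayloadIdentifier` here, and in the same way in every other hunk of this commit, gives the profile a new identity, so a host that already has `com.fleetdm.cis-1.2` installed will most likely receive `com.fleetdm.macos13.cis-1.2` as a second profile rather than as an update. The XML structure is not visible in this view, but the neighbouring `PayloadRemovalDisallowed` and `PayloadScope` keys suggest this is the top-level identifier. The commit should document the migration step of removing the old-identifier profiles from the MDM when the renamed ones are uploaded. Leftover copies matter most for the enable/disable pairs (2.1.1.2, 2.5.1, 2.8.1), where a stale profile could keep enforcing the opposite setting. It is also worth confirming that `PayloadUUID`, which lies outside the hunk, is unique per OS version if these files share content with the macos-14 and macos-15 copies.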
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/1.3.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-1.3.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-14/configuration-profiles/1.3.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-1.3.mobileconfig
index a2bd6671ec..6be57dda35 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/1.3.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-1.3.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Download New Updates When Available Is Enabled
+ [macOS 13] Ensure Download New Updates When Available Is Enabled
PayloadIdentifier
- com.fleetdm.cis-1.3
+ com.fleetdm.macos13.cis-1.3
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/1.4.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-1.4.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-15/configuration-profiles/1.4.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-1.4.mobileconfig
index bee74453b5..0de7632f0c 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/1.4.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-1.4.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Install of macOS Updates Is Enabled
+ [macOS 13] Ensure Install of macOS Updates Is Enabled
PayloadIdentifier
- com.fleetdm.cis-1.4
+ com.fleetdm.macos13.cis-1.4
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/1.5.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-1.5.mobileconfig
similarity index 87%
rename from docs/solutions/cis/macos-14/configuration-profiles/1.5.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-1.5.mobileconfig
index 416b7a0d85..fe5c0f6047 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/1.5.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-1.5.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Install Application Updates from the App Store Is Enabled
+ [macOS 13] Ensure Install Application Updates from the App Store Is Enabled
PayloadIdentifier
- com.fleetdm.cis-1.5
+ com.fleetdm.macos13.cis-1.5
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/1.6.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-1.6.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-13/configuration-profiles/1.6.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-1.6.mobileconfig
index 263f12fcb5..327a170e91 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/1.6.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-1.6.mobileconfig
@@ -22,9 +22,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Install Security Responses and System Files Is Enabled
+ [macOS 13] Ensure Install Security Responses and System Files Is Enabled
PayloadIdentifier
- com.fleetdm.cis-1.6
+ com.fleetdm.macos13.cis-1.6
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/1.7.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-1.7.mobileconfig
similarity index 87%
rename from docs/solutions/cis/macos-13/configuration-profiles/1.7.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-1.7.mobileconfig
index 1dcca5b3b0..adaf7eb7e0 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/1.7.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-1.7.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Software Update Deferment Is Less Than or Equal to 30 Days
+ [macOS 13] Ensure Software Update Deferment Is Less Than or Equal to 30 Days
PayloadIdentifier
- com.zwass.cis-1.7
+ macos13.com.zwass.cis-1.7
PayloadRemovalDisallowed
PayloadScope
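Review bot: The new identifier `macos13.com.zwass.cis-1.7` breaks the pattern every other profile in this commit follows: the OS tag is prepended before the reverse-DNS prefix, and the `com.zwass` namespace is kept instead of `com.fleetdm`. Unless that namespace is intentional, this line should read `com.fleetdm.macos13.cis-1.7`, so that an inventory or audit query matching on the `com.fleetdm.macos13.` prefix also covers the update-deferment profile.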
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.1.1.1-enable.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.1.1.1-enable.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.1.1.1-enable.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.1.1.1-enable.mobileconfig
index 9a8bc0992f..a591bc30da 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.1.1.1-enable.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.1.1.1-enable.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure iCloud Keychain is enabled
+ [macOS 13] Ensure iCloud Keychain is enabled
PayloadIdentifier
- com.fleetdm.cis-2.1.1.1-enable
+ com.fleetdm.macos13.cis-2.1.1.1-enable
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.1.1.2-disable.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.1.1.2-disable.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.1.1.2-disable.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.1.1.2-disable.mobileconfig
index f701b8fa75..e38bb4cea5 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.1.1.2-disable.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.1.1.2-disable.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Disable iCloud Drive storage solution usage
+ [macOS 13] Disable iCloud Drive storage solution usage
PayloadIdentifier
- com.fleetdm.cis-2.1.1.2-disable
+ com.fleetdm.macos13.cis-2.1.1.2-disable
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/2.1.1.2-enable.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.1.1.2-enable.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-15/configuration-profiles/2.1.1.2-enable.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.1.1.2-enable.mobileconfig
index 50d8788d77..e78cf87a1c 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/2.1.1.2-enable.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.1.1.2-enable.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Enable iCloud Drive storage solution usage
+ [macOS 13] Enable iCloud Drive storage solution usage
PayloadIdentifier
- com.fleetdm.cis-2.1.1.2-enable
+ com.fleetdm.macos13.cis-2.1.1.2-enable
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.1.1.3.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.1.1.3.mobileconfig
similarity index 87%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.1.1.3.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.1.1.3.mobileconfig
index a210df0a09..3ea5a820da 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.1.1.3.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.1.1.3.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure iCloud Drive Document and Desktop Sync Is Disabled
+ [macOS 13] Ensure iCloud Drive Document and Desktop Sync Is Disabled
PayloadIdentifier
- com.fleetdm.cis-2.1.1.3
+ com.fleetdm.macos13.cis-2.1.1.3
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.10.3.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.10.3.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.10.3.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.10.3.mobileconfig
index c9ecbd26d5..a77f9d44ad 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.10.3.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.10.3.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure a Custom Message for the Login Screen Is Enabled
+ [macOS 13] Ensure a Custom Message for the Login Screen Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.10.3
+ com.fleetdm.macos13.cis-2.10.3
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/2.12.3.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.12.3.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-15/configuration-profiles/2.12.3.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.12.3.mobileconfig
index 217b1d5ebe..418ec67c20 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/2.12.3.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.12.3.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Automatic Login Is Disabled
+ [macOS 13] Ensure Automatic Login Is Disabled
PayloadIdentifier
- com.fleetdm.cis-2.12.3
+ com.fleetdm.macos13.cis-2.12.3
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.2.1.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.2.1.mobileconfig
similarity index 90%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.2.1.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.2.1.mobileconfig
index 8f9d756837..28c0fb6395 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.2.1.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.2.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Firewall Is Enabled
+ [macOS 13] Ensure Firewall Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.2.1
+ com.fleetdm.macos13.cis-2.2.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.2.2.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.2.2.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.2.2.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.2.2.mobileconfig
index c9c16ef88a..6a35760e2b 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.2.2.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.2.2.mobileconfig
@@ -22,9 +22,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Firewall Stealth Mode Is Enabled
+ [macOS 13] Ensure Firewall Stealth Mode Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.2.2
+ com.fleetdm.macos13.cis-2.2.2
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.3.1.1.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.3.1.1.mobileconfig
similarity index 90%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.3.1.1.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.3.1.1.mobileconfig
index 5453a36d7e..c10e3dc49a 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.3.1.1.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.3.1.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure AirDrop Is Disabled
+ [macOS 13] Ensure AirDrop Is Disabled
PayloadIdentifier
- com.fleetdm.cis-2.3.1.1
+ com.fleetdm.macos13.cis-2.3.1.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.3.1.2.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.3.1.2.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.3.1.2.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.3.1.2.mobileconfig
index 707f9c26c6..f09715dab6 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.3.1.2.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.3.1.2.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure AirPlay Receiver Is Disabled
+ [macOS 13] Ensure AirPlay Receiver Is Disabled
PayloadIdentifier
- com.fleetdm.cis-2.3.1.2
+ com.fleetdm.macos13.cis-2.3.1.2
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.3.2.1.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.3.2.1.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.3.2.1.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.3.2.1.mobileconfig
index f299a44c1f..02442b31b3 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.3.2.1.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.3.2.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Set Time and Date Automatically Is Enabled
+ [macOS 13] Ensure Set Time and Date Automatically Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.3.2.1
+ com.fleetdm.macos13.cis-2.3.2.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.3.3.10.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.3.3.10.mobileconfig
similarity index 91%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.3.3.10.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.3.3.10.mobileconfig
index 28fa7f39e6..06dfd68b3a 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.3.3.10.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.3.3.10.mobileconfig
@@ -24,9 +24,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Media Sharing is Disabled
+ [macOS 13] Ensure Media Sharing is Disabled
PayloadIdentifier
- com.fleetdm.cis-2.3.3.10
+ com.fleetdm.macos13.cis-2.3.3.10
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.3.3.9.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.3.3.9.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.3.3.9.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.3.3.9.mobileconfig
index 7c5eb6352e..68c4662a5c 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.3.3.9.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.3.3.9.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Content Caching Is Disabled
+ [macOS 13] Ensure Content Caching Is Disabled
PayloadIdentifier
- com.fleetdm.cis-2.3.3.9
+ com.fleetdm.macos13.cis-2.3.3.9
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.4.1.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.4.1.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.4.1.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.4.1.mobileconfig
index 528cd219b6..7987519d96 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.4.1.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.4.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Show Wi-Fi status in Menu Bar Is Enabled
+ [macOS 13] Ensure Show Wi-Fi status in Menu Bar Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.4.1
+ com.fleetdm.macos13.cis-2.4.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/2.4.2.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.4.2.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-15/configuration-profiles/2.4.2.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.4.2.mobileconfig
index 0d0349d040..d9c70cfd40 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/2.4.2.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.4.2.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Show Bluetooth Status in Menu Bar Is Enabled
+ [macOS 13] Ensure Show Bluetooth Status in Menu Bar Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.4.2
+ com.fleetdm.macos13.cis-2.4.2
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.5.1-disable.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.5.1-disable.mobileconfig
similarity index 91%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.5.1-disable.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.5.1-disable.mobileconfig
index cf61d53acb..b34dba1930 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.5.1-disable.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.5.1-disable.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Disable Siri
+ [macOS 13] Disable Siri
PayloadIdentifier
- com.fleetdm.cis-2.5.1-disable
+ com.fleetdm.macos13.cis-2.5.1-disable
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.5.1-enable.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.5.1-enable.mobileconfig
similarity index 91%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.5.1-enable.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.5.1-enable.mobileconfig
index 5bac3db11a..4f65502a3e 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.5.1-enable.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.5.1-enable.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Enable Siri
+ [macOS 13] Enable Siri
PayloadIdentifier
- com.fleetdm.cis-2.5.1-enable
+ com.fleetdm.macos13.cis-2.5.1-enable
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.6.1.1.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.6.1.1.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.6.1.1.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.6.1.1.mobileconfig
index 097323330d..458c610eff 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.6.1.1.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.6.1.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Location Services Is Enabled
+ [macOS 13] Ensure Location Services Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.6.1.1
+ com.fleetdm.macos13.cis-2.6.1.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.6.2-part1.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.6.2-part1.mobileconfig
similarity index 86%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.6.2-part1.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.6.2-part1.mobileconfig
index c57d32092c..6b4823293a 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.6.2-part1.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.6.2-part1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 1)
+ [macOS 13] Ensure Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 1)
PayloadIdentifier
- com.fleetdm.cis-2.6.2-part1
+ com.fleetdm.macos13.cis-2.6.2-part1
PayloadRemovalDisallowed
PayloadScope
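Review bot: The display name still carries the doubled word `Ensure Ensure`, and the same applies to the part 3 profile further down; part 2 already has a single `Ensure`. Since the string is being edited anyway, it should become `[macOS 13] Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 1)`, and likewise for part 3, so the three parts read consistently in the installed-profiles list.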
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.6.2-part2.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.6.2-part2.mobileconfig
similarity index 86%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.6.2-part2.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.6.2-part2.mobileconfig
index 363a447e55..b7b0c5b016 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.6.2-part2.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.6.2-part2.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 2)
+ [macOS 13] Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 2)
PayloadIdentifier
- com.fleetdm.cis-2.6.2-part2
+ com.fleetdm.macos13.cis-2.6.2-part2
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.6.2-part3.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.6.2-part3.mobileconfig
similarity index 86%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.6.2-part3.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.6.2-part3.mobileconfig
index c0e551443d..135cb438f8 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.6.2-part3.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.6.2-part3.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 3)
+ [macOS 13] Ensure Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 3)
PayloadIdentifier
- com.fleetdm.cis-2.6.2-part3
+ com.fleetdm.macos13.cis-2.6.2-part3
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.6.3.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.6.3.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.6.3.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.6.3.mobileconfig
index 2bed86338e..54256602c0 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.6.3.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.6.3.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Limit Ad Tracking Is Enabled
+ [macOS 13] Ensure Limit Ad Tracking Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.6.3
+ com.fleetdm.macos13.cis-2.6.3
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.6.4.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.6.4.mobileconfig
similarity index 90%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.6.4.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.6.4.mobileconfig
index 9cc87eaab2..f5d334f01a 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.6.4.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.6.4.mobileconfig
@@ -22,9 +22,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Gatekeeper Is Enabled
+ [macOS 13] Ensure Gatekeeper Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.6.4
+ com.fleetdm.macos13.cis-2.6.4
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.6.5.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.6.5.mobileconfig
similarity index 90%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.6.5.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.6.5.mobileconfig
index da7247ad2b..ce43d8cc04 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.6.5.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.6.5.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure FileVault Is Enabled
+ [macOS 13] Ensure FileVault Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.6.5
+ com.fleetdm.macos13.cis-2.6.5
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.8.1-disable.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.8.1-disable.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.8.1-disable.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.8.1-disable.mobileconfig
index 82816dd0ef..57cffb52fb 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.8.1-disable.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.8.1-disable.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Universal Control is disabled
+ [macOS 13] Ensure Universal Control is disabled
PayloadIdentifier
- com.fleetdm.cis-2.8.1-disabled
+ com.fleetdm.macos13.cis-2.8.1-disabled
PayloadRemovalDisallowed
PayloadScope
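Review bot: The identifier suffix `-disabled` does not match the file name `macos13-2.8.1-disable.mobileconfig`, and the 2.8.1 enable profile has the same mismatch with `-enabled`. The other paired profiles in this commit (2.1.1.2, 2.5.1) use `-disable`/`-enable` in both places. As the identifiers are being rewritten here anyway, `com.fleetdm.macos13.cis-2.8.1-disable` and `com.fleetdm.macos13.cis-2.8.1-enable` would make the file-to-identifier mapping uniform.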
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/2.8.1-enable.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.8.1-enable.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-15/configuration-profiles/2.8.1-enable.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-2.8.1-enable.mobileconfig
index 126c98c07c..c8f03e91f8 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/2.8.1-enable.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-2.8.1-enable.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Universal Control is enabled
+ [macOS 13] Ensure Universal Control is enabled
PayloadIdentifier
- com.fleetdm.cis-2.8.1-enabled
+ com.fleetdm.macos13.cis-2.8.1-enabled
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/3.6.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-3.6.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-13/configuration-profiles/3.6.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-3.6.mobileconfig
index a4474aa98e..9ae662b7d3 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/3.6.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-3.6.mobileconfig
@@ -24,9 +24,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Firewall Logging Is Enabled and Configured
+ [macOS 13] Ensure Firewall Logging Is Enabled and Configured
PayloadIdentifier
- com.fleetdm.cis-3.6
+ com.fleetdm.macos13.cis-3.6
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/4.1.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-4.1.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-13/configuration-profiles/4.1.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-4.1.mobileconfig
index ceecc14821..9e10bca5f9 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/4.1.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-4.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Bonjour Advertising Services Is Disabled
+ [macOS 13] Ensure Bonjour Advertising Services Is Disabled
PayloadIdentifier
- com.fleetdm.cis-4.1
+ com.fleetdm.macos13.cis-4.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/5.2.1.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-5.2.1.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-13/configuration-profiles/5.2.1.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-5.2.1.mobileconfig
index 224bb96c40..de6175b9af 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/5.2.1.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-5.2.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Password Account Lockout Threshold Is Configured
+ [macOS 13] Ensure Password Account Lockout Threshold Is Configured
PayloadIdentifier
- com.fleetdm.cis-5.2.1
+ com.fleetdm.macos13.cis-5.2.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/5.2.2.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-5.2.2.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-15/configuration-profiles/5.2.2.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-5.2.2.mobileconfig
index d2b4195a47..a50ab1e008 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/5.2.2.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-5.2.2.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Password Minimum Length Is Configured
+ [macOS 13] Ensure Password Minimum Length Is Configured
PayloadIdentifier
- com.fleetdm.cis-5.2.2
+ com.fleetdm.macos13.cis-5.2.2
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/5.2.3-and-5.2.4.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-5.2.3-and-5.2.4.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-14/configuration-profiles/5.2.3-and-5.2.4.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-5.2.3-and-5.2.4.mobileconfig
index 6555d780ce..59558016c2 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/5.2.3-and-5.2.4.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-5.2.3-and-5.2.4.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Require AlphaNumeric characters in password
+ [macOS 13] Require AlphaNumeric characters in password
PayloadIdentifier
- com.fleetdm.cis-5.2.3-and-5.2.4
+ com.fleetdm.macos13.cis-5.2.3-and-5.2.4
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/5.2.5.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-5.2.5.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-13/configuration-profiles/5.2.5.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-5.2.5.mobileconfig
index 6194054bec..2f3247b84b 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/5.2.5.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-5.2.5.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Require Special characters in password
+ [macOS 13] Require Special characters in password
PayloadIdentifier
- com.fleetdm.cis-5.2.5
+ com.fleetdm.macos13.cis-5.2.5
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/5.2.7.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-5.2.7.mobileconfig
similarity index 90%
rename from docs/solutions/cis/macos-13/configuration-profiles/5.2.7.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-5.2.7.mobileconfig
index 9645354659..d59a3f654c 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/5.2.7.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-5.2.7.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Password Age Is Configured
+ [macOS 13] Ensure Password Age Is Configured
PayloadIdentifier
- com.fleetdm.cis-5.2.7
+ com.fleetdm.macos13.cis-5.2.7
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/5.2.8.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-5.2.8.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-15/configuration-profiles/5.2.8.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-5.2.8.mobileconfig
index a52c57d2cd..234bc0b720 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/5.2.8.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-5.2.8.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Password History Is Configured
+ [macOS 13] Ensure Password History Is Configured
PayloadIdentifier
- com.fleetdm.cis-5.2.8
+ com.fleetdm.macos13.cis-5.2.8
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/6.3.1.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-6.3.1.mobileconfig
similarity index 87%
rename from docs/solutions/cis/macos-13/configuration-profiles/6.3.1.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-6.3.1.mobileconfig
index 10a6bdba7b..86d3c379ad 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/6.3.1.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-6.3.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Automatic Opening of Safe Files in Safari Is Disabled
+ [macOS 13] Ensure Automatic Opening of Safe Files in Safari Is Disabled
PayloadIdentifier
- com.fleetdm.cis-6.3.1
+ com.fleetdm.macos13.cis-6.3.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/6.3.2.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-6.3.2.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-14/configuration-profiles/6.3.2.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-6.3.2.mobileconfig
index bf7839b4ce..63fe66c17c 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/6.3.2.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-6.3.2.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Audit History and Remove History Items
+ [macOS 13] Audit History and Remove History Items
PayloadIdentifier
- com.fleetdm.cis-6.3.2
+ com.fleetdm.macos13.cis-6.3.2
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/6.3.3.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-6.3.3.mobileconfig
similarity index 87%
rename from docs/solutions/cis/macos-15/configuration-profiles/6.3.3.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-6.3.3.mobileconfig
index 250550d143..91c63190db 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/6.3.3.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-6.3.3.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled
+ [macOS 13] Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled
PayloadIdentifier
- com.fleetdm.cis-6.3.3
+ com.fleetdm.macos13.cis-6.3.3
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/6.3.4.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-6.3.4.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-14/configuration-profiles/6.3.4.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-6.3.4.mobileconfig
index 88bde35973..0174e90183 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/6.3.4.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-6.3.4.mobileconfig
@@ -24,9 +24,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Prevent Cross-site Tracking in Safari Is Enabled
+ [macOS 13] Ensure Prevent Cross-site Tracking in Safari Is Enabled
PayloadIdentifier
- com.fleetdm.cis-6.3.4
+ com.fleetdm.macos13.cis-6.3.4
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/6.3.7.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-6.3.7.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-15/configuration-profiles/6.3.7.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-6.3.7.mobileconfig
index 9351714af6..7c80354c4d 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/6.3.7.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-6.3.7.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Show Full Website Address in Safari Is Enabled
+ [macOS 13] Ensure Show Full Website Address in Safari Is Enabled
PayloadIdentifier
- com.fleetdm.cis-6.3.7
+ com.fleetdm.macos13.cis-6.3.7
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/6.4.1.mobileconfig b/docs/solutions/cis/macos-13/configuration-profiles/macos13-6.4.1.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-15/configuration-profiles/6.4.1.mobileconfig
rename to docs/solutions/cis/macos-13/configuration-profiles/macos13-6.4.1.mobileconfig
index 9aca882491..7827ff6b28 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/6.4.1.mobileconfig
+++ b/docs/solutions/cis/macos-13/configuration-profiles/macos13-6.4.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Secure Keyboard Entry Terminal.app Is Enabled
+ [macOS 13] Ensure Secure Keyboard Entry Terminal.app Is Enabled
PayloadIdentifier
- com.fleetdm.cis-6.4.1
+ com.fleetdm.macos13.cis-6.4.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/policies/cis-policy-queries.yml b/docs/solutions/cis/macos-13/policies/cis-policy-queries.yml
index f2aa9364d3..fe30b9f777 100644
--- a/docs/solutions/cis/macos-13/policies/cis-policy-queries.yml
+++ b/docs/solutions/cis/macos-13/policies/cis-policy-queries.yml
@@ -2,7 +2,7 @@
# They are preserved for reference and for use by other tooling.
# Affected fields: purpose, tags, contributors, platforms
-- name: CIS - Ensure All Apple-provided Software Is Current (Fleetd Required)
+- name: "[macOS 13] CIS - Ensure All Apple-provided Software Is Current (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
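Review bot: Every `name:` in this file now changes (here and in each following hunk), and if policies are matched by name when the file is applied, the unprefixed `CIS - …` policies already deployed will either be left behind as duplicates or be dropped together with their pass/fail history and any automations attached to them. The header comment at the top of the file is the natural place to record this, e.g. `# Policy names carry a "[macOS 13]" prefix; remove or migrate the unprefixed policies when applying.` The double quotes are required because an unquoted leading `[` starts a YAML flow sequence, so they should be kept if names are edited later.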
@@ -20,7 +20,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-1.1
# contributors: sharon-fdm
-- name: CIS - Ensure Auto Update Is Enabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Auto Update Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks that the system is configured via MDM to automatically install updates.
@@ -44,7 +44,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-1.2
# contributors: sharon-fdm
-- name: CIS - Ensure Download New Updates When Available Is Enabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Download New Updates When Available Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks that the system is configured via MDM to automatically download updates.
@@ -68,7 +68,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-1.3
# contributors: sharon-fdm
-- name: CIS - Ensure Install of macOS Updates Is Enabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Install of macOS Updates Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Ensure that macOS updates are installed after they are available from Apple.
@@ -92,7 +92,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-1.4
# contributors: sharon-fdm
-- name: CIS - Ensure Install Application Updates from the App Store Is Enabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Install Application Updates from the App Store Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Ensure that application updates are installed after they are available from Apple.
@@ -116,7 +116,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-1.5
# contributors: lucasmrod
-- name: CIS - Ensure XProtect Is Running and Updated
+- name: "[macOS 13] CIS - Ensure XProtect Is Running and Updated"
# platforms: macOS
platform: darwin
description: |
@@ -140,7 +140,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: defensivedepth, getvictor
-- name: CIS - Ensure Install Security Responses and System Files Is Enabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Install Security Responses and System Files Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
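Review bot: The `# tags:` context line at the top of this hunk, which closes the XProtect policy above, lists only `compliance, CIS, CIS_Level1` with no `CIS-macos-13-<id>` entry, unlike the neighbouring policies. The same gap shows on the tag lines closing the Time Service and 'Show Location Icon in Control Center' policies further down. Since the file header says these commented fields are kept for other tooling, anything that maps policies to benchmark recommendations by tag would skip these three. Suggest appending the benchmark id to each, in the form `CIS-macos-13-<recommendation id>`, once the id is confirmed against the benchmark.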
@@ -168,7 +168,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-1.6
# contributors: sharon-fdm
-- name: CIS - Ensure Software Update Deferment Is Less Than or Equal to 30 Days (MDM Required)
+- name: "[macOS 13] CIS - Ensure Software Update Deferment Is Less Than or Equal to 30 Days (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -198,7 +198,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-1.7
# contributors: lucasmrod
-- name: CIS - Ensure iCloud Drive storage solution is disabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure iCloud Drive storage solution is disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -232,7 +232,7 @@
# tags: compliance, CIS, CIS_Level2, CIS-macos-13-2.1.1.2-disabled, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure iCloud Drive storage solution is enabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure iCloud Drive storage solution is enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -266,7 +266,7 @@
# tags: compliance, CIS, CIS_Level2, CIS-macos-13-2.1.1.2-enabled, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure iCloud Keychain is disabled (if your org policy is to disable it) (MDM Required)
+- name: "[macOS 13] CIS - Ensure iCloud Keychain is disabled (if your org policy is to disable it) (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -301,7 +301,7 @@
# tags: compliance, CIS, CIS_Level2, CIS-macos-13-2.1.1.1-disable, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure iCloud Keychain is enabled (if your org policy is to enable it) (MDM Required)
+- name: "[macOS 13] CIS - Ensure iCloud Keychain is enabled (if your org policy is to enable it) (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -336,7 +336,7 @@
# tags: compliance, CIS, CIS_Level2, CIS-macos-13-2.1.1.1-enable, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure iCloud Drive Document and Desktop Sync Is Disabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure iCloud Drive Document and Desktop Sync Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Automated Document synchronization should be planned and controlled to approved storage.
@@ -365,7 +365,7 @@
# tags: compliance, CIS, CIS_Level2, CIS-macos-13-2.1.1.3
# contributors: zwass
-- name: CIS - Ensure Firewall Is Enabled
+- name: "[macOS 13] CIS - Ensure Firewall Is Enabled"
# platforms: macOS
platform: darwin
description: A firewall minimizes the threat of unauthorized users gaining access to your system while connected to a network or the Internet.
@@ -375,7 +375,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.2.1
# contributors: sharon-fdm
-- name: CIS - Ensure Firewall Stealth Mode Is Enabled
+- name: "[macOS 13] CIS - Ensure Firewall Stealth Mode Is Enabled"
# platforms: macOS
platform: darwin
description: |
@@ -393,7 +393,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.2.2
# contributors: lucasmrod
-- name: CIS - Ensure AirDrop Is Disabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure AirDrop Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -424,7 +424,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.3.1.1
# contributors: lucasmrod
-- name: CIS - Ensure AirPlay Receiver Is Disabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure AirPlay Receiver Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -461,7 +461,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.3.1.2
# contributors: lucasmrod
-- name: CIS - Ensure Set Time and Date Automatically Is Enabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Set Time and Date Automatically Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -491,7 +491,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.3.2.1
# contributors: sharon-fdm
-- name: CIS - Ensure the Time Service Is Enabled
+- name: "[macOS 13] CIS - Ensure the Time Service Is Enabled"
# platforms: macOS
platform: darwin
description: |
@@ -505,7 +505,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: defensivedepth
-- name: CIS - Ensure Time Is Set Within Appropriate Limits (Fleetd Required)
+- name: "[macOS 13] CIS - Ensure Time Is Set Within Appropriate Limits (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -517,7 +517,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.3.2.2
# contributors: lucasmrod
-- name: CIS - Ensure DVD or CD Sharing Is Disabled
+- name: "[macOS 13] CIS - Ensure DVD or CD Sharing Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -544,7 +544,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.3.3.1
# contributors: artemist-work
-- name: CIS - Ensure Screen Sharing Is Disabled
+- name: "[macOS 13] CIS - Ensure Screen Sharing Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -574,7 +574,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.3.3.2
# contributors: artemist-work
-- name: CIS - Ensure File Sharing Is Disabled
+- name: "[macOS 13] CIS - Ensure File Sharing Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -601,7 +601,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.3.3.3
# contributors: artemist-work
-- name: CIS - Ensure Printer Sharing is Disabled
+- name: "[macOS 13] CIS - Ensure Printer Sharing is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -626,7 +626,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.3.3.4
# contributors: artemist-work
-- name: CIS - Ensure Remote Login Is Disabled
+- name: "[macOS 13] CIS - Ensure Remote Login Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -656,7 +656,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.3.3.5
# contributors: artemist-work
-- name: CIS - Ensure Remote Management is Disabled
+- name: "[macOS 13] CIS - Ensure Remote Management is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -681,7 +681,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.3.3.6
# contributors: artemist-work
-- name: CIS - Ensure Remote Apple Events is Disabled
+- name: "[macOS 13] CIS - Ensure Remote Apple Events is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -709,7 +709,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.3.3.7
# contributors: artemist-work
-- name: CIS - Ensure Internet Sharing Is Disabled
+- name: "[macOS 13] CIS - Ensure Internet Sharing Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -734,7 +734,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.3.3.8
# contributors: artemist-work
-- name: CIS - Ensure Content Caching Is Disabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Content Caching Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -770,7 +770,7 @@
# tags: compliance, CIS, CIS_Level2, CIS-macos-13-2.3.3.9
# contributors: sharon-fdm
-- name: CIS - Ensure Bluetooth Sharing Is Disabled
+- name: "[macOS 13] CIS - Ensure Bluetooth Sharing Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -804,7 +804,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.3.3.11
# contributors: artemist-work, getvictor
-- name: CIS - Ensure Media Sharing Is Disabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Media Sharing Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -857,7 +857,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.3.3.10
# contributors: artemist-work
-- name: CIS - Ensure Backup Automatically is Enabled If Time Machine Is Enabled (FDA Required)
+- name: "[macOS 13] CIS - Ensure Backup Automatically is Enabled If Time Machine Is Enabled (FDA Required)"
# platforms: macOS
platform: darwin
description: |
@@ -885,7 +885,7 @@
# tags: compliance, CIS, CIS_Level2, CIS-macos-13-2.3.4.1
# contributors: lucasmrod
-- name: CIS - Ensure Time Machine Volumes Are Encrypted If Time Machine Is Enabled (FDA Required)
+- name: "[macOS 13] CIS - Ensure Time Machine Volumes Are Encrypted If Time Machine Is Enabled (FDA Required)"
# platforms: macOS
platform: darwin
description: |
@@ -919,7 +919,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.3.4.2
# contributors: lucasmrod
-- name: CIS - Ensure Show Wi-Fi status in Menu Bar Is Enabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Show Wi-Fi status in Menu Bar Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -953,7 +953,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.4.1
# contributors: lucasmrod
-- name: CIS - Ensure Show Bluetooth Status in Menu Bar Is Enabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Show Bluetooth Status in Menu Bar Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -986,7 +986,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.4.2
# contributors: lucasmrod
-- name: CIS - Ensure Siri is disabled (MDM required)
+- name: "[macOS 13] CIS - Ensure Siri is disabled (MDM required)"
# platforms: macOS
platform: darwin
description: |
@@ -1019,7 +1019,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.5.1
# contributors: sharon-fdm, getvictor
-- name: CIS - Ensure Siri field TypeToSiriEnabled is true (Based on organization's policy)
+- name: "[macOS 13] CIS - Ensure Siri field TypeToSiriEnabled is true (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1045,7 +1045,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.5.1-TypeToSiriEnabled-true, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Siri field TypeToSiriEnabled is false (Based on organization's policy)
+- name: "[macOS 13] CIS - Ensure Siri field TypeToSiriEnabled is false (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1071,7 +1071,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.5.1-TypeToSiriEnabled-false, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Siri field StatusMenuVisible is true (Based on organization's policy)
+- name: "[macOS 13] CIS - Ensure Siri field StatusMenuVisible is true (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1097,7 +1097,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.5.1-StatusMenuVisible-true, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Siri field StatusMenuVisible is false (Based on organization's policy)
+- name: "[macOS 13] CIS - Ensure Siri field StatusMenuVisible is false (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1123,7 +1123,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.5.1-StatusMenuVisible-false, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Siri field VoiceTriggerUserEnabled is true (Based on organization's policy)
+- name: "[macOS 13] CIS - Ensure Siri field VoiceTriggerUserEnabled is true (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1149,7 +1149,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.5.1-VoiceTriggerUserEnabled-true, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Siri field VoiceTriggerUserEnabled is false (Based on organization's policy)
+- name: "[macOS 13] CIS - Ensure Siri field VoiceTriggerUserEnabled is false (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1175,7 +1175,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.5.1-VoiceTriggerUserEnabled-false, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Siri field LockscreenEnabled is true (Based on organization's policy)
+- name: "[macOS 13] CIS - Ensure Siri field LockscreenEnabled is true (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1201,7 +1201,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.5.1-LockscreenEnabled-true, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Siri field LockscreenEnabled is false (Based on organization's policy)
+- name: "[macOS 13] CIS - Ensure Siri field LockscreenEnabled is false (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1227,7 +1227,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.5.1-LockscreenEnabled-false, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Location Services Is Enabled
+- name: "[macOS 13] CIS - Ensure Location Services Is Enabled"
# platforms: macOS
platform: darwin
description: Checks that Location Services option is enabled.
@@ -1245,7 +1245,7 @@
# tags: compliance, CIS, CIS_Level2, CIS-macos-13-2.6.1.1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Show Location Icon in Control Center when System Services Request Your Location' Is Enabled
+- name: "[macOS 13] CIS - Ensure 'Show Location Icon in Control Center when System Services Request Your Location' Is Enabled"
# platforms: macOS
platform: darwin
description: This setting provides the user an understanding of the current status of Location Services and which applications are using it.
@@ -1265,7 +1265,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure Location Services Is Disabled to all applications (Based on organization's policy)
+- name: "[macOS 13] CIS - Ensure Location Services Is Disabled to all applications (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1287,7 +1287,7 @@
# tags: compliance, CIS, CIS_Level2, CIS-macos-13-2.6.1.3-Location-Service-disabled
# contributors: sharon-fdm
-- name: CIS - Ensure Location Services Is Enabled for a specific list of applications (Based on organization's policy)
+- name: "[macOS 13] CIS - Ensure Location Services Is Enabled for a specific list of applications (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1351,7 +1351,7 @@
# tags: compliance, CIS, CIS_Level2, CIS-macos-13-2.6.1.3-Location-Service-specifc-app-enabled, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Limit Ad Tracking Is Enabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Limit Ad Tracking Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks that Ensure Limit Ad Tracking Is Enabled.
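Review bot: The tag on the context line at the top of this hunk, `CIS-macos-13-2.6.1.3-Location-Service-specifc-app-enabled`, misspells "specific". The file header says the commented `tags` are kept for use by other tooling, so a filter on the correctly spelled tag would miss this policy. Suggest `CIS-macos-13-2.6.1.3-Location-Service-specific-app-enabled`, after checking that nothing already depends on the current spelling. The tag belongs to the policy that ends just above this hunk, not to the Limit Ad Tracking entry being renamed.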
@@ -1382,7 +1382,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.6.3
# contributors: sharon-fdm
-- name: CIS - Ensure an Administrator Password Is Required to Access System-Wide Preferences (Fleetd required)
+- name: "[macOS 13] CIS - Ensure an Administrator Password Is Required to Access System-Wide Preferences (Fleetd required)"
# platforms: macOS
platform: darwin
description: Checks that an Administrator Password Is Required to Access System-Wide Preferences
@@ -1398,7 +1398,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.6.7
# contributors: artemist-work
-- name: CIS - Ensure Screen Saver Corners Are Secure (FDA Required)
+- name: "[macOS 13] CIS - Ensure Screen Saver Corners Are Secure (FDA Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1431,7 +1431,7 @@
# tags: compliance, CIS, CIS_Level2, CIS-macos-13-2.7.1
# contributors: lucasmrod
-- name: CIS - Ensure Universal Control is enabled (Based on organization's policy) (MDM Required)
+- name: "[macOS 13] CIS - Ensure Universal Control is enabled (Based on organization's policy) (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1465,7 +1465,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.8.1-enabled, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Universal Control is disabled (Based on organization's policy) (MDM Required)
+- name: "[macOS 13] CIS - Ensure Universal Control is disabled (Based on organization's policy) (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1499,7 +1499,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.8.1-disabled, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Power Nap Is Disabled for Intel Macs (Fleetd Required)
+- name: "[macOS 13] CIS - Ensure Power Nap Is Disabled for Intel Macs (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1528,7 +1528,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.9.1
# contributors: lucasmrod
-- name: CIS - Ensure Wake for Network Access Is Disabled (Fleetd Required)
+- name: "[macOS 13] CIS - Ensure Wake for Network Access Is Disabled (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1556,7 +1556,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.9.2
# contributors: lucasmrod
-- name: CIS - Ensure the OS is not Active When Resuming from Sleep (Fleetd, FDA Required)
+- name: "[macOS 13] CIS - Ensure the OS is not Active When Resuming from Sleep (Fleetd, FDA Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1629,7 +1629,7 @@
# tags: compliance, CIS, CIS_Level2, CIS-macos-13-2.9.3
# contributors: lucasmrod
-- name: CIS - Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks that Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled.
@@ -1674,7 +1674,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.10.2
# contributors: sharon-fdm
-- name: CIS - Ensure Gatekeeper Is Enabled
+- name: "[macOS 13] CIS - Ensure Gatekeeper Is Enabled"
# platforms: macOS
platform: darwin
description: |
@@ -1692,7 +1692,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.6.4
# contributors: sharon-fdm
-- name: CIS - Ensure Sending Diagnostic and Usage Data to Apple Is Disabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Sending Diagnostic and Usage Data to Apple Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks that Sending Diagnostic and Usage Data to Apple Is Disabled.
@@ -1752,7 +1752,7 @@
# tags: compliance, CIS, CIS_Level2, CIS-macos-13-2.6.2
# contributors: sharon-fdm
-- name: CIS - Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: A locking screen saver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. In macOS, the screen saver starts after a value is selected in the drop- down menu. 20 minutes or less is an acceptable value. Any value can be selected through the command line or script, but a number that is not reflected in the GUI can be problematic. 20 minutes is the default for new accounts.
@@ -1783,7 +1783,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.10.1
# contributors: sharon-fdm
-- name: CIS - Ensure a Custom Message for the Login Screen Is Enabled
+- name: "[macOS 13] CIS - Ensure a Custom Message for the Login Screen Is Enabled"
# platforms: macOS
platform: darwin
description: An access warning informs the user that the system is reserved for authorized use only, and that the use of the system may be monitored
@@ -1800,7 +1800,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.10.3
# contributors: sharon-fdm
-- name: CIS - Ensure FileVault Is Enabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure FileVault Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks that FileVault Is Enabled. FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it. This policy checks that filevault is enabled on the device and that the user is not allowed to disable it.
@@ -1839,7 +1839,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.6.5
# contributors: sharon-fdm
-- name: CIS - Ensure Login Window Displays as Name and Password Is Enabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Login Window Displays as Name and Password Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks Login Window Displays as Name and Password Is Enabled.
@@ -1870,7 +1870,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.10.4
# contributors: sharon-fdm
-- name: CIS - Ensure Show Password Hints Is Disabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Show Password Hints Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks Show Password Hints Is Disabled.
@@ -1901,7 +1901,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.10.5
# contributors: sharon-fdm
-- name: CIS - Ensure Users' Accounts Do Not Have a Password Hint (Fleetd Required)
+- name: "[macOS 13] CIS - Ensure Users' Accounts Do Not Have a Password Hint (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1920,7 +1920,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.11.1
# contributors: sharon-fdm
-- name: CIS - Ensure Guest Account Is Disabled
+- name: "[macOS 13] CIS - Ensure Guest Account Is Disabled"
# platforms: macOS
platform: darwin
description: Checks that Guest Account Is Disabled.
@@ -1939,7 +1939,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.12.1
# contributors: sharon-fdm
-- name: CIS - Ensure Guest Access to Shared Folders Is Disabled
+- name: "[macOS 13] CIS - Ensure Guest Access to Shared Folders Is Disabled"
# platforms: macOS
platform: darwin
description: Allowing guests to connect to shared folders enables users to access selected shared folders and their contents from different computers on a network
@@ -1958,7 +1958,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.12.2
# contributors: sharon-fdm
-- name: CIS - Ensure Automatic Login Is Disabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Automatic Login Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1995,7 +1995,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-2.12.3
# contributors: sharon-fdm
-- name: CIS - Ensure Security Auditing Is Enabled
+- name: "[macOS 13] CIS - Ensure Security Auditing Is Enabled"
# platforms: macOS
platform: darwin
description: |
@@ -2022,7 +2022,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-3.1
# contributors: sharon-fdm
-- name: CIS - Ensure Security Auditing Flags For User-Attributable Events Are Configured Per Local Organizational Requirements
+- name: "[macOS 13] CIS - Ensure Security Auditing Flags For User-Attributable Events Are Configured Per Local Organizational Requirements"
# platforms: macOS
platform: darwin
description: |
@@ -2074,7 +2074,7 @@
# tags: compliance, CIS, CIS_Level2, CIS-macos-13-3.2
# contributors: sharon-fdm
-- name: CIS - Ensure install.log Is Retained for 365 or More Days and No Maximum Size
+- name: "[macOS 13] CIS - Ensure install.log Is Retained for 365 or More Days and No Maximum Size"
# platforms: macOS
platform: darwin
description: |
@@ -2101,7 +2101,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-3.3
# contributors: sharon-fdm
-- name: CIS - Ensure Security Auditing Retention Is Enabled
+- name: "[macOS 13] CIS - Ensure Security Auditing Retention Is Enabled"
# platforms: macOS
platform: darwin
description: |
@@ -2127,7 +2127,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-3.4
# contributors: sharon-fdm
-- name: CIS - Ensure Access to Audit Records Is Controlled
+- name: "[macOS 13] CIS - Ensure Access to Audit Records Is Controlled"
# platforms: macOS
platform: darwin
description: |
@@ -2171,7 +2171,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-3.5
# contributors: sharon-fdm
-- name: CIS - Ensure Firewall Logging Is Enabled and Configured (MDM Required)
+- name: "[macOS 13] CIS - Ensure Firewall Logging Is Enabled and Configured (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2236,7 +2236,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-3.6
# contributors: sharon-fdm
-- name: CIS - Ensure Bonjour Advertising Services Is Disabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Bonjour Advertising Services Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2269,7 +2269,7 @@
# tags: compliance, CIS, CIS_Level2, CIS-macos-13-4.1
# contributors: lucasmrod
-- name: CIS - Ensure HTTP Server Is Disabled
+- name: "[macOS 13] CIS - Ensure HTTP Server Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -2285,7 +2285,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-4.2
# contributors: lucasmrod
-- name: CIS - Ensure NFS Server Is Disabled
+- name: "[macOS 13] CIS - Ensure NFS Server Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -2314,7 +2314,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-4.3
# contributors: lucasmrod, getvictor
-- name: CIS - Ensure Home Folders Are Secure
+- name: "[macOS 13] CIS - Ensure Home Folders Are Secure"
# platforms: macOS
platform: darwin
description: |
@@ -2340,7 +2340,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-5.1.1
# contributors: sharon-fdm
-- name: CIS - Ensure System Integrity Protection Status (SIP) Is Enabled
+- name: "[macOS 13] CIS - Ensure System Integrity Protection Status (SIP) Is Enabled"
# platforms: macOS
platform: darwin
description: |
@@ -2358,7 +2358,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-5.1.2
# contributors: sharon-fdm
-- name: CIS - Ensure Apple Mobile File Integrity (AMFI) Is Enabled (fleetd required)
+- name: "[macOS 13] CIS - Ensure Apple Mobile File Integrity (AMFI) Is Enabled (fleetd required)"
# platforms: macOS
platform: darwin
description: |
@@ -2373,7 +2373,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-5.1.3
# contributors: sharon-fdm
-- name: CIS - Ensure Sealed System Volume (SSV) Is Enabled (fleetd required)
+- name: "[macOS 13] CIS - Ensure Sealed System Volume (SSV) Is Enabled (fleetd required)"
# platforms: macOS
platform: darwin
description: |
@@ -2388,7 +2388,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-5.1.4
# contributors: sharon-fdm
-- name: CIS - Ensure Appropriate Permissions Are Enabled for System Wide Applications
+- name: "[macOS 13] CIS - Ensure Appropriate Permissions Are Enabled for System Wide Applications"
# platforms: macOS
platform: darwin
description: |
@@ -2414,7 +2414,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-5.1.5
# contributors: sharon-fdm
-- name: CIS - Ensure No World Writable Files Exist in the System Folder
+- name: "[macOS 13] CIS - Ensure No World Writable Files Exist in the System Folder"
# platforms: macOS
platform: darwin
description: |
@@ -2438,7 +2438,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-5.1.6
# contributors: sharon-fdm
-- name: CIS - Ensure No World Writable Folders Exist in the Library Folder (Fleetd required)
+- name: "[macOS 13] CIS - Ensure No World Writable Folders Exist in the Library Folder (Fleetd required)"
# platforms: macOS
platform: darwin
description: |
@@ -2483,7 +2483,7 @@
# tags: compliance, CIS, CIS_Level2, CIS-macos-13-5.1.7
# contributors: sharon-fdm, getvictor
-- name: CIS - Ensure Password Account Lockout Threshold Is Configured (Fleetd required)
+- name: "[macOS 13] CIS - Ensure Password Account Lockout Threshold Is Configured (Fleetd required)"
# platforms: macOS
platform: darwin
description: |
@@ -2501,7 +2501,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-5.2.1
# contributors: sharon-fdm
-- name: CIS - Ensure Password Minimum Length Is Configured
+- name: "[macOS 13] CIS - Ensure Password Minimum Length Is Configured"
# platforms: macOS
platform: darwin
description: |
@@ -2527,7 +2527,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-5.2.2
# contributors: sharon-fdm, getvictor
-- name: CIS - Ensure Complex Password Must Contain Alphabetic Characters AND Numeric Characters Is Configured (MDM Required)
+- name: "[macOS 13] CIS - Ensure Complex Password Must Contain Alphabetic Characters AND Numeric Characters Is Configured (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2556,7 +2556,7 @@
# tags: compliance, CIS, CIS_Level2, CIS-macos-13-5.2.3, CIS-macos-13-5.2.4
# contributors: sharon-fdm
-- name: CIS - Ensure Complex Password Must Contain Special Character Is Configured (MDM Required)
+- name: "[macOS 13] CIS - Ensure Complex Password Must Contain Special Character Is Configured (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2582,7 +2582,7 @@
# tags: compliance, CIS, CIS_Level2, CIS-macos-13-5.2.5
# contributors: sharon-fdm
-- name: CIS - Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured (Fleetd required)
+- name: "[macOS 13] CIS - Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured (Fleetd required)"
# platforms: macOS
platform: darwin
description: |
@@ -2596,7 +2596,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-5.2.6
# contributors: sharon-fdm
-- name: CIS - Ensure Password Age Is Configured (Fleetd Required)
+- name: "[macOS 13] CIS - Ensure Password Age Is Configured (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2618,7 +2618,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-5.2.7
# contributors: sharon-fdm
-- name: CIS - Ensure password history is set to at least 24 (MDM required)
+- name: "[macOS 13] CIS - Ensure password history is set to at least 24 (MDM required)"
# platforms: macOS
platform: darwin
description: |
@@ -2634,7 +2634,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-5.2.8
# contributors: sharon-fdm, getvictor
-- name: CIS - Ensure all user storage APFS volumes are encrypted (Fleetd Required)
+- name: "[macOS 13] CIS - Ensure all user storage APFS volumes are encrypted (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2665,7 +2665,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-5.3.1
# contributors: artemist-work
-- name: CIS - Ensure all user storage CoreStorage volumes are encrypted (Fleetd Required)
+- name: "[macOS 13] CIS - Ensure all user storage CoreStorage volumes are encrypted (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2684,7 +2684,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-5.3.2
# contributors: artemist-work
-- name: CIS - Ensure the Sudo Timeout Period Is Set to Zero (Fleetd Required)
+- name: "[macOS 13] CIS - Ensure the Sudo Timeout Period Is Set to Zero (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2709,7 +2709,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-5.4
# contributors: lucasmrod
-- name: CIS - Ensure a Separate Timestamp Is Enabled for Each User/tty (Fleetd Required)
+- name: "[macOS 13] CIS - Ensure a Separate Timestamp Is Enabled for Each User/tty (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2733,7 +2733,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-5.5
# contributors: lucasmrod
-- name: CIS - Ensure the "root" Account Is Disabled (Fleetd Required)
+- name: "[macOS 13] CIS - Ensure the \"root\" Account Is Disabled (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2752,7 +2752,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-5.6
# contributors: lucasmrod
-- name: CIS - Ensure an Administrator Account Cannot Login to Another User's Active and Locked Session (Fleetd Required)
+- name: "[macOS 13] CIS - Ensure an Administrator Account Cannot Login to Another User's Active and Locked Session (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2782,7 +2782,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod, getvictor
-- name: CIS - Ensure a Login Window Banner Exists
+- name: "[macOS 13] CIS - Ensure a Login Window Banner Exists"
# platforms: macOS
platform: darwin
description: |
@@ -2804,7 +2804,7 @@
# tags: compliance, CIS, CIS_Level2, CIS-macos-13-5.8
# contributors: lucasmrod
-- name: CIS - Ensure Legacy EFI Is Valid and Updating (Fleetd Required)
+- name: "[macOS 13] CIS - Ensure Legacy EFI Is Valid and Updating (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2831,7 +2831,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-5.9
# contributors: lucasmrod
-- name: CIS - Ensure the Guest Home Folder Does Not Exist
+- name: "[macOS 13] CIS - Ensure the Guest Home Folder Does Not Exist"
# platforms: macOS
platform: darwin
description: |
@@ -2846,7 +2846,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-5.10
# contributors: lucasmrod
-- name: CIS - Ensure Show All Filename Extensions Setting is Enabled
+- name: "[macOS 13] CIS - Ensure Show All Filename Extensions Setting is Enabled"
# platforms: macOS
platform: darwin
description: |
@@ -2880,7 +2880,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-6.1.1
# contributors: artemist-work, getvictor
-- name: CIS - Ensure Automatic Opening of Safe Files in Safari Is Disabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Automatic Opening of Safe Files in Safari Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2915,7 +2915,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-6.3.1
# contributors: artemist-work
-- name: CIS - Audit Safari Web Browser History and Remove History Items (organization decision needed)(MDM Required)
+- name: "[macOS 13] CIS - Audit Safari Web Browser History and Remove History Items (organization decision needed)(MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2964,7 +2964,7 @@
# tags: compliance, CIS, CIS_Level2, CIS-macos-13-6.3.2, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2993,7 +2993,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-6.3.3
# contributors: artemist-work
-- name: CIS - Ensure Prevent Cross-site Tracking in Safari Is Enabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Prevent Cross-site Tracking in Safari Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -3054,7 +3054,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-6.3.4
# contributors: lucasmrod
-- name: CIS - Ensure the Hide IP Address in Safari is Enabled (Based on organization's policy)
+- name: "[macOS 13] CIS - Ensure the Hide IP Address in Safari is Enabled (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -3082,7 +3082,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-6.3.5-enabled, decision-needed
# contributors: artemist-work
-- name: CIS - Ensure the Hide IP Address in Safari is Disabled (Based on organization's policy)
+- name: "[macOS 13] CIS - Ensure the Hide IP Address in Safari is Disabled (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -3112,7 +3112,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-6.3.5-disabled, decision-needed
# contributors: artemist-work
-- name: CIS - Ensure Advertising Privacy Protection in Safari Is Enabled (FDA Required)
+- name: "[macOS 13] CIS - Ensure Advertising Privacy Protection in Safari Is Enabled (FDA Required)"
# platforms: macOS
platform: darwin
description: |
@@ -3143,7 +3143,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-6.3.6
# contributors: artemist-work
-- name: CIS - Ensure Show Full Website Address in Safari Is Enabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Show Full Website Address in Safari Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -3181,7 +3181,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-13-6.3.7
# contributors: sharon-fdm
-- name: CIS - Ensure Show Status Bar Is Enabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Show Status Bar Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -3202,7 +3202,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: defensivedepth
-- name: CIS - Ensure Secure Keyboard Entry Terminal.app Is Enabled (MDM Required)
+- name: "[macOS 13] CIS - Ensure Secure Keyboard Entry Terminal.app Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.10.3.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.10.3.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.10.3.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.10.3.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.10.4.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.10.4.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.10.4.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.10.4.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.10.5.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.10.5.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.10.5.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.10.5.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.11.1.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.11.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.11.1.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.11.1.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.12.1.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.12.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.12.1.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.12.1.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.12.2.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.12.2.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.12.2.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.12.2.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.12.3.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.12.3.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.12.3.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.12.3.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.3.3.1.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.3.3.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.3.3.1.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.3.3.1.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.3.3.2.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.3.3.2.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.3.3.2.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.3.3.2.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.3.3.3.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.3.3.3.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.3.3.3.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.3.3.3.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.3.3.4.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.3.3.4.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.3.3.4.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.3.3.4.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.3.3.5.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.3.3.5.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.3.3.5.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.3.3.5.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.3.3.6.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.3.3.6.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.3.3.6.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.3.3.6.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.3.3.7.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.3.3.7.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.3.3.7.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.3.3.7.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.3.3.8.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.3.3.8.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.3.3.8.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.3.3.8.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.3.4.1.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.3.4.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.3.4.1.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.3.4.1.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.6.1.2.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.6.1.2.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.6.1.2.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.6.1.2.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.6.2.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.6.2.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.6.2.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.6.2.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.6.4.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.6.4.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.6.4.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.6.4.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.6.7.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.6.7.sh
similarity index 92%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.6.7.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.6.7.sh
index e2563cf423..e62cc4885a 100644
--- a/docs/solutions/cis/macos-13/scripts/CIS_2.6.7.sh
+++ b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.6.7.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
set -eu
sudo security authorizationdb read system.preferences > /tmp/system.preferences.plist
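Review bot: The context line after the new shebang still writes the authorization-db dump to the fixed path `/tmp/system.preferences.plist`. The redirect is done by the invoking shell, so if this script runs as root (likely for an MDM-delivered remediation script, but not shown here), a file or symlink already sitting at that predictable name decides where the write lands. Creating the file first avoids this: `plist="$(mktemp /tmp/system.preferences.XXXXXX)"`, then `sudo security authorizationdb read system.preferences > "$plist"`. The rest of the script is outside this hunk, so any later reference to the fixed path, and the final cleanup, would need the same variable.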
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.7.1.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.7.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.7.1.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.7.1.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.9.1.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.9.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.9.1.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.9.1.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.9.2.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.9.2.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.9.2.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.9.2.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_2.9.3.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_2.9.3.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_2.9.3.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_2.9.3.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_3.1.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_3.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_3.1.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_3.1.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_3.2.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_3.2.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_3.2.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_3.2.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_3.3.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_3.3.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_3.3.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_3.3.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_3.4.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_3.4.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_3.4.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_3.4.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_3.5.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_3.5.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_3.5.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_3.5.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_4.2.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_4.2.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_4.2.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_4.2.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_4.3.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_4.3.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_4.3.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_4.3.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_5.1.1.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_5.1.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_5.1.1.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_5.1.1.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_5.1.5.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_5.1.5.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_5.1.5.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_5.1.5.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_5.1.6.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_5.1.6.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_5.1.6.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_5.1.6.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_5.1.7.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_5.1.7.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_5.1.7.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_5.1.7.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_5.10.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_5.10.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_5.10.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_5.10.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_5.4.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_5.4.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_5.4.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_5.4.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_5.5.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_5.5.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_5.5.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_5.5.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_5.6.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_5.6.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_5.6.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_5.6.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_5.7.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_5.7.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_5.7.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_5.7.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_5.8.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_5.8.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_5.8.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_5.8.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_6.1.1.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_6.1.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_6.1.1.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_6.1.1.sh
diff --git a/docs/solutions/cis/macos-13/scripts/CIS_6.3.6.sh b/docs/solutions/cis/macos-13/scripts/macos13-CIS_6.3.6.sh
similarity index 100%
rename from docs/solutions/cis/macos-13/scripts/CIS_6.3.6.sh
rename to docs/solutions/cis/macos-13/scripts/macos13-CIS_6.3.6.sh
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/1.2.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-1.2.mobileconfig
similarity index 90%
rename from docs/solutions/cis/macos-14/configuration-profiles/1.2.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-1.2.mobileconfig
index 5d576e4d7c..62c2401aff 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/1.2.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-1.2.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Auto Update Is Enabled
+ [macOS 14] Ensure Auto Update Is Enabled
PayloadIdentifier
- com.fleetdm.cis-1.2
+ com.fleetdm.macos14.cis-1.2
PayloadRemovalDisallowed
PayloadScope
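Review bot: Changing `PayloadIdentifier` from `com.fleetdm.cis-1.2` to `com.fleetdm.macos14.cis-1.2` has a rollout effect that the change does not document. macOS matches an incoming profile to an installed one by its identifier, so hosts that already carry the old profile will probably end up with both rather than an in-place update. Whether this is the top-level or the inner payload identifier is not visible in the hunk. The same applies to the other renamed macos13/macos14 profiles in this diff. I would add a migration note to the PR description or the CIS README telling operators to remove the old `com.fleetdm.cis-*` profiles when deploying the renamed ones.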
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/1.3.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-1.3.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-13/configuration-profiles/1.3.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-1.3.mobileconfig
index a2bd6671ec..3aee6c2c7c 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/1.3.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-1.3.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Download New Updates When Available Is Enabled
+ [macOS 14] Ensure Download New Updates When Available Is Enabled
PayloadIdentifier
- com.fleetdm.cis-1.3
+ com.fleetdm.macos14.cis-1.3
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/1.4.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-1.4.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-13/configuration-profiles/1.4.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-1.4.mobileconfig
index bee74453b5..e62484e98d 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/1.4.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-1.4.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Install of macOS Updates Is Enabled
+ [macOS 14] Ensure Install of macOS Updates Is Enabled
PayloadIdentifier
- com.fleetdm.cis-1.4
+ com.fleetdm.macos14.cis-1.4
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/1.5.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-1.5.mobileconfig
similarity index 87%
rename from docs/solutions/cis/macos-15/configuration-profiles/1.5.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-1.5.mobileconfig
index 416b7a0d85..0d9a98e4d6 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/1.5.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-1.5.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Install Application Updates from the App Store Is Enabled
+ [macOS 14] Ensure Install Application Updates from the App Store Is Enabled
PayloadIdentifier
- com.fleetdm.cis-1.5
+ com.fleetdm.macos14.cis-1.5
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/1.6.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-1.6.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-14/configuration-profiles/1.6.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-1.6.mobileconfig
index 263f12fcb5..d897e7c8cc 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/1.6.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-1.6.mobileconfig
@@ -22,9 +22,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Install Security Responses and System Files Is Enabled
+ [macOS 14] Ensure Install Security Responses and System Files Is Enabled
PayloadIdentifier
- com.fleetdm.cis-1.6
+ com.fleetdm.macos14.cis-1.6
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/1.7.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-1.7.mobileconfig
similarity index 87%
rename from docs/solutions/cis/macos-14/configuration-profiles/1.7.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-1.7.mobileconfig
index 1dcca5b3b0..88c2b2c798 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/1.7.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-1.7.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Software Update Deferment Is Less Than or Equal to 30 Days
+ [macOS 14] Ensure Software Update Deferment Is Less Than or Equal to 30 Days
PayloadIdentifier
- com.zwass.cis-1.7
+ macos14.com.zwass.cis-1.7
PayloadRemovalDisallowed
PayloadScope
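Review bot: The new identifier `macos14.com.zwass.cis-1.7` breaks the scheme used by every sibling profile in this change, which is `com.fleetdm.macos14.cis-N`. The OS segment is put in front of the reverse-DNS prefix, and the personal `com.zwass` namespace is kept. Anything that filters or audits installed profiles by the `com.fleetdm.` prefix will miss this one. I would change the line to `com.fleetdm.macos14.cis-1.7`, and make the same fix in the matching macOS 13/15 copies of profile 1.7 if they follow this pattern (they are not visible in this part of the diff).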
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.1.1.1-enable.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.1.1.1-enable.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.1.1.1-enable.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.1.1.1-enable.mobileconfig
index 9a8bc0992f..ca0a4341a4 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.1.1.1-enable.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.1.1.1-enable.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure iCloud Keychain is enabled
+ [macOS 14] Ensure iCloud Keychain is enabled
PayloadIdentifier
- com.fleetdm.cis-2.1.1.1-enable
+ com.fleetdm.macos14.cis-2.1.1.1-enable
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/2.1.1.2-disable.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.1.1.2-disable.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-15/configuration-profiles/2.1.1.2-disable.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.1.1.2-disable.mobileconfig
index f701b8fa75..00b4816014 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/2.1.1.2-disable.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.1.1.2-disable.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Disable iCloud Drive storage solution usage
+ [macOS 14] Disable iCloud Drive storage solution usage
PayloadIdentifier
- com.fleetdm.cis-2.1.1.2-disable
+ com.fleetdm.macos14.cis-2.1.1.2-disable
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.1.1.2-enable.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.1.1.2-enable.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.1.1.2-enable.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.1.1.2-enable.mobileconfig
index 50d8788d77..47c1f11918 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.1.1.2-enable.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.1.1.2-enable.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Enable iCloud Drive storage solution usage
+ [macOS 14] Enable iCloud Drive storage solution usage
PayloadIdentifier
- com.fleetdm.cis-2.1.1.2-enable
+ com.fleetdm.macos14.cis-2.1.1.2-enable
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.1.1.3.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.1.1.3.mobileconfig
similarity index 87%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.1.1.3.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.1.1.3.mobileconfig
index a210df0a09..5ad3d3f608 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.1.1.3.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.1.1.3.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure iCloud Drive Document and Desktop Sync Is Disabled
+ [macOS 14] Ensure iCloud Drive Document and Desktop Sync Is Disabled
PayloadIdentifier
- com.fleetdm.cis-2.1.1.3
+ com.fleetdm.macos14.cis-2.1.1.3
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/2.10.3.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.10.3.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-15/configuration-profiles/2.10.3.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.10.3.mobileconfig
index c9ecbd26d5..7f6964e0ff 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/2.10.3.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.10.3.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure a Custom Message for the Login Screen Is Enabled
+ [macOS 14] Ensure a Custom Message for the Login Screen Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.10.3
+ com.fleetdm.macos14.cis-2.10.3
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.12.3.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.12.3.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.12.3.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.12.3.mobileconfig
index 217b1d5ebe..710acea494 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.12.3.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.12.3.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Automatic Login Is Disabled
+ [macOS 14] Ensure Automatic Login Is Disabled
PayloadIdentifier
- com.fleetdm.cis-2.12.3
+ com.fleetdm.macos14.cis-2.12.3
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.2.1.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.2.1.mobileconfig
similarity index 90%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.2.1.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.2.1.mobileconfig
index 8f9d756837..8d11ed3164 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.2.1.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.2.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Firewall Is Enabled
+ [macOS 14] Ensure Firewall Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.2.1
+ com.fleetdm.macos14.cis-2.2.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.2.2.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.2.2.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.2.2.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.2.2.mobileconfig
index c9c16ef88a..dfec1969c4 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.2.2.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.2.2.mobileconfig
@@ -22,9 +22,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Firewall Stealth Mode Is Enabled
+ [macOS 14] Ensure Firewall Stealth Mode Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.2.2
+ com.fleetdm.macos14.cis-2.2.2
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/2.3.1.1.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.3.1.1.mobileconfig
similarity index 90%
rename from docs/solutions/cis/macos-15/configuration-profiles/2.3.1.1.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.3.1.1.mobileconfig
index 5453a36d7e..1d2f9cbda4 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/2.3.1.1.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.3.1.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure AirDrop Is Disabled
+ [macOS 14] Ensure AirDrop Is Disabled
PayloadIdentifier
- com.fleetdm.cis-2.3.1.1
+ com.fleetdm.macos14.cis-2.3.1.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/2.3.1.2.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.3.1.2.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-15/configuration-profiles/2.3.1.2.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.3.1.2.mobileconfig
index 707f9c26c6..4168a884f1 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/2.3.1.2.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.3.1.2.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure AirPlay Receiver Is Disabled
+ [macOS 14] Ensure AirPlay Receiver Is Disabled
PayloadIdentifier
- com.fleetdm.cis-2.3.1.2
+ com.fleetdm.macos14.cis-2.3.1.2
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.3.2.1.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.3.2.1.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.3.2.1.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.3.2.1.mobileconfig
index f299a44c1f..62929e0413 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.3.2.1.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.3.2.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Set Time and Date Automatically Is Enabled
+ [macOS 14] Ensure Set Time and Date Automatically Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.3.2.1
+ com.fleetdm.macos14.cis-2.3.2.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.3.3.10.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.3.3.10.mobileconfig
similarity index 91%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.3.3.10.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.3.3.10.mobileconfig
index 28fa7f39e6..4724b628b3 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.3.3.10.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.3.3.10.mobileconfig
@@ -24,9 +24,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Media Sharing is Disabled
+ [macOS 14] Ensure Media Sharing is Disabled
PayloadIdentifier
- com.fleetdm.cis-2.3.3.10
+ com.fleetdm.macos14.cis-2.3.3.10
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/2.3.3.9.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.3.3.9.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-15/configuration-profiles/2.3.3.9.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.3.3.9.mobileconfig
index 7c5eb6352e..81b170c1b0 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/2.3.3.9.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.3.3.9.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Content Caching Is Disabled
+ [macOS 14] Ensure Content Caching Is Disabled
PayloadIdentifier
- com.fleetdm.cis-2.3.3.9
+ com.fleetdm.macos14.cis-2.3.3.9
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/2.4.1.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.4.1.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-15/configuration-profiles/2.4.1.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.4.1.mobileconfig
index 528cd219b6..af7f047b2b 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/2.4.1.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.4.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Show Wi-Fi status in Menu Bar Is Enabled
+ [macOS 14] Ensure Show Wi-Fi status in Menu Bar Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.4.1
+ com.fleetdm.macos14.cis-2.4.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.4.2.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.4.2.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.4.2.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.4.2.mobileconfig
index 0d0349d040..3c0b3e8850 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.4.2.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.4.2.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Show Bluetooth Status in Menu Bar Is Enabled
+ [macOS 14] Ensure Show Bluetooth Status in Menu Bar Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.4.2
+ com.fleetdm.macos14.cis-2.4.2
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.5.1-disable.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.5.1-disable.mobileconfig
similarity index 91%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.5.1-disable.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.5.1-disable.mobileconfig
index cf61d53acb..0d4c1c1171 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.5.1-disable.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.5.1-disable.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Disable Siri
+ [macOS 14] Disable Siri
PayloadIdentifier
- com.fleetdm.cis-2.5.1-disable
+ com.fleetdm.macos14.cis-2.5.1-disable
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/2.5.1-enable.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.5.1-enable.mobileconfig
similarity index 91%
rename from docs/solutions/cis/macos-15/configuration-profiles/2.5.1-enable.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.5.1-enable.mobileconfig
index 5bac3db11a..51cbfac3c7 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/2.5.1-enable.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.5.1-enable.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Enable Siri
+ [macOS 14] Enable Siri
PayloadIdentifier
- com.fleetdm.cis-2.5.1-enable
+ com.fleetdm.macos14.cis-2.5.1-enable
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.6.1.1.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.6.1.1.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.6.1.1.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.6.1.1.mobileconfig
index 097323330d..68a47550af 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.6.1.1.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.6.1.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Location Services Is Enabled
+ [macOS 14] Ensure Location Services Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.6.1.1
+ com.fleetdm.macos14.cis-2.6.1.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.6.2-part1.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.6.2-part1.mobileconfig
similarity index 86%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.6.2-part1.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.6.2-part1.mobileconfig
index c57d32092c..eca1065cec 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.6.2-part1.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.6.2-part1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 1)
+ [macOS 14] Ensure Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 1)
PayloadIdentifier
- com.fleetdm.cis-2.6.2-part1
+ com.fleetdm.macos14.cis-2.6.2-part1
PayloadRemovalDisallowed
PayloadScope
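Review bot: The new display name keeps the doubled word, `[macOS 14] Ensure Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 1)`. The part 3 hunk has the same duplication, while part 2 is correct. Since the line is being rewritten anyway, use `[macOS 14] Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 1)` and the matching text for part 3, so the three parts appear as one set in the profile list.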
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.6.2-part2.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.6.2-part2.mobileconfig
similarity index 86%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.6.2-part2.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.6.2-part2.mobileconfig
index 363a447e55..c1c9e7b4a7 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.6.2-part2.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.6.2-part2.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 2)
+ [macOS 14] Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 2)
PayloadIdentifier
- com.fleetdm.cis-2.6.2-part2
+ com.fleetdm.macos14.cis-2.6.2-part2
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.6.2-part3.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.6.2-part3.mobileconfig
similarity index 86%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.6.2-part3.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.6.2-part3.mobileconfig
index c0e551443d..2e0ea62f60 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.6.2-part3.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.6.2-part3.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 3)
+ [macOS 14] Ensure Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 3)
PayloadIdentifier
- com.fleetdm.cis-2.6.2-part3
+ com.fleetdm.macos14.cis-2.6.2-part3
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.6.3.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.6.3.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.6.3.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.6.3.mobileconfig
index 2bed86338e..c7d6bed381 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.6.3.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.6.3.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Limit Ad Tracking Is Enabled
+ [macOS 14] Ensure Limit Ad Tracking Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.6.3
+ com.fleetdm.macos14.cis-2.6.3
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.6.4.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.6.4.mobileconfig
similarity index 90%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.6.4.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.6.4.mobileconfig
index 9cc87eaab2..7fa7d0da69 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.6.4.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.6.4.mobileconfig
@@ -22,9 +22,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Gatekeeper Is Enabled
+ [macOS 14] Ensure Gatekeeper Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.6.4
+ com.fleetdm.macos14.cis-2.6.4
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.6.5.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.6.5.mobileconfig
similarity index 90%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.6.5.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.6.5.mobileconfig
index da7247ad2b..c720ce32cc 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.6.5.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.6.5.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure FileVault Is Enabled
+ [macOS 14] Ensure FileVault Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.6.5
+ com.fleetdm.macos14.cis-2.6.5
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/2.8.1-disable.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.8.1-disable.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-15/configuration-profiles/2.8.1-disable.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.8.1-disable.mobileconfig
index 82816dd0ef..7c04dd4a91 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/2.8.1-disable.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.8.1-disable.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Universal Control is disabled
+ [macOS 14] Ensure Universal Control is disabled
PayloadIdentifier
- com.fleetdm.cis-2.8.1-disabled
+ com.fleetdm.macos14.cis-2.8.1-disabled
PayloadRemovalDisallowed
PayloadScope
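Review bot: The identifier suffix does not match the file name: `macos14-2.8.1-disable.mobileconfig` carries `com.fleetdm.macos14.cis-2.8.1-disabled`, and the 2.8.1-enable hunk that follows has `-enabled`. The 2.1.1.2 and 2.5.1 profiles use `-disable`/`-enable` in both the file name and the identifier. Because the identifiers are being renamed in this commit anyway, `com.fleetdm.macos14.cis-2.8.1-disable` and `com.fleetdm.macos14.cis-2.8.1-enable` would keep the file-to-identifier mapping uniform for anyone matching installed profiles back to the repository.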
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.8.1-enable.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.8.1-enable.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.8.1-enable.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-2.8.1-enable.mobileconfig
index 126c98c07c..903075f624 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.8.1-enable.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-2.8.1-enable.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Universal Control is enabled
+ [macOS 14] Ensure Universal Control is enabled
PayloadIdentifier
- com.fleetdm.cis-2.8.1-enabled
+ com.fleetdm.macos14.cis-2.8.1-enabled
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/3.6.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-3.6.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-14/configuration-profiles/3.6.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-3.6.mobileconfig
index a4474aa98e..8a3cb8c73e 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/3.6.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-3.6.mobileconfig
@@ -24,9 +24,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Firewall Logging Is Enabled and Configured
+ [macOS 14] Ensure Firewall Logging Is Enabled and Configured
PayloadIdentifier
- com.fleetdm.cis-3.6
+ com.fleetdm.macos14.cis-3.6
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/4.1.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-4.1.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-14/configuration-profiles/4.1.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-4.1.mobileconfig
index ceecc14821..f088e383fe 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/4.1.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-4.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Bonjour Advertising Services Is Disabled
+ [macOS 14] Ensure Bonjour Advertising Services Is Disabled
PayloadIdentifier
- com.fleetdm.cis-4.1
+ com.fleetdm.macos14.cis-4.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/5.2.1.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-5.2.1.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-14/configuration-profiles/5.2.1.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-5.2.1.mobileconfig
index 224bb96c40..9e385080d9 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/5.2.1.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-5.2.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Password Account Lockout Threshold Is Configured
+ [macOS 14] Ensure Password Account Lockout Threshold Is Configured
PayloadIdentifier
- com.fleetdm.cis-5.2.1
+ com.fleetdm.macos14.cis-5.2.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/5.2.2.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-5.2.2.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-14/configuration-profiles/5.2.2.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-5.2.2.mobileconfig
index d2b4195a47..a4d0752d38 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/5.2.2.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-5.2.2.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Password Minimum Length Is Configured
+ [macOS 14] Ensure Password Minimum Length Is Configured
PayloadIdentifier
- com.fleetdm.cis-5.2.2
+ com.fleetdm.macos14.cis-5.2.2
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/5.2.3-and-5.2.4.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-5.2.3-and-5.2.4.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-15/configuration-profiles/5.2.3-and-5.2.4.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-5.2.3-and-5.2.4.mobileconfig
index 6555d780ce..3092b3025e 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/5.2.3-and-5.2.4.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-5.2.3-and-5.2.4.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Require AlphaNumeric characters in password
+ [macOS 14] Require AlphaNumeric characters in password
PayloadIdentifier
- com.fleetdm.cis-5.2.3-and-5.2.4
+ com.fleetdm.macos14.cis-5.2.3-and-5.2.4
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/5.2.5.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-5.2.5.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-14/configuration-profiles/5.2.5.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-5.2.5.mobileconfig
index 6194054bec..bca8eea1ad 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/5.2.5.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-5.2.5.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Require Special characters in password
+ [macOS 14] Require Special characters in password
PayloadIdentifier
- com.fleetdm.cis-5.2.5
+ com.fleetdm.macos14.cis-5.2.5
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/5.2.7.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-5.2.7.mobileconfig
similarity index 90%
rename from docs/solutions/cis/macos-14/configuration-profiles/5.2.7.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-5.2.7.mobileconfig
index 9645354659..ac8a5f284b 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/5.2.7.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-5.2.7.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Password Age Is Configured
+ [macOS 14] Ensure Password Age Is Configured
PayloadIdentifier
- com.fleetdm.cis-5.2.7
+ com.fleetdm.macos14.cis-5.2.7
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/5.2.8.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-5.2.8.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-13/configuration-profiles/5.2.8.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-5.2.8.mobileconfig
index a52c57d2cd..91aa9be18a 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/5.2.8.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-5.2.8.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Password History Is Configured
+ [macOS 14] Ensure Password History Is Configured
PayloadIdentifier
- com.fleetdm.cis-5.2.8
+ com.fleetdm.macos14.cis-5.2.8
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/6.3.1.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-6.3.1.mobileconfig
similarity index 87%
rename from docs/solutions/cis/macos-15/configuration-profiles/6.3.1.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-6.3.1.mobileconfig
index 10a6bdba7b..b7ef07fa6d 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/6.3.1.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-6.3.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Automatic Opening of Safe Files in Safari Is Disabled
+ [macOS 14] Ensure Automatic Opening of Safe Files in Safari Is Disabled
PayloadIdentifier
- com.fleetdm.cis-6.3.1
+ com.fleetdm.macos14.cis-6.3.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/6.3.2.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-6.3.2.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-15/configuration-profiles/6.3.2.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-6.3.2.mobileconfig
index bf7839b4ce..add3749595 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/6.3.2.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-6.3.2.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Audit History and Remove History Items
+ [macOS 14] Audit History and Remove History Items
PayloadIdentifier
- com.fleetdm.cis-6.3.2
+ com.fleetdm.macos14.cis-6.3.2
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/6.3.3.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-6.3.3.mobileconfig
similarity index 87%
rename from docs/solutions/cis/macos-13/configuration-profiles/6.3.3.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-6.3.3.mobileconfig
index 250550d143..d1e27d9e73 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/6.3.3.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-6.3.3.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled
+ [macOS 14] Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled
PayloadIdentifier
- com.fleetdm.cis-6.3.3
+ com.fleetdm.macos14.cis-6.3.3
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/6.3.4.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-6.3.4.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-15/configuration-profiles/6.3.4.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-6.3.4.mobileconfig
index 88bde35973..b510f34dc5 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/6.3.4.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-6.3.4.mobileconfig
@@ -24,9 +24,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Prevent Cross-site Tracking in Safari Is Enabled
+ [macOS 14] Ensure Prevent Cross-site Tracking in Safari Is Enabled
PayloadIdentifier
- com.fleetdm.cis-6.3.4
+ com.fleetdm.macos14.cis-6.3.4
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/6.3.7.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-6.3.7.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-13/configuration-profiles/6.3.7.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-6.3.7.mobileconfig
index 9351714af6..e22099c74f 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/6.3.7.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-6.3.7.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Show Full Website Address in Safari Is Enabled
+ [macOS 14] Ensure Show Full Website Address in Safari Is Enabled
PayloadIdentifier
- com.fleetdm.cis-6.3.7
+ com.fleetdm.macos14.cis-6.3.7
PayloadRemovalDisallowed
PayloadScope
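Review bot: `PayloadDescription` is still the placeholder `test` on the context line above the renamed display name, so the installed profile gives an administrator or end user no statement of what it enforces. Since this commit already edits the user-visible metadata, I would replace it with a one-line description in the style the on-device dictation profile uses, for example `Ensures Safari shows the full website address so users can verify the site they are on.` The other CIS profiles in this diff that show `test` would get the same treatment.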
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/6.4.1.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-6.4.1.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-13/configuration-profiles/6.4.1.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-6.4.1.mobileconfig
index 9aca882491..094ff9e6ce 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/6.4.1.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-6.4.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Secure Keyboard Entry Terminal.app Is Enabled
+ [macOS 14] Ensure Secure Keyboard Entry Terminal.app Is Enabled
PayloadIdentifier
- com.fleetdm.cis-6.4.1
+ com.fleetdm.macos14.cis-6.4.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/on-device-dictation-enabled.mobileconfig b/docs/solutions/cis/macos-14/configuration-profiles/macos14-on-device-dictation-enabled.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-14/configuration-profiles/on-device-dictation-enabled.mobileconfig
rename to docs/solutions/cis/macos-14/configuration-profiles/macos14-on-device-dictation-enabled.mobileconfig
index 933ee01f92..3cd89cc56a 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/on-device-dictation-enabled.mobileconfig
+++ b/docs/solutions/cis/macos-14/configuration-profiles/macos14-on-device-dictation-enabled.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
Ensures dictation requests are processed on-device only and never sent to external servers.
PayloadDisplayName
- Ensure On-Device Dictation Is Enabled
+ [macOS 14] Ensure On-Device Dictation Is Enabled
PayloadIdentifier
- com.fleetdm.cis-on-device-dictation-enabled
+ com.fleetdm.macos14.cis-on-device-dictation-enabled
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/policies/cis-policy-queries.yml b/docs/solutions/cis/macos-14/policies/cis-policy-queries.yml
index 7d27fb1ec1..5b4fef27c1 100644
--- a/docs/solutions/cis/macos-14/policies/cis-policy-queries.yml
+++ b/docs/solutions/cis/macos-14/policies/cis-policy-queries.yml
@@ -2,7 +2,7 @@
# They are preserved for reference and for use by other tooling.
# Affected fields: purpose, tags, contributors, platforms
-- name: CIS - Ensure All Apple-provided Software Is Current (Fleetd Required)
+- name: "[macOS 14] CIS - Ensure All Apple-provided Software Is Current (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
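Review bot: The policy name now says `[macOS 14]`, but the only targeting visible in this hunk is still `platform: darwin`, so unless the query or a label outside the hunk restricts it, the policy will also be evaluated on macOS 13 and 15 hosts. If the macos-13, macos-14 and macos-15 sets are applied side by side, a host could then report the same control several times, and some of those results may come from a check written for a different OS release. I would state the intended scoping in the file header, e.g. `# Apply only to hosts running macOS 14 (scope by label or team).`, or add the version restriction to each policy. Renaming also changes the key policies are matched on when the file is re-applied, so the old `CIS - ...` entries presumably remain with their pass/fail history unless they are deleted; this holds for every renamed policy in this file. The policy entry continues outside the hunk.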
@@ -20,7 +20,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Auto Update Is Enabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Auto Update Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks that the system is configured via MDM to automatically install updates.
@@ -44,7 +44,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Download New Updates When Available Is Enabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Download New Updates When Available Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks that the system is configured via MDM to automatically download updates.
@@ -68,7 +68,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Install of macOS Updates Is Enabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Install of macOS Updates Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Ensure that macOS updates are installed after they are available from Apple.
@@ -92,7 +92,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Install Application Updates from the App Store Is Enabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Install Application Updates from the App Store Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Ensure that application updates are installed after they are available from Apple.
@@ -116,7 +116,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure XProtect Is Running and Updated
+- name: "[macOS 14] CIS - Ensure XProtect Is Running and Updated"
# platforms: macOS
platform: darwin
description: |
@@ -140,7 +140,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: defensivedepth, getvictor
-- name: CIS - Ensure Install Security Responses and System Files Is Enabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Install Security Responses and System Files Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -168,7 +168,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Software Update Deferment Is Less Than or Equal to 30 Days (MDM Required)
+- name: "[macOS 14] CIS - Ensure Software Update Deferment Is Less Than or Equal to 30 Days (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -198,7 +198,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure iCloud Drive storage solution is disabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure iCloud Drive storage solution is disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -232,7 +232,7 @@
# tags: compliance, CIS, CIS_Level2, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure iCloud Drive storage solution is enabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure iCloud Drive storage solution is enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -266,7 +266,7 @@
# tags: compliance, CIS, CIS_Level2, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure iCloud Keychain is disabled (if your org policy is to disable it) (MDM Required)
+- name: "[macOS 14] CIS - Ensure iCloud Keychain is disabled (if your org policy is to disable it) (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -301,7 +301,7 @@
# tags: compliance, CIS, CIS_Level2, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure iCloud Keychain is enabled (if your org policy is to enable it) (MDM Required)
+- name: "[macOS 14] CIS - Ensure iCloud Keychain is enabled (if your org policy is to enable it) (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -336,7 +336,7 @@
# tags: compliance, CIS, CIS_Level2, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure iCloud Drive Document and Desktop Sync Is Disabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure iCloud Drive Document and Desktop Sync Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Automated Document synchronization should be planned and controlled to approved storage.
@@ -365,7 +365,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: zwass
-- name: CIS - Ensure Firewall Is Enabled
+- name: "[macOS 14] CIS - Ensure Firewall Is Enabled"
# platforms: macOS
platform: darwin
description: A firewall minimizes the threat of unauthorized users gaining access to your system while connected to a network or the Internet.
@@ -375,7 +375,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Firewall Stealth Mode Is Enabled
+- name: "[macOS 14] CIS - Ensure Firewall Stealth Mode Is Enabled"
# platforms: macOS
platform: darwin
description: |
@@ -393,7 +393,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure AirDrop Is Disabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure AirDrop Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -424,7 +424,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure AirPlay Receiver Is Disabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure AirPlay Receiver Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -461,7 +461,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure Set Time and Date Automatically Is Enabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Set Time and Date Automatically Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -491,7 +491,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure the Time Service Is Enabled
+- name: "[macOS 14] CIS - Ensure the Time Service Is Enabled"
# platforms: macOS
platform: darwin
description: |
@@ -505,7 +505,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: defensivedepth
-- name: CIS - Ensure DVD or CD Sharing Is Disabled
+- name: "[macOS 14] CIS - Ensure DVD or CD Sharing Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -532,7 +532,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Screen Sharing Is Disabled
+- name: "[macOS 14] CIS - Ensure Screen Sharing Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -562,7 +562,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure File Sharing Is Disabled
+- name: "[macOS 14] CIS - Ensure File Sharing Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -589,7 +589,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Printer Sharing is Disabled
+- name: "[macOS 14] CIS - Ensure Printer Sharing is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -614,7 +614,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Remote Login Is Disabled
+- name: "[macOS 14] CIS - Ensure Remote Login Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -644,7 +644,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Remote Management is Disabled
+- name: "[macOS 14] CIS - Ensure Remote Management is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -669,7 +669,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Remote Apple Events is Disabled
+- name: "[macOS 14] CIS - Ensure Remote Apple Events is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -697,7 +697,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Internet Sharing Is Disabled
+- name: "[macOS 14] CIS - Ensure Internet Sharing Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -722,7 +722,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Content Caching Is Disabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Content Caching Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -758,7 +758,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure Bluetooth Sharing Is Disabled
+- name: "[macOS 14] CIS - Ensure Bluetooth Sharing Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -792,7 +792,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Media Sharing Is Disabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Media Sharing Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -845,7 +845,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Backup Automatically is Enabled If Time Machine Is Enabled (FDA Required)
+- name: "[macOS 14] CIS - Ensure Backup Automatically is Enabled If Time Machine Is Enabled (FDA Required)"
# platforms: macOS
platform: darwin
description: |
@@ -873,7 +873,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: lucasmrod
-- name: CIS - Ensure Time Machine Volumes Are Encrypted If Time Machine Is Enabled (FDA Required)
+- name: "[macOS 14] CIS - Ensure Time Machine Volumes Are Encrypted If Time Machine Is Enabled (FDA Required)"
# platforms: macOS
platform: darwin
description: |
@@ -907,7 +907,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure Show Wi-Fi status in Menu Bar Is Enabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Show Wi-Fi status in Menu Bar Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -941,7 +941,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure Show Bluetooth Status in Menu Bar Is Enabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Show Bluetooth Status in Menu Bar Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -974,7 +974,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure Siri is disabled (MDM required)
+- name: "[macOS 14] CIS - Ensure Siri is disabled (MDM required)"
# platforms: macOS
platform: darwin
description: |
@@ -1024,7 +1024,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm, getvictor
-- name: CIS - Ensure Siri field TypeToSiriEnabled is true (Based on organization's policy)
+- name: "[macOS 14] CIS - Ensure Siri field TypeToSiriEnabled is true (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1050,7 +1050,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Siri field TypeToSiriEnabled is false (Based on organization's policy)
+- name: "[macOS 14] CIS - Ensure Siri field TypeToSiriEnabled is false (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1076,7 +1076,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Siri field StatusMenuVisible is true (Based on organization's policy)
+- name: "[macOS 14] CIS - Ensure Siri field StatusMenuVisible is true (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1102,7 +1102,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Siri field StatusMenuVisible is false (Based on organization's policy)
+- name: "[macOS 14] CIS - Ensure Siri field StatusMenuVisible is false (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1128,7 +1128,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Siri field VoiceTriggerUserEnabled is true (Based on organization's policy)
+- name: "[macOS 14] CIS - Ensure Siri field VoiceTriggerUserEnabled is true (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1154,7 +1154,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Siri field VoiceTriggerUserEnabled is false (Based on organization's policy)
+- name: "[macOS 14] CIS - Ensure Siri field VoiceTriggerUserEnabled is false (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1180,7 +1180,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Siri field LockscreenEnabled is true (Based on organization's policy)
+- name: "[macOS 14] CIS - Ensure Siri field LockscreenEnabled is true (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1206,7 +1206,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Siri field LockscreenEnabled is false (Based on organization's policy)
+- name: "[macOS 14] CIS - Ensure Siri field LockscreenEnabled is false (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1232,7 +1232,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Location Services Is Enabled
+- name: "[macOS 14] CIS - Ensure Location Services Is Enabled"
# platforms: macOS
platform: darwin
description: Checks that Location Services option is enabled.
@@ -1250,7 +1250,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'Show Location Icon in Control Center when System Services Request Your Location' Is Enabled
+- name: "[macOS 14] CIS - Ensure 'Show Location Icon in Control Center when System Services Request Your Location' Is Enabled"
# platforms: macOS
platform: darwin
description: This setting provides the user an understanding of the current status of Location Services and which applications are using it.
@@ -1270,7 +1270,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure Location Services Is Disabled to all applications (Based on organization's policy)
+- name: "[macOS 14] CIS - Ensure Location Services Is Disabled to all applications (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1292,7 +1292,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure Location Services Is Enabled for a specific list of applications (Based on organization's policy)
+- name: "[macOS 14] CIS - Ensure Location Services Is Enabled for a specific list of applications (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1356,7 +1356,7 @@
# tags: compliance, CIS, CIS_Level2, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Limit Ad Tracking Is Enabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Limit Ad Tracking Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks that Ensure Limit Ad Tracking Is Enabled.
@@ -1387,7 +1387,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure an Administrator Password Is Required to Access System-Wide Preferences (Fleetd required)
+- name: "[macOS 14] CIS - Ensure an Administrator Password Is Required to Access System-Wide Preferences (Fleetd required)"
# platforms: macOS
platform: darwin
description: Checks that an Administrator Password Is Required to Access System-Wide Preferences
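Review bot: The requirement suffix in the renamed policy names is spelled inconsistently: this hunk has `(Fleetd required)`, while others in the file use `(Fleetd Required)`, `(fleetd required)`, `(MDM Required)` and `(MDM required)`. Anyone filtering or reporting on policies by that suffix has to match every variant. Since the commit already rewrites every `name:`, it is the cheapest point to settle on one form, e.g. `(Fleetd Required)` and `(MDM Required)` throughout.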
@@ -1403,7 +1403,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Screen Saver Corners Are Secure (FDA Required)
+- name: "[macOS 14] CIS - Ensure Screen Saver Corners Are Secure (FDA Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1436,7 +1436,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: lucasmrod
-- name: CIS - Ensure Universal Control is enabled (Based on organization's policy) (MDM Required)
+- name: "[macOS 14] CIS - Ensure Universal Control is enabled (Based on organization's policy) (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1470,7 +1470,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Universal Control is disabled (Based on organization's policy) (MDM Required)
+- name: "[macOS 14] CIS - Ensure Universal Control is disabled (Based on organization's policy) (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1504,7 +1504,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Power Nap Is Disabled for Intel Macs (Fleetd Required)
+- name: "[macOS 14] CIS - Ensure Power Nap Is Disabled for Intel Macs (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1533,7 +1533,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure sleep and display sleep is enabled on Apple Silicon devices (Fleetd required)
+- name: "[macOS 14] CIS - Ensure sleep and display sleep is enabled on Apple Silicon devices (Fleetd required)"
# platforms: macOS
platform: darwin
description: |
@@ -1583,7 +1583,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: getvictor
-- name: CIS - Ensure Wake for Network Access Is Disabled (Fleetd Required)
+- name: "[macOS 14] CIS - Ensure Wake for Network Access Is Disabled (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1611,7 +1611,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure the OS is not Active When Resuming from Sleep (Fleetd, FDA Required)
+- name: "[macOS 14] CIS - Ensure the OS is not Active When Resuming from Sleep (Fleetd, FDA Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1684,7 +1684,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: lucasmrod
-- name: CIS - Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks that Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled.
@@ -1729,7 +1729,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Gatekeeper Is Enabled
+- name: "[macOS 14] CIS - Ensure Gatekeeper Is Enabled"
# platforms: macOS
platform: darwin
description: |
@@ -1747,7 +1747,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Sending Diagnostic and Usage Data to Apple Is Disabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Sending Diagnostic and Usage Data to Apple Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks that Sending Diagnostic and Usage Data to Apple Is Disabled.
@@ -1807,7 +1807,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: A locking screen saver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. In macOS, the screen saver starts after a value is selected in the drop- down menu. 20 minutes or less is an acceptable value. Any value can be selected through the command line or script, but a number that is not reflected in the GUI can be problematic. 20 minutes is the default for new accounts.
@@ -1838,7 +1838,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure a Custom Message for the Login Screen Is Enabled
+- name: "[macOS 14] CIS - Ensure a Custom Message for the Login Screen Is Enabled"
# platforms: macOS
platform: darwin
description: An access warning informs the user that the system is reserved for authorized use only, and that the use of the system may be monitored
@@ -1855,7 +1855,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure FileVault Is Enabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure FileVault Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks that FileVault Is Enabled. FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it. This policy checks that filevault is enabled on the device and that the user is not allowed to disable it.
@@ -1894,7 +1894,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Login Window Displays as Name and Password Is Enabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Login Window Displays as Name and Password Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks Login Window Displays as Name and Password Is Enabled.
@@ -1925,7 +1925,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Show Password Hints Is Disabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Show Password Hints Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks Show Password Hints Is Disabled.
@@ -1956,7 +1956,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Users' Accounts Do Not Have a Password Hint (Fleetd Required)
+- name: "[macOS 14] CIS - Ensure Users' Accounts Do Not Have a Password Hint (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1975,7 +1975,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Guest Account Is Disabled
+- name: "[macOS 14] CIS - Ensure Guest Account Is Disabled"
# platforms: macOS
platform: darwin
description: Checks that Guest Account Is Disabled.
@@ -1994,7 +1994,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Guest Access to Shared Folders Is Disabled
+- name: "[macOS 14] CIS - Ensure Guest Access to Shared Folders Is Disabled"
# platforms: macOS
platform: darwin
description: Allowing guests to connect to shared folders enables users to access selected shared folders and their contents from different computers on a network
@@ -2013,7 +2013,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Automatic Login Is Disabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Automatic Login Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2050,7 +2050,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure On-Device Dictation Is Enabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure On-Device Dictation Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2076,7 +2076,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-2-18.1, NEEDS_TESTING
# contributors: DefensiveDepth
-- name: CIS - Ensure Security Auditing Is Enabled
+- name: "[macOS 14] CIS - Ensure Security Auditing Is Enabled"
# platforms: macOS
platform: darwin
description: |
@@ -2104,7 +2104,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Security Auditing Flags For User-Attributable Events Are Configured Per Local Organizational Requirements
+- name: "[macOS 14] CIS - Ensure Security Auditing Flags For User-Attributable Events Are Configured Per Local Organizational Requirements"
# platforms: macOS
platform: darwin
description: |
@@ -2156,7 +2156,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure install.log Is Retained for 365 or More Days and No Maximum Size
+- name: "[macOS 14] CIS - Ensure install.log Is Retained for 365 or More Days and No Maximum Size"
# platforms: macOS
platform: darwin
description: |
@@ -2183,7 +2183,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Security Auditing Retention Is Enabled
+- name: "[macOS 14] CIS - Ensure Security Auditing Retention Is Enabled"
# platforms: macOS
platform: darwin
description: |
@@ -2209,7 +2209,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Access to Audit Records Is Controlled
+- name: "[macOS 14] CIS - Ensure Access to Audit Records Is Controlled"
# platforms: macOS
platform: darwin
description: |
@@ -2253,7 +2253,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Firewall Logging Is Enabled and Configured (MDM Required)
+- name: "[macOS 14] CIS - Ensure Firewall Logging Is Enabled and Configured (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2318,7 +2318,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Bonjour Advertising Services Is Disabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Bonjour Advertising Services Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2351,7 +2351,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: lucasmrod
-- name: CIS - Ensure HTTP Server Is Disabled
+- name: "[macOS 14] CIS - Ensure HTTP Server Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -2367,7 +2367,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure NFS Server Is Disabled
+- name: "[macOS 14] CIS - Ensure NFS Server Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -2396,7 +2396,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod, getvictor
-- name: CIS - Ensure Home Folders Are Secure
+- name: "[macOS 14] CIS - Ensure Home Folders Are Secure"
# platforms: macOS
platform: darwin
description: |
@@ -2422,7 +2422,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure System Integrity Protection Status (SIP) Is Enabled
+- name: "[macOS 14] CIS - Ensure System Integrity Protection Status (SIP) Is Enabled"
# platforms: macOS
platform: darwin
description: |
@@ -2440,7 +2440,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Apple Mobile File Integrity (AMFI) Is Enabled (fleetd required)
+- name: "[macOS 14] CIS - Ensure Apple Mobile File Integrity (AMFI) Is Enabled (fleetd required)"
# platforms: macOS
platform: darwin
description: |
@@ -2455,7 +2455,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Sealed System Volume (SSV) Is Enabled (fleetd required)
+- name: "[macOS 14] CIS - Ensure Sealed System Volume (SSV) Is Enabled (fleetd required)"
# platforms: macOS
platform: darwin
description: |
@@ -2470,7 +2470,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Appropriate Permissions Are Enabled for System Wide Applications
+- name: "[macOS 14] CIS - Ensure Appropriate Permissions Are Enabled for System Wide Applications"
# platforms: macOS
platform: darwin
description: |
@@ -2496,7 +2496,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure No World Writable Files Exist in the System Folder
+- name: "[macOS 14] CIS - Ensure No World Writable Files Exist in the System Folder"
# platforms: macOS
platform: darwin
description: |
@@ -2520,7 +2520,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure No World Writable Folders Exist in the Library Folder (Fleetd required)
+- name: "[macOS 14] CIS - Ensure No World Writable Folders Exist in the Library Folder (Fleetd required)"
# platforms: macOS
platform: darwin
description: |
@@ -2565,7 +2565,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: getvictor
-- name: CIS - Ensure Password Account Lockout Threshold Is Configured (Fleetd required)
+- name: "[macOS 14] CIS - Ensure Password Account Lockout Threshold Is Configured (Fleetd required)"
# platforms: macOS
platform: darwin
description: |
@@ -2583,7 +2583,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Password Minimum Length Is Configured
+- name: "[macOS 14] CIS - Ensure Password Minimum Length Is Configured"
# platforms: macOS
platform: darwin
description: |
@@ -2609,7 +2609,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Complex Password Must Contain Alphabetic Characters AND Numeric Characters Is Configured (MDM Required)
+- name: "[macOS 14] CIS - Ensure Complex Password Must Contain Alphabetic Characters AND Numeric Characters Is Configured (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2638,7 +2638,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure Complex Password Must Contain Special Character Is Configured (MDM Required)
+- name: "[macOS 14] CIS - Ensure Complex Password Must Contain Special Character Is Configured (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2664,7 +2664,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured (Fleetd required)
+- name: "[macOS 14] CIS - Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured (Fleetd required)"
# platforms: macOS
platform: darwin
description: |
@@ -2678,7 +2678,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Password Age Is Configured (Fleetd Required)
+- name: "[macOS 14] CIS - Ensure Password Age Is Configured (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2700,7 +2700,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure password history is set to at least 24 (MDM required)
+- name: "[macOS 14] CIS - Ensure password history is set to at least 24 (MDM required)"
# platforms: macOS
platform: darwin
description: |
@@ -2730,7 +2730,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm, getvictor
-- name: CIS - Ensure all user storage APFS volumes are encrypted (Fleetd Required)
+- name: "[macOS 14] CIS - Ensure all user storage APFS volumes are encrypted (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2761,7 +2761,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure all user storage CoreStorage volumes are encrypted (Fleetd Required)
+- name: "[macOS 14] CIS - Ensure all user storage CoreStorage volumes are encrypted (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2780,7 +2780,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure the Sudo Timeout Period Is Set to Zero (Fleetd Required)
+- name: "[macOS 14] CIS - Ensure the Sudo Timeout Period Is Set to Zero (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2805,7 +2805,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure a Separate Timestamp Is Enabled for Each User/tty (Fleetd Required)
+- name: "[macOS 14] CIS - Ensure a Separate Timestamp Is Enabled for Each User/tty (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2829,7 +2829,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure the "root" Account Is Disabled (Fleetd Required)
+- name: "[macOS 14] CIS - Ensure the \"root\" Account Is Disabled (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2848,7 +2848,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure an Administrator Account Cannot Login to Another User's Active and Locked Session (Fleetd Required)
+- name: "[macOS 14] CIS - Ensure an Administrator Account Cannot Login to Another User's Active and Locked Session (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2878,7 +2878,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod, getvictor
-- name: CIS - Ensure a Login Window Banner Exists
+- name: "[macOS 14] CIS - Ensure a Login Window Banner Exists"
# platforms: macOS
platform: darwin
description: |
@@ -2900,7 +2900,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: lucasmrod
-- name: CIS - Ensure the Guest Home Folder Does Not Exist
+- name: "[macOS 14] CIS - Ensure the Guest Home Folder Does Not Exist"
# platforms: macOS
platform: darwin
description: |
@@ -2915,7 +2915,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure Show All Filename Extensions Setting is Enabled
+- name: "[macOS 14] CIS - Ensure Show All Filename Extensions Setting is Enabled"
# platforms: macOS
platform: darwin
description: |
@@ -2949,7 +2949,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work, getvictor
-- name: CIS - Ensure Automatic Opening of Safe Files in Safari Is Disabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Automatic Opening of Safe Files in Safari Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2984,7 +2984,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Audit Safari Web Browser History and Remove History Items (organization decision needed)(MDM Required)
+- name: "[macOS 14] CIS - Audit Safari Web Browser History and Remove History Items (organization decision needed)(MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -3033,7 +3033,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -3062,7 +3062,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Prevent Cross-site Tracking in Safari Is Enabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Prevent Cross-site Tracking in Safari Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -3123,7 +3123,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure the Hide IP Address in Safari is Enabled (Based on organization's policy)
+- name: "[macOS 14] CIS - Ensure the Hide IP Address in Safari is Enabled (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -3151,7 +3151,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: artemist-work
-- name: CIS - Ensure the Hide IP Address in Safari is Disabled (Based on organization's policy)
+- name: "[macOS 14] CIS - Ensure the Hide IP Address in Safari is Disabled (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -3181,7 +3181,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: artemist-work
-- name: CIS - Ensure Advertising Privacy Protection in Safari Is Enabled (FDA Required)
+- name: "[macOS 14] CIS - Ensure Advertising Privacy Protection in Safari Is Enabled (FDA Required)"
# platforms: macOS
platform: darwin
description: |
@@ -3212,7 +3212,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Show Full Website Address in Safari Is Enabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Show Full Website Address in Safari Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -3250,7 +3250,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Show Status Bar Is Enabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Show Status Bar Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -3271,7 +3271,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: defensivedepth
-- name: CIS - Ensure Secure Keyboard Entry Terminal.app Is Enabled (MDM Required)
+- name: "[macOS 14] CIS - Ensure Secure Keyboard Entry Terminal.app Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.10.3.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.10.3.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.10.3.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.10.3.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.10.4.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.10.4.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.10.4.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.10.4.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.10.5.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.10.5.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.10.5.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.10.5.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.11.1.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.11.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.11.1.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.11.1.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.12.1.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.12.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.12.1.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.12.1.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.12.2.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.12.2.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.12.2.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.12.2.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.12.3.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.12.3.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.12.3.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.12.3.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.3.3.1.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.3.3.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.3.3.1.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.3.3.1.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.3.3.2.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.3.3.2.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.3.3.2.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.3.3.2.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.3.3.3.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.3.3.3.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.3.3.3.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.3.3.3.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.3.3.4.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.3.3.4.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.3.3.4.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.3.3.4.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.3.3.5.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.3.3.5.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.3.3.5.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.3.3.5.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.3.3.6.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.3.3.6.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.3.3.6.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.3.3.6.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.3.3.7.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.3.3.7.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.3.3.7.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.3.3.7.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.3.3.8.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.3.3.8.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.3.3.8.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.3.3.8.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.3.4.1.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.3.4.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.3.4.1.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.3.4.1.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.6.1.2.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.6.1.2.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.6.1.2.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.6.1.2.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.6.2.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.6.2.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.6.2.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.6.2.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.6.4.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.6.4.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.6.4.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.6.4.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.6.7.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.6.7.sh
similarity index 92%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.6.7.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.6.7.sh
index e2563cf423..e62cc4885a 100644
--- a/docs/solutions/cis/macos-14/scripts/CIS_2.6.7.sh
+++ b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.6.7.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
set -eu
sudo security authorizationdb read system.preferences > /tmp/system.preferences.plist
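Review bot: The context line `sudo security authorizationdb read system.preferences > /tmp/system.preferences.plist` writes to a fixed file name in the world-writable `/tmp`, and this commit leaves that as it is. The redirection is done by the script's own shell, so when the script runs as root an existing file or symlink at that path is followed and overwritten. A private file avoids this: `tmp_plist="$(mktemp)"` plus `trap 'rm -f "$tmp_plist"' EXIT`, then redirect to `"$tmp_plist"`. The rest of the script is outside the hunk, so any later use of the fixed path would need the same variable.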
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.7.1.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.7.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.7.1.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.7.1.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.9.1.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.9.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.9.1.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.9.1.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.9.2.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.9.2.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.9.2.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.9.2.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_2.9.3.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_2.9.3.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_2.9.3.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_2.9.3.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_3.1.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_3.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_3.1.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_3.1.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_3.2.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_3.2.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_3.2.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_3.2.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_3.3.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_3.3.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_3.3.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_3.3.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_3.4.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_3.4.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_3.4.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_3.4.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_3.5.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_3.5.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_3.5.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_3.5.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_4.2.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_4.2.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_4.2.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_4.2.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_4.3.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_4.3.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_4.3.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_4.3.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_5.1.1.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_5.1.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_5.1.1.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_5.1.1.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_5.1.5.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_5.1.5.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_5.1.5.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_5.1.5.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_5.1.6.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_5.1.6.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_5.1.6.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_5.1.6.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_5.1.7.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_5.1.7.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_5.1.7.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_5.1.7.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_5.10.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_5.10.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_5.10.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_5.10.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_5.4.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_5.4.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_5.4.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_5.4.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_5.5.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_5.5.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_5.5.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_5.5.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_5.6.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_5.6.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_5.6.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_5.6.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_5.7.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_5.7.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_5.7.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_5.7.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_5.8.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_5.8.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_5.8.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_5.8.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_6.1.1.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_6.1.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_6.1.1.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_6.1.1.sh
diff --git a/docs/solutions/cis/macos-14/scripts/CIS_6.3.6.sh b/docs/solutions/cis/macos-14/scripts/macos14-CIS_6.3.6.sh
similarity index 100%
rename from docs/solutions/cis/macos-14/scripts/CIS_6.3.6.sh
rename to docs/solutions/cis/macos-14/scripts/macos14-CIS_6.3.6.sh
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/1.3.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-1.3.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-15/configuration-profiles/1.3.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-1.3.mobileconfig
index a2bd6671ec..0733aa1665 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/1.3.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-1.3.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Download New Updates When Available Is Enabled
+ [macOS 15] Ensure Download New Updates When Available Is Enabled
PayloadIdentifier
- com.fleetdm.cis-1.3
+ com.fleetdm.macos15.cis-1.3
PayloadRemovalDisallowed
PayloadScope
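Review bot: Changing `PayloadIdentifier` from `com.fleetdm.cis-1.3` to `com.fleetdm.macos15.cis-1.3` makes this a different profile to MDM, and nothing visible in the change says what happens on hosts that already carry the old identifier. The key sits next to `PayloadRemovalDisallowed` and `PayloadScope`, so it appears to be the profile-level identifier, and an installed profile is only replaced by one with the same identifier. Such hosts would presumably keep the old profile beside the new one until it is removed explicitly. The same applies to the other `.mobileconfig` hunks in this commit. A short migration note in the PR description or the CIS docs would cover it, for example `Remove profiles with com.fleetdm.cis-* identifiers before uploading the renamed ones`.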
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/1.4.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-1.4.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-14/configuration-profiles/1.4.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-1.4.mobileconfig
index bee74453b5..c2f89cbbda 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/1.4.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-1.4.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Install of macOS Updates Is Enabled
+ [macOS 15] Ensure Install of macOS Updates Is Enabled
PayloadIdentifier
- com.fleetdm.cis-1.4
+ com.fleetdm.macos15.cis-1.4
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/1.5.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-1.5.mobileconfig
similarity index 87%
rename from docs/solutions/cis/macos-13/configuration-profiles/1.5.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-1.5.mobileconfig
index 416b7a0d85..2fc3b50d75 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/1.5.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-1.5.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Install Application Updates from the App Store Is Enabled
+ [macOS 15] Ensure Install Application Updates from the App Store Is Enabled
PayloadIdentifier
- com.fleetdm.cis-1.5
+ com.fleetdm.macos15.cis-1.5
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/1.7.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-1.7.mobileconfig
similarity index 87%
rename from docs/solutions/cis/macos-15/configuration-profiles/1.7.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-1.7.mobileconfig
index 1dcca5b3b0..a780d7fbf3 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/1.7.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-1.7.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Software Update Deferment Is Less Than or Equal to 30 Days
+ [macOS 15] Ensure Software Update Deferment Is Less Than or Equal to 30 Days
PayloadIdentifier
- com.zwass.cis-1.7
+ macos15.com.zwass.cis-1.7
PayloadRemovalDisallowed
PayloadScope
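Review bot: The new identifier `macos15.com.zwass.cis-1.7` breaks the scheme used by every other profile in this change, which is `com.fleetdm.macos15.cis-<id>`. It puts the OS tag in front of the reverse-DNS prefix and keeps a personal `com.zwass` namespace. Tooling that allow-lists or filters managed profiles by a `com.fleetdm.` prefix would presumably miss this one. I would change the added line to `com.fleetdm.macos15.cis-1.7`. If the macOS 13 and 14 copies of 1.7 were renamed the same way, which is not visible here, they need the same fix.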
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/2.1.1.1-enable.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.1.1.1-enable.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-15/configuration-profiles/2.1.1.1-enable.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-2.1.1.1-enable.mobileconfig
index 9a8bc0992f..e7e220cbb9 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/2.1.1.1-enable.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.1.1.1-enable.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure iCloud Keychain is enabled
+ [macOS 15] Ensure iCloud Keychain is enabled
PayloadIdentifier
- com.fleetdm.cis-2.1.1.1-enable
+ com.fleetdm.macos15.cis-2.1.1.1-enable
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.1.1.2-disable.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.1.1.2-disable.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.1.1.2-disable.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-2.1.1.2-disable.mobileconfig
index f701b8fa75..3a2e72a86e 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.1.1.2-disable.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.1.1.2-disable.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Disable iCloud Drive storage solution usage
+ [macOS 15] Disable iCloud Drive storage solution usage
PayloadIdentifier
- com.fleetdm.cis-2.1.1.2-disable
+ com.fleetdm.macos15.cis-2.1.1.2-disable
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.1.1.2-enable.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.1.1.2-enable.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.1.1.2-enable.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-2.1.1.2-enable.mobileconfig
index 50d8788d77..ed7ff30935 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.1.1.2-enable.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.1.1.2-enable.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Enable iCloud Drive storage solution usage
+ [macOS 15] Enable iCloud Drive storage solution usage
PayloadIdentifier
- com.fleetdm.cis-2.1.1.2-enable
+ com.fleetdm.macos15.cis-2.1.1.2-enable
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/2.1.1.3.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.1.1.3.mobileconfig
similarity index 87%
rename from docs/solutions/cis/macos-15/configuration-profiles/2.1.1.3.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-2.1.1.3.mobileconfig
index a210df0a09..30d1caf7ed 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/2.1.1.3.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.1.1.3.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure iCloud Drive Document and Desktop Sync Is Disabled
+ [macOS 15] Ensure iCloud Drive Document and Desktop Sync Is Disabled
PayloadIdentifier
- com.fleetdm.cis-2.1.1.3
+ com.fleetdm.macos15.cis-2.1.1.3
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.10.3.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.10.3.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.10.3.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-2.10.3.mobileconfig
index c9ecbd26d5..ff9b05056d 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.10.3.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.10.3.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure a Custom Message for the Login Screen Is Enabled
+ [macOS 15] Ensure a Custom Message for the Login Screen Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.10.3
+ com.fleetdm.macos15.cis-2.10.3
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.12.3.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.12.3.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.12.3.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-2.12.3.mobileconfig
index 217b1d5ebe..5ba01c2e1c 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.12.3.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.12.3.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Automatic Login Is Disabled
+ [macOS 15] Ensure Automatic Login Is Disabled
PayloadIdentifier
- com.fleetdm.cis-2.12.3
+ com.fleetdm.macos15.cis-2.12.3
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.3.1.1.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.3.1.1.mobileconfig
similarity index 90%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.3.1.1.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-2.3.1.1.mobileconfig
index 5453a36d7e..9a6f8741ca 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.3.1.1.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.3.1.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure AirDrop Is Disabled
+ [macOS 15] Ensure AirDrop Is Disabled
PayloadIdentifier
- com.fleetdm.cis-2.3.1.1
+ com.fleetdm.macos15.cis-2.3.1.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.3.1.2.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.3.1.2.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.3.1.2.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-2.3.1.2.mobileconfig
index 707f9c26c6..0143c585b5 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.3.1.2.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.3.1.2.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure AirPlay Receiver Is Disabled
+ [macOS 15] Ensure AirPlay Receiver Is Disabled
PayloadIdentifier
- com.fleetdm.cis-2.3.1.2
+ com.fleetdm.macos15.cis-2.3.1.2
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/2.3.2.1.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.3.2.1.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-15/configuration-profiles/2.3.2.1.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-2.3.2.1.mobileconfig
index f299a44c1f..8223753d18 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/2.3.2.1.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.3.2.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Set Time and Date Automatically Is Enabled
+ [macOS 15] Ensure Set Time and Date Automatically Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.3.2.1
+ com.fleetdm.macos15.cis-2.3.2.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/2.3.3.9.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.3.3.9.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-13/configuration-profiles/2.3.3.9.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-2.3.3.9.mobileconfig
index 7c5eb6352e..a25a855b66 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/2.3.3.9.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.3.3.9.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Content Caching Is Disabled
+ [macOS 15] Ensure Content Caching Is Disabled
PayloadIdentifier
- com.fleetdm.cis-2.3.3.9
+ com.fleetdm.macos15.cis-2.3.3.9
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.4.1.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.4.1.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.4.1.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-2.4.1.mobileconfig
index 528cd219b6..c712ed2a8c 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.4.1.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.4.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Show Wi-Fi status in Menu Bar Is Enabled
+ [macOS 15] Ensure Show Wi-Fi status in Menu Bar Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.4.1
+ com.fleetdm.macos15.cis-2.4.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.4.2.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.4.2.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.4.2.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-2.4.2.mobileconfig
index 0d0349d040..dc0c7f5790 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.4.2.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.4.2.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Show Bluetooth Status in Menu Bar Is Enabled
+ [macOS 15] Ensure Show Bluetooth Status in Menu Bar Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.4.2
+ com.fleetdm.macos15.cis-2.4.2
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/2.5.1-disable.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.5.1-disable.mobileconfig
similarity index 91%
rename from docs/solutions/cis/macos-15/configuration-profiles/2.5.1-disable.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-2.5.1-disable.mobileconfig
index cf61d53acb..1809976c1e 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/2.5.1-disable.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.5.1-disable.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Disable Siri
+ [macOS 15] Disable Siri
PayloadIdentifier
- com.fleetdm.cis-2.5.1-disable
+ com.fleetdm.macos15.cis-2.5.1-disable
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.5.1-enable.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.5.1-enable.mobileconfig
similarity index 91%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.5.1-enable.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-2.5.1-enable.mobileconfig
index 5bac3db11a..d1d4f25e9e 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.5.1-enable.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.5.1-enable.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Enable Siri
+ [macOS 15] Enable Siri
PayloadIdentifier
- com.fleetdm.cis-2.5.1-enable
+ com.fleetdm.macos15.cis-2.5.1-enable
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/2.6.2-part1.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.6.2-part1.mobileconfig
similarity index 86%
rename from docs/solutions/cis/macos-15/configuration-profiles/2.6.2-part1.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-2.6.2-part1.mobileconfig
index c57d32092c..569b160927 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/2.6.2-part1.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.6.2-part1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 1)
+ [macOS 15] Ensure Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 1)
PayloadIdentifier
- com.fleetdm.cis-2.6.2-part1
+ com.fleetdm.macos15.cis-2.6.2-part1
PayloadRemovalDisallowed
PayloadScope
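Review bot: The new display name keeps the doubled word from the old one: `[macOS 15] Ensure Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 1)`. The part 3 profile has the same duplication, while part 2 reads correctly. Since the string is being rewritten anyway, I would change it to `[macOS 15] Ensure Sending Diagnostic and Usage Data to Apple Is Disabled (part 1)`, which also adds the missing space before the parenthesis, and do the same for part 3.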
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/2.6.2-part2.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.6.2-part2.mobileconfig
similarity index 86%
rename from docs/solutions/cis/macos-15/configuration-profiles/2.6.2-part2.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-2.6.2-part2.mobileconfig
index 363a447e55..aef1896454 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/2.6.2-part2.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.6.2-part2.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 2)
+ [macOS 15] Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 2)
PayloadIdentifier
- com.fleetdm.cis-2.6.2-part2
+ com.fleetdm.macos15.cis-2.6.2-part2
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/2.6.2-part3.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.6.2-part3.mobileconfig
similarity index 86%
rename from docs/solutions/cis/macos-15/configuration-profiles/2.6.2-part3.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-2.6.2-part3.mobileconfig
index c0e551443d..fce9b6c0d2 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/2.6.2-part3.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.6.2-part3.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 3)
+ [macOS 15] Ensure Ensure Sending Diagnostic and Usage Data to Apple Is Disabled(part 3)
PayloadIdentifier
- com.fleetdm.cis-2.6.2-part3
+ com.fleetdm.macos15.cis-2.6.2-part3
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/2.6.3.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.6.3.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-15/configuration-profiles/2.6.3.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-2.6.3.mobileconfig
index 2bed86338e..ea2d4c64ed 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/2.6.3.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.6.3.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Limit Ad Tracking Is Enabled
+ [macOS 15] Ensure Limit Ad Tracking Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.6.3
+ com.fleetdm.macos15.cis-2.6.3
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/2.6.5.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.6.5.mobileconfig
similarity index 90%
rename from docs/solutions/cis/macos-15/configuration-profiles/2.6.5.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-2.6.5.mobileconfig
index da7247ad2b..ae4a4c3cf4 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/2.6.5.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.6.5.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure FileVault Is Enabled
+ [macOS 15] Ensure FileVault Is Enabled
PayloadIdentifier
- com.fleetdm.cis-2.6.5
+ com.fleetdm.macos15.cis-2.6.5
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.8.1-disable.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.8.1-disable.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.8.1-disable.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-2.8.1-disable.mobileconfig
index 82816dd0ef..601f6b5036 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.8.1-disable.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.8.1-disable.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Universal Control is disabled
+ [macOS 15] Ensure Universal Control is disabled
PayloadIdentifier
- com.fleetdm.cis-2.8.1-disabled
+ com.fleetdm.macos15.cis-2.8.1-disabled
PayloadRemovalDisallowed
PayloadScope
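Review bot: The identifier suffix does not match the file name: the file is `macos15-2.8.1-disable.mobileconfig` but the identifier is `com.fleetdm.macos15.cis-2.8.1-disabled`. The `2.8.1-enable` profile in the next hunk has the same mismatch (`-enabled`), whereas the `2.5.1-disable`/`2.5.1-enable` profiles use the file-name form. That makes it harder to map an installed profile back to its source file when auditing a host. As the identifiers change in this commit anyway, `com.fleetdm.macos15.cis-2.8.1-disable` (and `-enable`) would make the set consistent.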
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/2.8.1-enable.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.8.1-enable.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-14/configuration-profiles/2.8.1-enable.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-2.8.1-enable.mobileconfig
index 126c98c07c..e15e949bd1 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/2.8.1-enable.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-2.8.1-enable.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Universal Control is enabled
+ [macOS 15] Ensure Universal Control is enabled
PayloadIdentifier
- com.fleetdm.cis-2.8.1-enabled
+ com.fleetdm.macos15.cis-2.8.1-enabled
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/4.1.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-4.1.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-15/configuration-profiles/4.1.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-4.1.mobileconfig
index ceecc14821..f01c411e20 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/4.1.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-4.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Bonjour Advertising Services Is Disabled
+ [macOS 15] Ensure Bonjour Advertising Services Is Disabled
PayloadIdentifier
- com.fleetdm.cis-4.1
+ com.fleetdm.macos15.cis-4.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/5.2.1.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-5.2.1.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-15/configuration-profiles/5.2.1.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-5.2.1.mobileconfig
index 224bb96c40..3cbd94aa76 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/5.2.1.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-5.2.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Password Account Lockout Threshold Is Configured
+ [macOS 15] Ensure Password Account Lockout Threshold Is Configured
PayloadIdentifier
- com.fleetdm.cis-5.2.1
+ com.fleetdm.macos15.cis-5.2.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/5.2.2.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-5.2.2.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-13/configuration-profiles/5.2.2.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-5.2.2.mobileconfig
index d2b4195a47..a0d2393479 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/5.2.2.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-5.2.2.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Password Minimum Length Is Configured
+ [macOS 15] Ensure Password Minimum Length Is Configured
PayloadIdentifier
- com.fleetdm.cis-5.2.2
+ com.fleetdm.macos15.cis-5.2.2
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/5.2.3-and-5.2.4.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-5.2.3-and-5.2.4.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-13/configuration-profiles/5.2.3-and-5.2.4.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-5.2.3-and-5.2.4.mobileconfig
index 6555d780ce..b739c5e85a 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/5.2.3-and-5.2.4.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-5.2.3-and-5.2.4.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Require AlphaNumeric characters in password
+ [macOS 15] Require AlphaNumeric characters in password
PayloadIdentifier
- com.fleetdm.cis-5.2.3-and-5.2.4
+ com.fleetdm.macos15.cis-5.2.3-and-5.2.4
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/5.2.5.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-5.2.5.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-15/configuration-profiles/5.2.5.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-5.2.5.mobileconfig
index 6194054bec..e64d6cbf1e 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/5.2.5.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-5.2.5.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Require Special characters in password
+ [macOS 15] Require Special characters in password
PayloadIdentifier
- com.fleetdm.cis-5.2.5
+ com.fleetdm.macos15.cis-5.2.5
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/5.2.7.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-5.2.7.mobileconfig
similarity index 90%
rename from docs/solutions/cis/macos-15/configuration-profiles/5.2.7.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-5.2.7.mobileconfig
index 9645354659..7f001c4ec5 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/5.2.7.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-5.2.7.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Password Age Is Configured
+ [macOS 15] Ensure Password Age Is Configured
PayloadIdentifier
- com.fleetdm.cis-5.2.7
+ com.fleetdm.macos15.cis-5.2.7
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/5.2.8.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-5.2.8.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-14/configuration-profiles/5.2.8.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-5.2.8.mobileconfig
index a52c57d2cd..2cdb86f41e 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/5.2.8.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-5.2.8.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Password History Is Configured
+ [macOS 15] Ensure Password History Is Configured
PayloadIdentifier
- com.fleetdm.cis-5.2.8
+ com.fleetdm.macos15.cis-5.2.8
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/6.3.1.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-6.3.1.mobileconfig
similarity index 87%
rename from docs/solutions/cis/macos-14/configuration-profiles/6.3.1.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-6.3.1.mobileconfig
index 10a6bdba7b..1f97c7a175 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/6.3.1.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-6.3.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Automatic Opening of Safe Files in Safari Is Disabled
+ [macOS 15] Ensure Automatic Opening of Safe Files in Safari Is Disabled
PayloadIdentifier
- com.fleetdm.cis-6.3.1
+ com.fleetdm.macos15.cis-6.3.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/6.3.2.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-6.3.2.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-13/configuration-profiles/6.3.2.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-6.3.2.mobileconfig
index bf7839b4ce..28b4ecfb97 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/6.3.2.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-6.3.2.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Audit History and Remove History Items
+ [macOS 15] Audit History and Remove History Items
PayloadIdentifier
- com.fleetdm.cis-6.3.2
+ com.fleetdm.macos15.cis-6.3.2
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/6.3.3.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-6.3.3.mobileconfig
similarity index 87%
rename from docs/solutions/cis/macos-14/configuration-profiles/6.3.3.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-6.3.3.mobileconfig
index 250550d143..e44aa46507 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/6.3.3.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-6.3.3.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled
+ [macOS 15] Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled
PayloadIdentifier
- com.fleetdm.cis-6.3.3
+ com.fleetdm.macos15.cis-6.3.3
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-13/configuration-profiles/6.3.4.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-6.3.4.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-13/configuration-profiles/6.3.4.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-6.3.4.mobileconfig
index 88bde35973..6af083202b 100644
--- a/docs/solutions/cis/macos-13/configuration-profiles/6.3.4.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-6.3.4.mobileconfig
@@ -24,9 +24,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Prevent Cross-site Tracking in Safari Is Enabled
+ [macOS 15] Ensure Prevent Cross-site Tracking in Safari Is Enabled
PayloadIdentifier
- com.fleetdm.cis-6.3.4
+ com.fleetdm.macos15.cis-6.3.4
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/6.3.7.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-6.3.7.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-14/configuration-profiles/6.3.7.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-6.3.7.mobileconfig
index 9351714af6..2029b1e2e8 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/6.3.7.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-6.3.7.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Show Full Website Address in Safari Is Enabled
+ [macOS 15] Ensure Show Full Website Address in Safari Is Enabled
PayloadIdentifier
- com.fleetdm.cis-6.3.7
+ com.fleetdm.macos15.cis-6.3.7
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-14/configuration-profiles/6.4.1.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-6.4.1.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-14/configuration-profiles/6.4.1.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-6.4.1.mobileconfig
index 9aca882491..4d9437868a 100644
--- a/docs/solutions/cis/macos-14/configuration-profiles/6.4.1.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-6.4.1.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
test
PayloadDisplayName
- Ensure Secure Keyboard Entry Terminal.app Is Enabled
+ [macOS 15] Ensure Secure Keyboard Entry Terminal.app Is Enabled
PayloadIdentifier
- com.fleetdm.cis-6.4.1
+ com.fleetdm.macos15.cis-6.4.1
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/apple-intelligence-extensions.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-apple-intelligence-extensions.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-15/configuration-profiles/apple-intelligence-extensions.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-apple-intelligence-extensions.mobileconfig
index 618349d2f9..09406db377 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/apple-intelligence-extensions.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-apple-intelligence-extensions.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
Disables external Apple Intelligence extensions (e.g. ChatGPT) to prevent data being sent to third-party AI services. CIS macOS 15 benchmark.
PayloadDisplayName
- CIS - Ensure external intelligence extensions is disabled
+ [macOS 15] CIS - Ensure external intelligence extensions is disabled
PayloadIdentifier
- com.fleetdm.cis-apple-intelligence-extensions
+ com.fleetdm.macos15.cis-apple-intelligence-extensions
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/apple-intelligence-mail.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-apple-intelligence-mail.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-15/configuration-profiles/apple-intelligence-mail.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-apple-intelligence-mail.mobileconfig
index 2615e9cb7c..43d0ab8313 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/apple-intelligence-mail.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-apple-intelligence-mail.mobileconfig
@@ -24,9 +24,9 @@
PayloadDescription
Disables Apple Intelligence features in Mail (smart replies, email summarization) to prevent mail content from being processed by AI. CIS macOS 15 benchmark.
PayloadDisplayName
- CIS - Ensure Apple Intelligence in Mail is disabled
+ [macOS 15] CIS - Ensure Apple Intelligence in Mail is disabled
PayloadIdentifier
- com.fleetdm.cis-apple-intelligence-mail
+ com.fleetdm.macos15.cis-apple-intelligence-mail
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/apple-intelligence-notes.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-apple-intelligence-notes.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-15/configuration-profiles/apple-intelligence-notes.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-apple-intelligence-notes.mobileconfig
index 813a577437..8ba2113c43 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/apple-intelligence-notes.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-apple-intelligence-notes.mobileconfig
@@ -24,9 +24,9 @@
PayloadDescription
Disables Apple Intelligence features in Notes (transcription, AI summarization) to prevent note content from being processed by AI. CIS macOS 15 benchmark.
PayloadDisplayName
- CIS - Ensure Apple Intelligence in Notes is disabled
+ [macOS 15] CIS - Ensure Apple Intelligence in Notes is disabled
PayloadIdentifier
- com.fleetdm.cis-apple-intelligence-notes
+ com.fleetdm.macos15.cis-apple-intelligence-notes
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/apple-intelligence-writing-tools.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-apple-intelligence-writing-tools.mobileconfig
similarity index 88%
rename from docs/solutions/cis/macos-15/configuration-profiles/apple-intelligence-writing-tools.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-apple-intelligence-writing-tools.mobileconfig
index aa123e512c..0cc6421129 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/apple-intelligence-writing-tools.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-apple-intelligence-writing-tools.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
Disables Apple Intelligence writing tools to prevent AI-assisted text composition from processing organizational data. CIS macOS 15 benchmark.
PayloadDisplayName
- CIS - Ensure Apple Intelligence writing tools is disabled
+ [macOS 15] CIS - Ensure Apple Intelligence writing tools is disabled
PayloadIdentifier
- com.fleetdm.cis-apple-intelligence-writing-tools
+ com.fleetdm.macos15.cis-apple-intelligence-writing-tools
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/configuration-profiles/on-device-dictation-enabled.mobileconfig b/docs/solutions/cis/macos-15/configuration-profiles/macos15-on-device-dictation-enabled.mobileconfig
similarity index 89%
rename from docs/solutions/cis/macos-15/configuration-profiles/on-device-dictation-enabled.mobileconfig
rename to docs/solutions/cis/macos-15/configuration-profiles/macos15-on-device-dictation-enabled.mobileconfig
index 933ee01f92..ebcb0c02ac 100644
--- a/docs/solutions/cis/macos-15/configuration-profiles/on-device-dictation-enabled.mobileconfig
+++ b/docs/solutions/cis/macos-15/configuration-profiles/macos15-on-device-dictation-enabled.mobileconfig
@@ -20,9 +20,9 @@
PayloadDescription
Ensures dictation requests are processed on-device only and never sent to external servers.
PayloadDisplayName
- Ensure On-Device Dictation Is Enabled
+ [macOS 15] Ensure On-Device Dictation Is Enabled
PayloadIdentifier
- com.fleetdm.cis-on-device-dictation-enabled
+ com.fleetdm.macos15.cis-on-device-dictation-enabled
PayloadRemovalDisallowed
PayloadScope
diff --git a/docs/solutions/cis/macos-15/policies/cis-policy-queries.yml b/docs/solutions/cis/macos-15/policies/cis-policy-queries.yml
index e719b423a6..933a0fa5be 100644
--- a/docs/solutions/cis/macos-15/policies/cis-policy-queries.yml
+++ b/docs/solutions/cis/macos-15/policies/cis-policy-queries.yml
@@ -2,7 +2,7 @@
# They are preserved for reference and for use by other tooling.
# Affected fields: purpose, tags, contributors, platforms
-- name: CIS - Ensure All Apple-provided Software Is Current (Fleetd Required)
+- name: "[macOS 15] CIS - Ensure All Apple-provided Software Is Current (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
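Review bot: The rename changes `name`, which is the only identifying field visible for each policy in this spec. If the server matches policies by name on apply (not visible here), every rename in this file creates a new policy and orphans or deletes the old one, along with its pass/fail history and any automation bound to it. That deserves a line in the header comment so operators who already applied this file know what to expect, e.g. `# Policy names gained a "[macOS 15]" prefix; policies applied under the old names must be removed or renamed on the server.` The same holds for every hunk in this file.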
@@ -20,7 +20,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Download New Updates When Available Is Enabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Download New Updates When Available Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks that the system is configured via MDM to automatically download updates.
@@ -43,7 +43,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Install of macOS Updates Is Enabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Install of macOS Updates Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Ensure that macOS updates are installed after they are available from Apple.
@@ -66,7 +66,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Install Application Updates from the App Store Is Enabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Install Application Updates from the App Store Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Ensure that application updates are installed after they are available from Apple.
@@ -89,7 +89,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure XProtect Is Running and Updated
+- name: "[macOS 15] CIS - Ensure XProtect Is Running and Updated"
# platforms: macOS
platform: darwin
description: |
@@ -113,7 +113,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: defensivedepth, getvictor
-- name: CIS - Ensure Install Security Responses and System Files Is Enabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Install Security Responses and System Files Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -140,7 +140,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Software Update Deferment Is Less Than or Equal to 30 Days (MDM Required)
+- name: "[macOS 15] CIS - Ensure Software Update Deferment Is Less Than or Equal to 30 Days (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -169,7 +169,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure iCloud Drive storage solution is disabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure iCloud Drive storage solution is disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -202,7 +202,7 @@
# tags: compliance, CIS, CIS_Level2, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure iCloud Drive storage solution is enabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure iCloud Drive storage solution is enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -235,7 +235,7 @@
# tags: compliance, CIS, CIS_Level2, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure iCloud Keychain is disabled (if your org policy is to disable it) (MDM Required)
+- name: "[macOS 15] CIS - Ensure iCloud Keychain is disabled (if your org policy is to disable it) (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -269,7 +269,7 @@
# tags: compliance, CIS, CIS_Level2, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure iCloud Keychain is enabled (if your org policy is to enable it) (MDM Required)
+- name: "[macOS 15] CIS - Ensure iCloud Keychain is enabled (if your org policy is to enable it) (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -303,7 +303,7 @@
# tags: compliance, CIS, CIS_Level2, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure iCloud Drive Document and Desktop Sync Is Disabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure iCloud Drive Document and Desktop Sync Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Automated Document synchronization should be planned and controlled to approved storage.
@@ -331,7 +331,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: zwass
-- name: CIS - Ensure Firewall Is Enabled
+- name: "[macOS 15] CIS - Ensure Firewall Is Enabled"
# platforms: macOS
platform: darwin
description: A firewall minimizes the threat of unauthorized users gaining access to your system while connected to a network or the Internet.
@@ -341,7 +341,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Firewall Stealth Mode Is Enabled
+- name: "[macOS 15] CIS - Ensure Firewall Stealth Mode Is Enabled"
# platforms: macOS
platform: darwin
description: |
@@ -359,7 +359,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure AirDrop Is Disabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure AirDrop Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -389,7 +389,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure AirPlay Receiver Is Disabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure AirPlay Receiver Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -425,7 +425,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure Set Time and Date Automatically Is Enabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Set Time and Date Automatically Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -454,7 +454,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure the Time Service Is Enabled
+- name: "[macOS 15] CIS - Ensure the Time Service Is Enabled"
# platforms: macOS
platform: darwin
description: |
@@ -468,7 +468,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: defensivedepth
-- name: CIS - Ensure Screen Sharing Is Disabled
+- name: "[macOS 15] CIS - Ensure Screen Sharing Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -498,7 +498,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure File Sharing Is Disabled
+- name: "[macOS 15] CIS - Ensure File Sharing Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -525,7 +525,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Printer Sharing is Disabled
+- name: "[macOS 15] CIS - Ensure Printer Sharing is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -550,7 +550,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Remote Login Is Disabled
+- name: "[macOS 15] CIS - Ensure Remote Login Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -580,7 +580,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Remote Management is Disabled
+- name: "[macOS 15] CIS - Ensure Remote Management is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -605,7 +605,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Remote Apple Events is Disabled
+- name: "[macOS 15] CIS - Ensure Remote Apple Events is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -633,7 +633,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Internet Sharing Is Disabled
+- name: "[macOS 15] CIS - Ensure Internet Sharing Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -658,7 +658,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Content Caching Is Disabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Content Caching Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -693,7 +693,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure Bluetooth Sharing Is Disabled
+- name: "[macOS 15] CIS - Ensure Bluetooth Sharing Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -726,7 +726,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Media Sharing Is Disabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Media Sharing Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -769,7 +769,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: getvictor
-- name: CIS - Ensure Backup Automatically is Enabled If Time Machine Is Enabled (FDA Required)
+- name: "[macOS 15] CIS - Ensure Backup Automatically is Enabled If Time Machine Is Enabled (FDA Required)"
# platforms: macOS
platform: darwin
description: |
@@ -797,7 +797,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: lucasmrod
-- name: CIS - Ensure Time Machine Volumes Are Encrypted If Time Machine Is Enabled (FDA Required)
+- name: "[macOS 15] CIS - Ensure Time Machine Volumes Are Encrypted If Time Machine Is Enabled (FDA Required)"
# platforms: macOS
platform: darwin
description: |
@@ -831,7 +831,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure Show Wi-Fi status in Menu Bar Is Enabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Show Wi-Fi status in Menu Bar Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -864,7 +864,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure Show Bluetooth Status in Menu Bar Is Enabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Show Bluetooth Status in Menu Bar Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -896,7 +896,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure Siri is disabled (MDM required)
+- name: "[macOS 15] CIS - Ensure Siri is disabled (MDM required)"
# platforms: macOS
platform: darwin
description: |
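Review bot: The rewritten names keep inconsistent requirement suffixes: this hunk has `(MDM required)` while most entries use `(MDM Required)`, and later hunks mix `(fleetd required)`, `(Fleetd required)` and `(Fleetd Required)`. The Safari history entry also lacks a space in `(organization decision needed)(MDM Required)`. Since every `name` is being rewritten in this commit anyway, normalizing in the same pass would avoid a second rename, e.g. `- name: "[macOS 15] CIS - Ensure Siri is disabled (MDM Required)"`. If anything downstream matches these compliance policies by name (automations, reports, stored results), which this diff does not show, each rename presumably has to be mirrored there, so doing it once is preferable.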
@@ -927,7 +927,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm, getvictor
-- name: CIS - Ensure Siri field TypeToSiriEnabled is true (Based on organization's policy)
+- name: "[macOS 15] CIS - Ensure Siri field TypeToSiriEnabled is true (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -953,7 +953,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Siri field TypeToSiriEnabled is false (Based on organization's policy)
+- name: "[macOS 15] CIS - Ensure Siri field TypeToSiriEnabled is false (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -979,7 +979,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Siri field StatusMenuVisible is true (Based on organization's policy)
+- name: "[macOS 15] CIS - Ensure Siri field StatusMenuVisible is true (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1005,7 +1005,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Siri field StatusMenuVisible is false (Based on organization's policy)
+- name: "[macOS 15] CIS - Ensure Siri field StatusMenuVisible is false (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1031,7 +1031,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Siri field VoiceTriggerUserEnabled is true (Based on organization's policy)
+- name: "[macOS 15] CIS - Ensure Siri field VoiceTriggerUserEnabled is true (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1057,7 +1057,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Siri field VoiceTriggerUserEnabled is false (Based on organization's policy)
+- name: "[macOS 15] CIS - Ensure Siri field VoiceTriggerUserEnabled is false (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1083,7 +1083,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Siri field LockscreenEnabled is true (Based on organization's policy)
+- name: "[macOS 15] CIS - Ensure Siri field LockscreenEnabled is true (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1109,7 +1109,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Siri field LockscreenEnabled is false (Based on organization's policy)
+- name: "[macOS 15] CIS - Ensure Siri field LockscreenEnabled is false (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1135,7 +1135,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Location Services Is Enabled
+- name: "[macOS 15] CIS - Ensure Location Services Is Enabled"
# platforms: macOS
platform: darwin
description: Checks that Location Services option is enabled.
@@ -1153,7 +1153,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'Show Location Icon in Control Center when System Services Request Your Location' Is Enabled
+- name: "[macOS 15] CIS - Ensure 'Show Location Icon in Control Center when System Services Request Your Location' Is Enabled"
# platforms: macOS
platform: darwin
description: This setting provides the user an understanding of the current status of Location Services and which applications are using it.
@@ -1173,7 +1173,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure Location Services Is Disabled to all applications (Based on organization's policy)
+- name: "[macOS 15] CIS - Ensure Location Services Is Disabled to all applications (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1195,7 +1195,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure Location Services Is Enabled for a specific list of applications (Based on organization's policy)
+- name: "[macOS 15] CIS - Ensure Location Services Is Enabled for a specific list of applications (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -1259,7 +1259,7 @@
# tags: compliance, CIS, CIS_Level2, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Limit Ad Tracking Is Enabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Limit Ad Tracking Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks that Ensure Limit Ad Tracking Is Enabled.
@@ -1289,7 +1289,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure an Administrator Password Is Required to Access System-Wide Preferences (Fleetd required)
+- name: "[macOS 15] CIS - Ensure an Administrator Password Is Required to Access System-Wide Preferences (Fleetd required)"
# platforms: macOS
platform: darwin
description: Checks that an Administrator Password Is Required to Access System-Wide Preferences
@@ -1305,7 +1305,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Screen Saver Corners Are Secure (FDA Required)
+- name: "[macOS 15] CIS - Ensure Screen Saver Corners Are Secure (FDA Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1338,7 +1338,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: lucasmrod
-- name: CIS - Ensure Universal Control is enabled (Based on organization's policy) (MDM Required)
+- name: "[macOS 15] CIS - Ensure Universal Control is enabled (Based on organization's policy) (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1371,7 +1371,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Universal Control is disabled (Based on organization's policy) (MDM Required)
+- name: "[macOS 15] CIS - Ensure Universal Control is disabled (Based on organization's policy) (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1404,7 +1404,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: sharon-fdm
-- name: CIS - Ensure Power Nap Is Disabled for Intel Macs (Fleetd Required)
+- name: "[macOS 15] CIS - Ensure Power Nap Is Disabled for Intel Macs (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1433,7 +1433,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure sleep and display sleep is enabled on Apple Silicon devices (Fleetd required)
+- name: "[macOS 15] CIS - Ensure sleep and display sleep is enabled on Apple Silicon devices (Fleetd required)"
# platforms: macOS
platform: darwin
description: |
@@ -1483,7 +1483,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: getvictor
-- name: CIS - Ensure Wake for Network Access Is Disabled (Fleetd Required)
+- name: "[macOS 15] CIS - Ensure Wake for Network Access Is Disabled (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1511,7 +1511,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure the OS is not Active When Resuming from Sleep (Fleetd, FDA Required)
+- name: "[macOS 15] CIS - Ensure the OS is not Active When Resuming from Sleep (Fleetd, FDA Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1584,7 +1584,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: lucasmrod
-- name: CIS - Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks that Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled.
@@ -1627,7 +1627,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Gatekeeper Is Enabled
+- name: "[macOS 15] CIS - Ensure Gatekeeper Is Enabled"
# platforms: macOS
platform: darwin
description: |
@@ -1645,7 +1645,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Sending Diagnostic and Usage Data to Apple Is Disabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Sending Diagnostic and Usage Data to Apple Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks that Sending Diagnostic and Usage Data to Apple Is Disabled.
@@ -1709,7 +1709,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: A locking screen saver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. In macOS, the screen saver starts after a value is selected in the drop- down menu. 20 minutes or less is an acceptable value. Any value can be selected through the command line or script, but a number that is not reflected in the GUI can be problematic. 20 minutes is the default for new accounts.
@@ -1739,7 +1739,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure a Custom Message for the Login Screen Is Enabled
+- name: "[macOS 15] CIS - Ensure a Custom Message for the Login Screen Is Enabled"
# platforms: macOS
platform: darwin
description: An access warning informs the user that the system is reserved for authorized use only, and that the use of the system may be monitored
@@ -1756,7 +1756,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure FileVault Is Enabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure FileVault Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks that FileVault Is Enabled. FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it. This policy checks that filevault is enabled on the device and that the user is not allowed to disable it.
@@ -1794,7 +1794,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Login Window Displays as Name and Password Is Enabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Login Window Displays as Name and Password Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks Login Window Displays as Name and Password Is Enabled.
@@ -1824,7 +1824,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Show Password Hints Is Disabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Show Password Hints Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: Checks Show Password Hints Is Disabled.
@@ -1854,7 +1854,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Users' Accounts Do Not Have a Password Hint (Fleetd Required)
+- name: "[macOS 15] CIS - Ensure Users' Accounts Do Not Have a Password Hint (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1873,7 +1873,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Guest Account Is Disabled
+- name: "[macOS 15] CIS - Ensure Guest Account Is Disabled"
# platforms: macOS
platform: darwin
description: Checks that Guest Account Is Disabled.
@@ -1892,7 +1892,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Guest Access to Shared Folders Is Disabled
+- name: "[macOS 15] CIS - Ensure Guest Access to Shared Folders Is Disabled"
# platforms: macOS
platform: darwin
description: Allowing guests to connect to shared folders enables users to access selected shared folders and their contents from different computers on a network
@@ -1911,7 +1911,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Automatic Login Is Disabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Automatic Login Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1947,7 +1947,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure On-Device Dictation Is Enabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure On-Device Dictation Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -1972,7 +1972,7 @@
# tags: compliance, CIS, CIS_Level1, CIS-macos-2-18.1, NEEDS_TESTING
# contributors: DefensiveDepth
-- name: CIS - Ensure Security Auditing Is Enabled
+- name: "[macOS 15] CIS - Ensure Security Auditing Is Enabled"
# platforms: macOS
platform: darwin
description: |
@@ -2000,7 +2000,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Security Auditing Flags For User-Attributable Events Are Configured Per Local Organizational Requirements
+- name: "[macOS 15] CIS - Ensure Security Auditing Flags For User-Attributable Events Are Configured Per Local Organizational Requirements"
# platforms: macOS
platform: darwin
description: |
@@ -2052,7 +2052,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure install.log Is Retained for 365 or More Days and No Maximum Size
+- name: "[macOS 15] CIS - Ensure install.log Is Retained for 365 or More Days and No Maximum Size"
# platforms: macOS
platform: darwin
description: |
@@ -2079,7 +2079,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Security Auditing Retention Is Enabled
+- name: "[macOS 15] CIS - Ensure Security Auditing Retention Is Enabled"
# platforms: macOS
platform: darwin
description: |
@@ -2105,7 +2105,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Access to Audit Records Is Controlled
+- name: "[macOS 15] CIS - Ensure Access to Audit Records Is Controlled"
# platforms: macOS
platform: darwin
description: |
@@ -2149,7 +2149,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Bonjour Advertising Services Is Disabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Bonjour Advertising Services Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2181,7 +2181,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: lucasmrod
-- name: CIS - Ensure HTTP Server Is Disabled
+- name: "[macOS 15] CIS - Ensure HTTP Server Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -2197,7 +2197,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure NFS Server Is Disabled
+- name: "[macOS 15] CIS - Ensure NFS Server Is Disabled"
# platforms: macOS
platform: darwin
description: |
@@ -2226,7 +2226,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod, getvictor
-- name: CIS - Ensure Home Folders Are Secure
+- name: "[macOS 15] CIS - Ensure Home Folders Are Secure"
# platforms: macOS
platform: darwin
description: |
@@ -2252,7 +2252,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure System Integrity Protection Status (SIP) Is Enabled
+- name: "[macOS 15] CIS - Ensure System Integrity Protection Status (SIP) Is Enabled"
# platforms: macOS
platform: darwin
description: |
@@ -2270,7 +2270,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Apple Mobile File Integrity (AMFI) Is Enabled (fleetd required)
+- name: "[macOS 15] CIS - Ensure Apple Mobile File Integrity (AMFI) Is Enabled (fleetd required)"
# platforms: macOS
platform: darwin
description: |
@@ -2285,7 +2285,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Sealed System Volume (SSV) Is Enabled (fleetd required)
+- name: "[macOS 15] CIS - Ensure Sealed System Volume (SSV) Is Enabled (fleetd required)"
# platforms: macOS
platform: darwin
description: |
@@ -2300,7 +2300,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Appropriate Permissions Are Enabled for System Wide Applications
+- name: "[macOS 15] CIS - Ensure Appropriate Permissions Are Enabled for System Wide Applications"
# platforms: macOS
platform: darwin
description: |
@@ -2326,7 +2326,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure No World Writable Files Exist in the System Folder
+- name: "[macOS 15] CIS - Ensure No World Writable Files Exist in the System Folder"
# platforms: macOS
platform: darwin
description: |
@@ -2350,7 +2350,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure No World Writable Folders Exist in the Library Folder (Fleetd required)
+- name: "[macOS 15] CIS - Ensure No World Writable Folders Exist in the Library Folder (Fleetd required)"
# platforms: macOS
platform: darwin
description: |
@@ -2395,7 +2395,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: getvictor
-- name: CIS - Ensure Password Account Lockout Threshold Is Configured (Fleetd required)
+- name: "[macOS 15] CIS - Ensure Password Account Lockout Threshold Is Configured (Fleetd required)"
# platforms: macOS
platform: darwin
description: |
@@ -2413,7 +2413,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Password Minimum Length Is Configured
+- name: "[macOS 15] CIS - Ensure Password Minimum Length Is Configured"
# platforms: macOS
platform: darwin
description: |
@@ -2439,7 +2439,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Complex Password Must Contain Alphabetic Characters AND Numeric Characters Is Configured (MDM Required)
+- name: "[macOS 15] CIS - Ensure Complex Password Must Contain Alphabetic Characters AND Numeric Characters Is Configured (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2467,7 +2467,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure Complex Password Must Contain Special Character Is Configured (MDM Required)
+- name: "[macOS 15] CIS - Ensure Complex Password Must Contain Special Character Is Configured (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2492,7 +2492,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured (Fleetd required)
+- name: "[macOS 15] CIS - Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured (Fleetd required)"
# platforms: macOS
platform: darwin
description: |
@@ -2506,7 +2506,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Password Age Is Configured (Fleetd Required)
+- name: "[macOS 15] CIS - Ensure Password Age Is Configured (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2528,7 +2528,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure password history is set to at least 24 (MDM required)
+- name: "[macOS 15] CIS - Ensure password history is set to at least 24 (MDM required)"
# platforms: macOS
platform: darwin
description: |
@@ -2558,7 +2558,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm, getvictor
-- name: CIS - Ensure all user storage APFS volumes are encrypted (Fleetd Required)
+- name: "[macOS 15] CIS - Ensure all user storage APFS volumes are encrypted (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2589,7 +2589,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure all user storage CoreStorage volumes are encrypted (Fleetd Required)
+- name: "[macOS 15] CIS - Ensure all user storage CoreStorage volumes are encrypted (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2608,7 +2608,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure the Sudo Timeout Period Is Set to Zero (Fleetd Required)
+- name: "[macOS 15] CIS - Ensure the Sudo Timeout Period Is Set to Zero (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2633,7 +2633,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure a Separate Timestamp Is Enabled for Each User/tty (Fleetd Required)
+- name: "[macOS 15] CIS - Ensure a Separate Timestamp Is Enabled for Each User/tty (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2657,7 +2657,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure the "root" Account Is Disabled (Fleetd Required)
+- name: "[macOS 15] CIS - Ensure the \"root\" Account Is Disabled (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2676,7 +2676,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure an Administrator Account Cannot Login to Another User's Active and Locked Session (Fleetd Required)
+- name: "[macOS 15] CIS - Ensure an Administrator Account Cannot Login to Another User's Active and Locked Session (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2706,7 +2706,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod, getvictor
-- name: CIS - Ensure a Login Window Banner Exists
+- name: "[macOS 15] CIS - Ensure a Login Window Banner Exists"
# platforms: macOS
platform: darwin
description: |
@@ -2728,7 +2728,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: lucasmrod
-- name: CIS - Ensure the Guest Home Folder Does Not Exist
+- name: "[macOS 15] CIS - Ensure the Guest Home Folder Does Not Exist"
# platforms: macOS
platform: darwin
description: |
@@ -2743,7 +2743,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure Show All Filename Extensions Setting is Enabled
+- name: "[macOS 15] CIS - Ensure Show All Filename Extensions Setting is Enabled"
# platforms: macOS
platform: darwin
description: |
@@ -2777,7 +2777,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work, getvictor
-- name: CIS - Ensure Automatic Opening of Safe Files in Safari Is Disabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Automatic Opening of Safe Files in Safari Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2811,7 +2811,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Audit Safari Web Browser History and Remove History Items (organization decision needed)(MDM Required)
+- name: "[macOS 15] CIS - Audit Safari Web Browser History and Remove History Items (organization decision needed)(MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2859,7 +2859,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2887,7 +2887,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Prevent Cross-site Tracking in Safari Is Enabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Prevent Cross-site Tracking in Safari Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -2946,7 +2946,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: lucasmrod
-- name: CIS - Ensure the Hide IP Address in Safari is Enabled (Based on organization's policy)
+- name: "[macOS 15] CIS - Ensure the Hide IP Address in Safari is Enabled (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -2974,7 +2974,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: artemist-work
-- name: CIS - Ensure the Hide IP Address in Safari is Disabled (Based on organization's policy)
+- name: "[macOS 15] CIS - Ensure the Hide IP Address in Safari is Disabled (Based on organization's policy)"
# platforms: macOS
platform: darwin
description: |
@@ -3004,7 +3004,7 @@
# tags: compliance, CIS, CIS_Level1, decision-needed
# contributors: artemist-work
-- name: CIS - Ensure Advertising Privacy Protection in Safari Is Enabled (FDA Required)
+- name: "[macOS 15] CIS - Ensure Advertising Privacy Protection in Safari Is Enabled (FDA Required)"
# platforms: macOS
platform: darwin
description: |
@@ -3035,7 +3035,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure Show Full Website Address in Safari Is Enabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Show Full Website Address in Safari Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -3072,7 +3072,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Show Status Bar Is Enabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Show Status Bar Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -3093,7 +3093,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: defensivedepth
-- name: CIS - Ensure Secure Keyboard Entry Terminal.app Is Enabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Secure Keyboard Entry Terminal.app Is Enabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -3124,7 +3124,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure Logging Is Enabled for Sudo (Fleetd Required)
+- name: "[macOS 15] CIS - Ensure Logging Is Enabled for Sudo (Fleetd Required)"
# platforms: macOS
platform: darwin
description: |
@@ -3161,7 +3161,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: getvictor
-- name: CIS - Ensure External Intelligence Extensions Is Disabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure External Intelligence Extensions Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -3197,7 +3197,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: getvictor
-- name: CIS - Ensure Writing Tools Is Disabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Writing Tools Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -3231,7 +3231,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: getvictor
-- name: CIS - Ensure Mail Summarization Is Disabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Mail Summarization Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
@@ -3263,7 +3263,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: getvictor
-- name: CIS - Ensure Notes Summarization Is Disabled (MDM Required)
+- name: "[macOS 15] CIS - Ensure Notes Summarization Is Disabled (MDM Required)"
# platforms: macOS
platform: darwin
description: |
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.10.3.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.10.3.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.10.3.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.10.3.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.10.4.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.10.4.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.10.4.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.10.4.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.10.5.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.10.5.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.10.5.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.10.5.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.11.1.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.11.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.11.1.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.11.1.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.12.1.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.12.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.12.1.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.12.1.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.12.2.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.12.2.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.12.2.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.12.2.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.12.3.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.12.3.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.12.3.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.12.3.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.3.3.1.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.3.3.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.3.3.1.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.3.3.1.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.3.3.2.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.3.3.2.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.3.3.2.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.3.3.2.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.3.3.3.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.3.3.3.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.3.3.3.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.3.3.3.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.3.3.4.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.3.3.4.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.3.3.4.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.3.3.4.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.3.3.5.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.3.3.5.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.3.3.5.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.3.3.5.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.3.3.6.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.3.3.6.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.3.3.6.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.3.3.6.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.3.3.7.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.3.3.7.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.3.3.7.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.3.3.7.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.3.3.8.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.3.3.8.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.3.3.8.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.3.3.8.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.3.4.1.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.3.4.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.3.4.1.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.3.4.1.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.6.1.2.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.6.1.2.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.6.1.2.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.6.1.2.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.6.2.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.6.2.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.6.2.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.6.2.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.6.4.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.6.4.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.6.4.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.6.4.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.6.7.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.6.7.sh
similarity index 92%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.6.7.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.6.7.sh
index e2563cf423..e62cc4885a 100644
--- a/docs/solutions/cis/macos-15/scripts/CIS_2.6.7.sh
+++ b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.6.7.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
set -eu
sudo security authorizationdb read system.preferences > /tmp/system.preferences.plist
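Review bot: The context line under the new shebang still redirects the `security authorizationdb read` output to the fixed, predictable path `/tmp/system.preferences.plist`, and this commit leaves that in place. Because `/tmp` is world-writable, another local user can pre-create that name as a file or symlink; the redirect is performed by the calling shell, so if the script runs as root the write follows the link, and any later step that reads the plist back may consume content it did not produce. Use a private temporary file instead: `tmp_plist="$(mktemp)"`, `trap 'rm -f "$tmp_plist"' EXIT`, and `sudo security authorizationdb read system.preferences > "$tmp_plist"`, with later references switched to `"$tmp_plist"`. The rest of the script lies outside this hunk, so how the plist is consumed afterwards is inferred rather than visible here.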
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.7.1.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.7.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.7.1.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.7.1.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.9.1.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.9.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.9.1.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.9.1.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.9.2.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.9.2.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.9.2.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.9.2.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_2.9.3.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_2.9.3.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_2.9.3.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_2.9.3.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_3.1.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_3.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_3.1.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_3.1.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_3.2.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_3.2.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_3.2.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_3.2.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_3.3.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_3.3.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_3.3.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_3.3.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_3.4.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_3.4.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_3.4.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_3.4.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_3.5.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_3.5.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_3.5.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_3.5.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_4.2.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_4.2.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_4.2.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_4.2.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_4.3.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_4.3.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_4.3.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_4.3.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_5.1.1.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_5.1.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_5.1.1.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_5.1.1.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_5.1.5.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_5.1.5.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_5.1.5.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_5.1.5.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_5.1.6.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_5.1.6.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_5.1.6.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_5.1.6.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_5.1.7.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_5.1.7.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_5.1.7.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_5.1.7.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_5.10.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_5.10.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_5.10.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_5.10.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_5.4.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_5.4.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_5.4.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_5.4.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_5.5.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_5.5.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_5.5.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_5.5.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_5.6.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_5.6.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_5.6.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_5.6.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_5.7.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_5.7.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_5.7.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_5.7.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_5.8.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_5.8.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_5.8.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_5.8.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_6.1.1.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_6.1.1.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_6.1.1.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_6.1.1.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_6.3.6.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_6.3.6.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_6.3.6.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_6.3.6.sh
diff --git a/docs/solutions/cis/macos-15/scripts/CIS_sudo_logging.sh b/docs/solutions/cis/macos-15/scripts/macos15-CIS_sudo_logging.sh
similarity index 100%
rename from docs/solutions/cis/macos-15/scripts/CIS_sudo_logging.sh
rename to docs/solutions/cis/macos-15/scripts/macos15-CIS_sudo_logging.sh
diff --git a/docs/solutions/cis/win-10/configuration-profiles/audit-policies.xml b/docs/solutions/cis/win-10/configuration-profiles/win10-audit-policies.xml
similarity index 100%
rename from docs/solutions/cis/win-10/configuration-profiles/audit-policies.xml
rename to docs/solutions/cis/win-10/configuration-profiles/win10-audit-policies.xml
diff --git a/docs/solutions/cis/win-10/configuration-profiles/firewall.xml b/docs/solutions/cis/win-10/configuration-profiles/win10-firewall.xml
similarity index 100%
rename from docs/solutions/cis/win-10/configuration-profiles/firewall.xml
rename to docs/solutions/cis/win-10/configuration-profiles/win10-firewall.xml
diff --git a/docs/solutions/cis/win-10/configuration-profiles/local-security-options.xml b/docs/solutions/cis/win-10/configuration-profiles/win10-local-security-options.xml
similarity index 100%
rename from docs/solutions/cis/win-10/configuration-profiles/local-security-options.xml
rename to docs/solutions/cis/win-10/configuration-profiles/win10-local-security-options.xml
diff --git a/docs/solutions/cis/win-10/configuration-profiles/user-rights-assignment.xml b/docs/solutions/cis/win-10/configuration-profiles/win10-user-rights-assignment.xml
similarity index 100%
rename from docs/solutions/cis/win-10/configuration-profiles/user-rights-assignment.xml
rename to docs/solutions/cis/win-10/configuration-profiles/win10-user-rights-assignment.xml
diff --git a/docs/solutions/cis/win-10/policies/cis-policy-queries.yml b/docs/solutions/cis/win-10/policies/cis-policy-queries.yml
index 441ebcbdf5..46ac2fad84 100644
--- a/docs/solutions/cis/win-10/policies/cis-policy-queries.yml
+++ b/docs/solutions/cis/win-10/policies/cis-policy-queries.yml
@@ -2,7 +2,7 @@
# They are preserved for reference and for use by other tooling.
# Affected fields: purpose, tags, contributors, platforms
-- name: CIS - Ensure 'Enforce password history' is set to '24' or more passwords
+- name: "[Win 10] CIS - Ensure 'Enforce password history' is set to '24' or more passwords"
# platforms: win10
platform: windows
description: |
@@ -17,7 +17,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'
+- name: "[Win 10] CIS - Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'"
# platforms: win10
platform: windows
description: |
@@ -32,7 +32,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Minimum password age' is set to '1 or more days'
+- name: "[Win 10] CIS - Ensure 'Minimum password age' is set to '1 or more days'"
# platforms: win10
platform: windows
description: |
@@ -48,7 +48,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Minimum password length' is set to '14 or more characters'
+- name: "[Win 10] CIS - Ensure 'Minimum password length' is set to '14 or more characters'"
# platforms: win10
platform: windows
description: |
@@ -63,7 +63,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Password must meet complexity requirements' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -80,7 +80,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Relax minimum password length limits' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure 'Relax minimum password length limits' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -95,7 +95,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Store passwords using reversible encryption' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -113,7 +113,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Account lockout duration' is set to '15 or more minute(s)'
+- name: "[Win 10] CIS - Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
# platforms: win10
platform: windows
description: |
@@ -131,7 +131,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'
+- name: "[Win 10] CIS - Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'"
# platforms: win10
platform: windows
description: |
@@ -148,7 +148,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'
+- name: "[Win 10] CIS - Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
# platforms: win10
platform: windows
description: |
@@ -166,7 +166,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'
+- name: "[Win 10] CIS - Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'"
# platforms: win10
platform: windows
description: |
@@ -183,7 +183,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'
+- name: "[Win 10] CIS - Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'"
# platforms: win10
platform: windows
description: |
@@ -200,7 +200,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: sharon-fdm
-- name: CIS - Ensure 'Act as part of the operating system' is set to 'No One'
+- name: "[Win 10] CIS - Ensure 'Act as part of the operating system' is set to 'No One'"
# platforms: win10
platform: windows
description: |
@@ -217,7 +217,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'
+- name: "[Win 10] CIS - Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'"
# platforms: win10
platform: windows
description: |
@@ -233,7 +233,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Allow log on locally' is set to 'Administrators, Users'
+- name: "[Win 10] CIS - Ensure 'Allow log on locally' is set to 'Administrators, Users'"
# platforms: win10
platform: windows
description: |
@@ -256,7 +256,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: sharon-fdm
-- name: CIS - Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'
+- name: "[Win 10] CIS - Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'"
# platforms: win10
platform: windows
description: |
@@ -275,7 +275,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Back up files and directories' is set to 'Administrators'
+- name: "[Win 10] CIS - Ensure 'Back up files and directories' is set to 'Administrators'"
# platforms: win10
platform: windows
description: |
@@ -292,7 +292,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: sharon-fdm
-- name: CIS - Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'
+- name: "[Win 10] CIS - Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'"
# platforms: win10
platform: windows
description: |
@@ -310,7 +310,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'
+- name: "[Win 10] CIS - Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'"
# platforms: win10
platform: windows
description: |
@@ -325,7 +325,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Create a pagefile' is set to 'Administrators'
+- name: "[Win 10] CIS - Ensure 'Create a pagefile' is set to 'Administrators'"
# platforms: win10
platform: windows
description: |
@@ -340,7 +340,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Create a token object' is set to an empty list
+- name: "[Win 10] CIS - Ensure 'Create a token object' is set to an empty list"
# platforms: win10
platform: windows
description: |
@@ -355,7 +355,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
+- name: "[Win 10] CIS - Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'"
# platforms: win10
platform: windows
description: |
@@ -370,7 +370,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Create permanent shared objects' is set to an empty list
+- name: "[Win 10] CIS - Ensure 'Create permanent shared objects' is set to an empty list"
# platforms: win10
platform: windows
description: |
@@ -387,7 +387,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Create symbolic links' is set to 'Administrators or NT VIRTUAL MACHINE\Virtual Machines'
+- name: "[Win 10] CIS - Ensure 'Create symbolic links' is set to 'Administrators or NT VIRTUAL MACHINE\\Virtual Machines'"
# platforms: win10
platform: windows
description: |
@@ -412,7 +412,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Debug programs' is set to 'Administrators'
+- name: "[Win 10] CIS - Ensure 'Debug programs' is set to 'Administrators'"
# platforms: win10
platform: windows
description: |
@@ -430,7 +430,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Deny access to this computer from the network' includes 'Guest'
+- name: "[Win 10] CIS - Ensure 'Deny access to this computer from the network' includes 'Guest'"
# platforms: win10
platform: windows
description: |
@@ -449,7 +449,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Deny log on as a batch job' includes 'Guests'
+- name: "[Win 10] CIS - Ensure 'Deny log on as a batch job' includes 'Guests'"
# platforms: win10
platform: windows
description: |
@@ -465,7 +465,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Deny log on as a service' includes 'Guests'
+- name: "[Win 10] CIS - Ensure 'Deny log on as a service' includes 'Guests'"
# platforms: win10
platform: windows
description: |
@@ -481,7 +481,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Deny log on locally' includes 'Guest'
+- name: "[Win 10] CIS - Ensure 'Deny log on locally' includes 'Guest'"
# platforms: win10
platform: windows
description: |
@@ -498,7 +498,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Deny log on through Remote Desktop Services' includes 'Guest'
+- name: "[Win 10] CIS - Ensure 'Deny log on through Remote Desktop Services' includes 'Guest'"
# platforms: win10
platform: windows
description: |
@@ -513,7 +513,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Enable computer and user accounts to be trusted for delegation' is set to an empty list
+- name: "[Win 10] CIS - Ensure 'Enable computer and user accounts to be trusted for delegation' is set to an empty list"
# platforms: win10
platform: windows
description: |
@@ -528,7 +528,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Force shutdown from a remote system' is set to 'Administrators'
+- name: "[Win 10] CIS - Ensure 'Force shutdown from a remote system' is set to 'Administrators'"
# platforms: win10
platform: windows
description: |
@@ -547,7 +547,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'
+- name: "[Win 10] CIS - Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'"
# platforms: win10
platform: windows
description: |
@@ -562,7 +562,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
+- name: "[Win 10] CIS - Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'"
# platforms: win10
platform: windows
description: |
@@ -581,7 +581,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'
+- name: "[Win 10] CIS - Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\\Window Manager Group'"
# platforms: win10
platform: windows
description: |
@@ -598,7 +598,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Load and unload device drivers' is set to 'Administrators'
+- name: "[Win 10] CIS - Ensure 'Load and unload device drivers' is set to 'Administrators'"
# platforms: win10
platform: windows
description: |
@@ -616,7 +616,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Lock pages in memory' is set to an empty list
+- name: "[Win 10] CIS - Ensure 'Lock pages in memory' is set to an empty list"
# platforms: win10
platform: windows
description: |
@@ -631,7 +631,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Log on as a batch job' is set to 'Administrators'
+- name: "[Win 10] CIS - Ensure 'Log on as a batch job' is set to 'Administrators'"
# platforms: win10
platform: windows
description: |
@@ -650,7 +650,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Configure 'Log on as a service'
+- name: "[Win 10] CIS - Configure 'Log on as a service'"
# platforms: win10
platform: windows
description: |
@@ -669,7 +669,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Manage auditing and security log' is set to 'Administrators'
+- name: "[Win 10] CIS - Ensure 'Manage auditing and security log' is set to 'Administrators'"
# platforms: win10
platform: windows
description: |
@@ -684,7 +684,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Modify an object label' is set to an empty list
+- name: "[Win 10] CIS - Ensure 'Modify an object label' is set to an empty list"
# platforms: win10
platform: windows
description: |
@@ -701,7 +701,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Modify firmware environment values' is set to 'Administrators'
+- name: "[Win 10] CIS - Ensure 'Modify firmware environment values' is set to 'Administrators'"
# platforms: win10
platform: windows
description: |
@@ -718,7 +718,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Perform volume maintenance tasks' is set to 'Administrators'
+- name: "[Win 10] CIS - Ensure 'Perform volume maintenance tasks' is set to 'Administrators'"
# platforms: win10
platform: windows
description: |
@@ -733,7 +733,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Profile single process' is set to 'Administrators'
+- name: "[Win 10] CIS - Ensure 'Profile single process' is set to 'Administrators'"
# platforms: win10
platform: windows
description: |
@@ -753,7 +753,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'
+- name: "[Win 10] CIS - Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\\WdiServiceHost'"
# platforms: win10
platform: windows
description: |
@@ -770,7 +770,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'
+- name: "[Win 10] CIS - Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'"
# platforms: win10
platform: windows
description: |
@@ -786,7 +786,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Restore files and directories' is set to 'Administrators'
+- name: "[Win 10] CIS - Ensure 'Restore files and directories' is set to 'Administrators'"
# platforms: win10
platform: windows
description: |
@@ -805,7 +805,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Shut down the system' is set to 'Administrators, Users'
+- name: "[Win 10] CIS - Ensure 'Shut down the system' is set to 'Administrators, Users'"
# platforms: win10
platform: windows
description: |
@@ -821,7 +821,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Take ownership of files or other objects' is set to 'Administrators'
+- name: "[Win 10] CIS - Ensure 'Take ownership of files or other objects' is set to 'Administrators'"
# platforms: win10
platform: windows
description: |
@@ -837,7 +837,7 @@
# tags: compliance, CIS, CIS_Level1, english-support-only
# contributors: marcosd4h
-- name: CIS - Ensure 'Accounts Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'
+- name: "[Win 10] CIS - Ensure 'Accounts Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'"
# platforms: win10
platform: windows
description: |
@@ -852,7 +852,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Accounts Guest account status' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Accounts Guest account status' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -867,7 +867,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Accounts Limit local account use of blank passwords to console logon only' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure 'Accounts Limit local account use of blank passwords to console logon only' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -882,7 +882,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Configure 'Accounts Rename administrator account'
+- name: "[Win 10] CIS - Configure 'Accounts Rename administrator account'"
# platforms: win10
platform: windows
description: |
@@ -899,7 +899,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Configure 'Accounts Rename guest account'
+- name: "[Win 10] CIS - Configure 'Accounts Rename guest account'"
# platforms: win10
platform: windows
description: |
@@ -916,7 +916,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure 'Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -931,7 +931,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Audit Shut down system immediately if unable to log security audits' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Audit Shut down system immediately if unable to log security audits' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -949,7 +949,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Devices Prevent users from installing printer drivers' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure 'Devices Prevent users from installing printer drivers' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -966,7 +966,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure 'Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -988,7 +988,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure 'Digitally encrypt secure channel data (when possible)' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure 'Digitally encrypt secure channel data (when possible)' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -1010,7 +1010,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure 'Digitally sign secure channel data (when possible)' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure 'Digitally sign secure channel data (when possible)' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -1033,7 +1033,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure 'Disable machine account password changes' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Disable machine account password changes' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -1059,7 +1059,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure 'Maximum machine account password age' is set to '30 or fewer days, but not 0'
+- name: "[Win 10] CIS - Ensure 'Maximum machine account password age' is set to '30 or fewer days, but not 0'"
# platforms: win10
platform: windows
description: |
@@ -1086,7 +1086,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure 'Require strong (Windows 2000 or later) session key' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure 'Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -1114,7 +1114,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure 'Interactive logon Do not require CTRL+ALT+DEL' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Interactive logon Do not require CTRL+ALT+DEL' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -1129,7 +1129,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Interactive logon Don't display last signed-in' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure 'Interactive logon Don't display last signed-in' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -1146,7 +1146,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Interactive logon Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'
+- name: "[Win 10] CIS - Ensure 'Interactive logon Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'"
# platforms: win10
platform: windows
description: |
@@ -1161,7 +1161,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Interactive logon Machine inactivity limit' is set to '900 or fewer second(s), but not 0'
+- name: "[Win 10] CIS - Ensure 'Interactive logon Machine inactivity limit' is set to '900 or fewer second(s), but not 0'"
# platforms: win10
platform: windows
description: |
@@ -1176,7 +1176,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Configure 'Interactive logon Message text for users attempting to log on'
+- name: "[Win 10] CIS - Configure 'Interactive logon Message text for users attempting to log on'"
# platforms: win10
platform: windows
description: |
@@ -1194,7 +1194,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Configure 'Interactive logon Message title for users attempting to log on'
+- name: "[Win 10] CIS - Configure 'Interactive logon Message title for users attempting to log on'"
# platforms: win10
platform: windows
description: |
@@ -1212,7 +1212,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Interactive logon Prompt user to change password before expiration' is set to 'between 5 and 14 days'
+- name: "[Win 10] CIS - Ensure 'Interactive logon Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
# platforms: win10
platform: windows
description: |
@@ -1229,7 +1229,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Interactive logon Smart card removal behavior' is set to 'Lock Workstation' or higher
+- name: "[Win 10] CIS - Ensure 'Interactive logon Smart card removal behavior' is set to 'Lock Workstation' or higher"
# platforms: win10
platform: windows
description: |
@@ -1245,7 +1245,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure that 'Microsoft network client Digitally sign communications (always)' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure that 'Microsoft network client Digitally sign communications (always)' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -1260,7 +1260,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure that 'Microsoft network client Digitally sign communications (if server agrees)' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure that 'Microsoft network client Digitally sign communications (if server agrees)' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -1275,7 +1275,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure that 'Microsoft network client Send unencrypted password to third-party SMB servers' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure that 'Microsoft network client Send unencrypted password to third-party SMB servers' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -1290,7 +1290,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure that 'Microsoft network server Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'
+- name: "[Win 10] CIS - Ensure that 'Microsoft network server Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'"
# platforms: win10
platform: windows
description: |
@@ -1308,7 +1308,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure that 'Microsoft network server Digitally sign communications (always)' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure that 'Microsoft network server Digitally sign communications (always)' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -1325,7 +1325,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure that 'Microsoft network server Digitally sign communications (if client agrees)' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure that 'Microsoft network server Digitally sign communications (if client agrees)' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -1342,7 +1342,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure that 'Microsoft network server Disconnect clients when logon hours expire' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure that 'Microsoft network server Disconnect clients when logon hours expire' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -1359,7 +1359,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure that 'Microsoft network server Server SPN target name validation level' is set to 'Accept if provided by client'
+- name: "[Win 10] CIS - Ensure that 'Microsoft network server Server SPN target name validation level' is set to 'Accept if provided by client'"
# platforms: win10
platform: windows
description: |
@@ -1377,7 +1377,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Network access : Allow anonymous SID/Name translation' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Network access : Allow anonymous SID/Name translation' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
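Review bot: The entries written as `- name: >` keep a folded block scalar while the rest of this commit moves names to double-quoted strings, so the file now carries two styles for the same field. A `>` scalar with default chomping also ends in a newline, so these names are not byte-identical in form to the quoted ones, which may matter wherever the name is compared or displayed. I would write this one as `- name: "[Win 10] CIS - Ensure 'Network access : Allow anonymous SID/Name translation' is set to 'Disabled'"`, or at least use `>-` to strip the trailing newline. The same applies to the other folded names in this file (the remaining 'Network access:', 'Restrict NTLM' and 'User Account Control:' entries); the policy entry continues outside the hunk.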
@@ -1394,7 +1394,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -1413,7 +1413,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -1431,7 +1431,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -1448,7 +1448,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -1464,7 +1464,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'
+ [Win 10] CIS - Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'
# platforms: win10
platform: windows
description: |
@@ -1481,7 +1481,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Network access: Remotely accessible registry paths' is configured
+ [Win 10] CIS - Ensure 'Network access: Remotely accessible registry paths' is configured
# platforms: win10
platform: windows
description: |
@@ -1501,7 +1501,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured
+ [Win 10] CIS - Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured
# platforms: win10
platform: windows
description: |
@@ -1529,7 +1529,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -1551,7 +1551,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'
+ [Win 10] CIS - Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'
# platforms: win10
platform: windows
description: |
@@ -1567,7 +1567,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'
+ [Win 10] CIS - Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'
# platforms: win10
platform: windows
description: |
@@ -1585,7 +1585,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'
+ [Win 10] CIS - Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'
# platforms: win10
platform: windows
description: |
@@ -1604,7 +1604,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: rachelelysia
-- name: CIS - Ensure 'Network security Allow Local System to use computer identity for NTLM' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure 'Network security Allow Local System to use computer identity for NTLM' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -1619,7 +1619,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Network security Allow LocalSystem NULL session fallback' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Network security Allow LocalSystem NULL session fallback' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -1634,7 +1634,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Network Security Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Network Security Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -1649,7 +1649,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Network security Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
+- name: "[Win 10] CIS - Ensure 'Network security Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'"
# platforms: win10
platform: windows
description: |
@@ -1664,7 +1664,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Network security Do not store LAN Manager hash value on next password change' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure 'Network security Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -1683,7 +1683,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Network security Force logoff when logon hours expire' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure 'Network security Force logoff when logon hours expire' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -1700,7 +1700,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Network security LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
+- name: "[Win 10] CIS - Ensure 'Network security LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'"
# platforms: win10
platform: windows
description: |
@@ -1719,7 +1719,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Network security LDAP client signing requirements' is set to 'Negotiate signing or higher'
+- name: "[Win 10] CIS - Ensure 'Network security LDAP client signing requirements' is set to 'Negotiate signing or higher'"
# platforms: win10
platform: windows
description: |
@@ -1735,7 +1735,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts'
+ [Win 10] CIS - Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts'
# platforms: win10
platform: windows
description: |
@@ -1750,7 +1750,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Audit all' or higher
+ [Win 10] CIS - Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Audit all' or higher
# platforms: win10
platform: windows
description: |
@@ -1767,7 +1767,7 @@
# purpose: Informational
# tags: compliance, CIS, CIS_Level1
-- name: CIS - Ensure 'System cryptography Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used or higher'
+- name: "[Win 10] CIS - Ensure 'System cryptography Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used or higher'"
# platforms: win10
platform: windows
description: |
@@ -1782,7 +1782,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'System objects Require case insensitivity for non Windows subsystems' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure 'System objects Require case insensitivity for non Windows subsystems' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -1804,7 +1804,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure 'System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -1824,7 +1824,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -1840,7 +1840,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'
+ [Win 10] CIS - Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'
# platforms: win10
platform: windows
description: |
@@ -1856,7 +1856,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
+ [Win 10] CIS - Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
# platforms: win10
platform: windows
description: |
@@ -1872,7 +1872,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -1888,7 +1888,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -1906,7 +1906,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -1922,7 +1922,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -1938,7 +1938,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -1957,7 +1957,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: rachelelysia
-- name: CIS - Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -1973,7 +1973,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -1989,7 +1989,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'
+- name: "[Win 10] CIS - Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'"
# platforms: win10
platform: windows
description: |
@@ -2009,7 +2009,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2024,7 +2024,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2040,7 +2040,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'
+- name: "[Win 10] CIS - Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'"
# platforms: win10
platform: windows
description: |
@@ -2062,7 +2062,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'
+- name: "[Win 10] CIS - Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'"
# platforms: win10
platform: windows
description: |
@@ -2081,7 +2081,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2097,7 +2097,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2113,7 +2113,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'
+- name: "[Win 10] CIS - Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'"
# platforms: win10
platform: windows
description: |
@@ -2133,7 +2133,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'
+- name: "[Win 10] CIS - Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'"
# platforms: win10
platform: windows
description: |
@@ -2153,7 +2153,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2169,7 +2169,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'
+- name: "[Win 10] CIS - Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'"
# platforms: win10
platform: windows
description: |
@@ -2189,7 +2189,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2205,7 +2205,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2221,7 +2221,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2237,7 +2237,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2253,7 +2253,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'Print Spooler (Spooler)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Print Spooler (Spooler)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2269,7 +2269,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2285,7 +2285,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2301,7 +2301,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2317,7 +2317,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2333,7 +2333,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2348,7 +2348,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: marcosd4h
-- name: CIS - Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2365,7 +2365,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2380,7 +2380,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: marcosd4h
-- name: CIS - Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2395,7 +2395,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Server (LanmanServer)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Server (LanmanServer)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2410,7 +2410,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: marcosd4h
-- name: CIS - Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or to 'Not Installed'
+- name: "[Win 10] CIS - Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or to 'Not Installed'"
# platforms: win10
platform: windows
description: |
@@ -2429,7 +2429,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or to 'Not Installed'
+- name: "[Win 10] CIS - Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or to 'Not Installed'"
# platforms: win10
platform: windows
description: |
@@ -2448,7 +2448,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: marcosd4h
-- name: CIS - Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or to 'Not Installed'
+- name: "[Win 10] CIS - Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or to 'Not Installed'"
# platforms: win10
platform: windows
description: |
@@ -2467,7 +2467,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2483,7 +2483,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2498,7 +2498,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or to 'Not Installed'
+- name: "[Win 10] CIS - Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or to 'Not Installed'"
# platforms: win10
platform: windows
description: |
@@ -2517,7 +2517,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2534,7 +2534,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: marcosd4h
-- name: CIS - Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2551,7 +2551,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: marcosd4h
-- name: CIS - Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or to 'Not Installed'
+- name: "[Win 10] CIS - Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or to 'Not Installed'"
# platforms: win10
platform: windows
description: |
@@ -2570,7 +2570,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2585,7 +2585,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2600,7 +2600,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: marcosd4h
-- name: CIS - Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2615,7 +2615,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: marcosd4h
-- name: CIS - Ensure 'Windows Remote Management (WSManagement) (WinRM)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Windows Remote Management (WSManagement) (WinRM)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2632,7 +2632,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: marcosd4h
-- name: CIS - Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or to 'Not Installed'
+- name: "[Win 10] CIS - Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or to 'Not Installed'"
# platforms: win10
platform: windows
description: |
@@ -2651,7 +2651,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2666,7 +2666,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2681,7 +2681,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2696,7 +2696,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -2712,7 +2712,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'
+ [Win 10] CIS - Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'
# platforms: win10
platform: windows
description: |
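Review bot: The folded `name: >` form kept here leaves a trailing newline in the policy name, while the names this commit rewrites as `- name: "[Win 10] …"` have none, so the two groups of names are not shaped the same way. Since every name is being touched anyway, `- name: >-` would strip the newline without needing quotes; that matters for the entries whose names contain backslashes (the firewall log paths), which cannot simply move to double quotes. This applies to all the `- name: >` hunks below. Whether the consumer trims the value is not visible from the diff.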
@@ -2728,7 +2728,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'
+ [Win 10] CIS - Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'
# platforms: win10
platform: windows
description: |
@@ -2744,7 +2744,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'
+ [Win 10] CIS - Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'
# platforms: win10
platform: windows
description: |
@@ -2760,7 +2760,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'
+ [Win 10] CIS - Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'
# platforms: win10
platform: windows
description: |
@@ -2776,7 +2776,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'
+ [Win 10] CIS - Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'
# platforms: win10
platform: windows
description: |
@@ -2792,7 +2792,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'
+ [Win 10] CIS - Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'
# platforms: win10
platform: windows
description: |
@@ -2808,7 +2808,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
+ [Win 10] CIS - Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
# platforms: win10
platform: windows
description: |
@@ -2824,7 +2824,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'
+ [Win 10] CIS - Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'
# platforms: win10
platform: windows
description: |
@@ -2840,7 +2840,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'
+ [Win 10] CIS - Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'
# platforms: win10
platform: windows
description: |
@@ -2856,7 +2856,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'
+ [Win 10] CIS - Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'
# platforms: win10
platform: windows
description: |
@@ -2872,7 +2872,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'
+ [Win 10] CIS - Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'
# platforms: win10
platform: windows
description: |
@@ -2888,7 +2888,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'
+ [Win 10] CIS - Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'
# platforms: win10
platform: windows
description: |
@@ -2904,7 +2904,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'
+ [Win 10] CIS - Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'
# platforms: win10
platform: windows
description: |
@@ -2920,7 +2920,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'
+ [Win 10] CIS - Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'
# platforms: win10
platform: windows
description: |
@@ -2936,7 +2936,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'
+ [Win 10] CIS - Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'
# platforms: win10
platform: windows
description: |
@@ -2952,7 +2952,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'
+ [Win 10] CIS - Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'
# platforms: win10
platform: windows
description: |
@@ -2968,7 +2968,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'
+ [Win 10] CIS - Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'
# platforms: win10
platform: windows
description: |
@@ -2984,7 +2984,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'
+ [Win 10] CIS - Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'
# platforms: win10
platform: windows
description: |
@@ -3000,7 +3000,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'
+ [Win 10] CIS - Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'
# platforms: win10
platform: windows
description: |
@@ -3016,7 +3016,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'
+ [Win 10] CIS - Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'
# platforms: win10
platform: windows
description: |
@@ -3032,7 +3032,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'
+ [Win 10] CIS - Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'
# platforms: win10
platform: windows
description: |
@@ -3048,7 +3048,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'
+ [Win 10] CIS - Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'
# platforms: win10
platform: windows
description: |
@@ -3066,7 +3066,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'
+ [Win 10] CIS - Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'
# platforms: win10
platform: windows
description: |
@@ -3081,7 +3081,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: RachelElysia
-- name: CIS - Ensure 'Audit Credential Validation' is set to 'Success and Failure'
+- name: "[Win 10] CIS - Ensure 'Audit Credential Validation' is set to 'Success and Failure'"
# platforms: win10
platform: windows
description: |
@@ -3099,7 +3099,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure 'Audit Application Group Management' is set to 'Success and Failure'
+- name: "[Win 10] CIS - Ensure 'Audit Application Group Management' is set to 'Success and Failure'"
# platforms: win10
platform: windows
description: |
@@ -3117,7 +3117,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure 'Audit Security Group Management' is set to include 'Success'
+- name: "[Win 10] CIS - Ensure 'Audit Security Group Management' is set to include 'Success'"
# platforms: win10
platform: windows
description: |
@@ -3135,7 +3135,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure 'Audit PNP Activity' is set to 'Success'
+- name: "[Win 10] CIS - Ensure 'Audit PNP Activity' is set to 'Success'"
# platforms: win10
platform: windows
description: |
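Review bot: This policy and the one in the next hunk are both named for 'Audit PNP Activity' and differ only in `is set to 'Success'` versus `is set to include 'Success'`, and the new prefix does not make them easier to tell apart. The description and query are outside both hunks, so I cannot tell whether one is a duplicate or a copy-pasted name on a check for a different audit subcategory; a mislabeled audit policy would report the wrong setting as compliant. Please confirm against the query and either drop the duplicate or correct the name; until then a marker such as `# TODO: near-duplicate name of the following policy, confirm which subcategory this query checks` would help.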
@@ -3154,7 +3154,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure 'Audit PNP Activity' is set to include 'Success'
+- name: "[Win 10] CIS - Ensure 'Audit PNP Activity' is set to include 'Success'"
# platforms: win10
platform: windows
description: |
@@ -3174,7 +3174,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure 'Audit Process Creation' is set to include 'Success'
+- name: "[Win 10] CIS - Ensure 'Audit Process Creation' is set to include 'Success'"
# platforms: win10
platform: windows
description: |
@@ -3193,7 +3193,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Audit Account Lockout' is set to include 'Failure'
+ [Win 10] CIS - Ensure 'Audit Account Lockout' is set to include 'Failure'
# platforms: win10
platform: windows
description: |
@@ -3209,7 +3209,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Audit Group Membership' is set to include 'Success'
+ [Win 10] CIS - Ensure 'Audit Group Membership' is set to include 'Success'
# platforms: win10
platform: windows
description: |
@@ -3224,7 +3224,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Audit Logoff' is set to include 'Success'
+ [Win 10] CIS - Ensure 'Audit Logoff' is set to include 'Success'
# platforms: win10
platform: windows
description: |
@@ -3241,7 +3241,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Audit Logon' is set to 'Success and Failure'
+ [Win 10] CIS - Ensure 'Audit Logon' is set to 'Success and Failure'
# platforms: win10
platform: windows
description: |
@@ -3260,7 +3260,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'
+ [Win 10] CIS - Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'
# platforms: win10
platform: windows
description: |
@@ -3285,7 +3285,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Audit Special Logon' is set to include 'Success'
+ [Win 10] CIS - Ensure 'Audit Special Logon' is set to include 'Success'
# platforms: win10
platform: windows
description: |
@@ -3300,7 +3300,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Audit Detailed File Share' is set to include 'Failure'
+- name: "[Win 10] CIS - Ensure 'Audit Detailed File Share' is set to include 'Failure'"
# platforms: win10
platform: windows
description: |
@@ -3318,7 +3318,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit File Share' is set to 'Success and Failure'
+- name: "[Win 10] CIS - Ensure 'Audit File Share' is set to 'Success and Failure'"
# platforms: win10
platform: windows
description: |
@@ -3335,7 +3335,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'
+- name: "[Win 10] CIS - Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'"
# platforms: win10
platform: windows
description: |
@@ -3362,7 +3362,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit Removable Storage' is set to 'Success and Failure'
+- name: "[Win 10] CIS - Ensure 'Audit Removable Storage' is set to 'Success and Failure'"
# platforms: win10
platform: windows
description: |
@@ -3379,7 +3379,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit Audit Policy Change' is set to include 'Success'
+- name: "[Win 10] CIS - Ensure 'Audit Audit Policy Change' is set to include 'Success'"
# platforms: win10
platform: windows
description: |
@@ -3405,7 +3405,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit Authentication Policy Change' is set to include 'Success'
+- name: "[Win 10] CIS - Ensure 'Audit Authentication Policy Change' is set to include 'Success'"
# platforms: win10
platform: windows
description: |
@@ -3433,7 +3433,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit Authorization Policy Change' is set to include 'Success'
+- name: "[Win 10] CIS - Ensure 'Audit Authorization Policy Change' is set to include 'Success'"
# platforms: win10
platform: windows
description: |
@@ -3455,7 +3455,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'
+- name: "[Win 10] CIS - Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'"
# platforms: win10
platform: windows
description: |
@@ -3486,7 +3486,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'
+- name: "[Win 10] CIS - Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'"
# platforms: win10
platform: windows
description: |
@@ -3520,7 +3520,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit IPsec Driver' is set to 'Success and Failure'
+- name: "[Win 10] CIS - Ensure 'Audit IPsec Driver' is set to 'Success and Failure'"
# platforms: win10
platform: windows
description: |
@@ -3548,7 +3548,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit Other System Events' is set to 'Success and Failure'
+- name: "[Win 10] CIS - Ensure 'Audit Other System Events' is set to 'Success and Failure'"
# platforms: win10
platform: windows
description: |
@@ -3578,7 +3578,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit Security State Change' is set to include 'Success'
+- name: "[Win 10] CIS - Ensure 'Audit Security State Change' is set to include 'Success'"
# platforms: win10
platform: windows
description: |
@@ -3600,7 +3600,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit Security System Extension' is set to include 'Success'
+- name: "[Win 10] CIS - Ensure 'Audit Security System Extension' is set to include 'Success'"
# platforms: win10
platform: windows
description: |
@@ -3622,7 +3622,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit System Integrity' is set to 'Success and Failure'
+- name: "[Win 10] CIS - Ensure 'Audit System Integrity' is set to 'Success and Failure'"
# platforms: win10
platform: windows
description: |
@@ -3649,7 +3649,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit Other Policy Change Events' is set to include 'Failure'
+- name: "[Win 10] CIS - Ensure 'Audit Other Policy Change Events' is set to include 'Failure'"
# platforms: win10
platform: windows
description: |
@@ -3677,7 +3677,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -3693,7 +3693,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -3709,7 +3709,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -3725,7 +3725,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow Online Tips' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow Online Tips' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -3741,7 +3741,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -3761,7 +3761,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'
+ [Win 10] CIS - Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'
# platforms: win10
platform: windows
description: |
@@ -3777,7 +3777,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure SMB v1 server' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Configure SMB v1 server' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -3793,7 +3793,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enable Certificate Padding' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Enable Certificate Padding' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -3812,7 +3812,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -3828,7 +3828,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'
+ [Win 10] CIS - Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'
# platforms: win10
platform: windows
description: |
@@ -3849,7 +3849,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'WDigest Authentication' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'WDigest Authentication' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -3867,7 +3867,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -3883,7 +3883,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -3899,7 +3899,7 @@
# contributors: defensivedepth
- name: >
- CIS - Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
+ [Win 10] CIS - Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
# platforms: win10
platform: windows
description: |
@@ -3915,7 +3915,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'
+ [Win 10] CIS - Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'
# platforms: win10
platform: windows
description: |
@@ -3931,7 +3931,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -3947,7 +3947,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -3963,7 +3963,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'LSA Protection' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'LSA Protection' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -3979,7 +3979,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -3995,7 +3995,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -4011,7 +4011,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4032,7 +4032,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires' is set to 'Enabled: 5 or fewer seconds'
+ [Win 10] CIS - Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires' is set to 'Enabled: 5 or fewer seconds'
# platforms: win10
platform: windows
description: |
@@ -4048,7 +4048,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
+ [Win 10] CIS - Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
# platforms: win10
platform: windows
description: |
@@ -4064,7 +4064,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
+ [Win 10] CIS - Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
# platforms: win10
platform: windows
description: |
@@ -4080,7 +4080,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'
+ [Win 10] CIS - Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'
# platforms: win10
platform: windows
description: |
@@ -4096,7 +4096,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off multicast name resolution' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off multicast name resolution' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4112,7 +4112,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Enable Font Providers' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Enable Font Providers' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -4128,7 +4128,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'
+ [Win 10] CIS - Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'
# platforms: win10
platform: windows
description: |
@@ -4144,7 +4144,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enable insecure guest logons' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Enable insecure guest logons' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -4160,7 +4160,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -4176,7 +4176,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -4192,7 +4192,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4208,7 +4208,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4224,7 +4224,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4240,7 +4240,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4256,7 +4256,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication", "Require Integrity", and “Require Privacy” set for all NETLOGON and SYSVOL shares'
+ [Win 10] CIS - Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication", "Require Integrity", and “Require Privacy” set for all NETLOGON and SYSVOL shares'
# platforms: win10
platform: windows
description: |
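Review bot: The renamed line still mixes straight quotes with typographic ones (`“Require Privacy”`) inside the policy name, so the name cannot be typed or matched with plain ASCII quotes. As the line is being rewritten anyway, I would normalise it to `"Require Privacy"`, matching the two quoted options before it. The folded scalar makes the straight double quotes safe without escaping.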
@@ -4277,7 +4277,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -4292,7 +4292,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'
+ [Win 10] CIS - Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'
# platforms: win10
platform: windows
description: |
@@ -4307,7 +4307,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'
+ [Win 10] CIS - Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'
# platforms: win10
platform: windows
description: |
@@ -4322,7 +4322,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'
+ [Win 10] CIS - Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'
# platforms: win10
platform: windows
description: |
@@ -4337,7 +4337,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Turn off notifications network usage' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off notifications network usage' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4352,7 +4352,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'
+ [Win 10] CIS - Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'
# platforms: win10
platform: windows
description: |
@@ -4368,7 +4368,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'
+ [Win 10] CIS - Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'
# platforms: win10
platform: windows
description: |
@@ -4384,7 +4384,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'
+ [Win 10] CIS - Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'
# platforms: win10
platform: windows
description: |
@@ -4400,7 +4400,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'
+ [Win 10] CIS - Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'
# platforms: win10
platform: windows
description: |
@@ -4416,7 +4416,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher
+ [Win 10] CIS - Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher
# platforms: win10
platform: windows
description: |
@@ -4432,7 +4432,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'
+ [Win 10] CIS - Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'
# platforms: win10
platform: windows
description: |
@@ -4448,7 +4448,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4464,7 +4464,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Include command line in process creation events' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Include command line in process creation events' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4479,7 +4479,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'
+ [Win 10] CIS - Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'
# platforms: win10
platform: windows
description: |
@@ -4494,7 +4494,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4509,7 +4509,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4524,7 +4524,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection'
+ [Win 10] CIS - Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection'
# platforms: win10
platform: windows
description: |
@@ -4539,7 +4539,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'
+ [Win 10] CIS - Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'
# platforms: win10
platform: windows
description: |
@@ -4554,7 +4554,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'
+ [Win 10] CIS - Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'
# platforms: win10
platform: windows
description: |
@@ -4569,7 +4569,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock'
+ [Win 10] CIS - Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock'
# platforms: win10
platform: windows
description: |
@@ -4584,7 +4584,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4599,7 +4599,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4616,7 +4616,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A'
+ [Win 10] CIS - Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A'
# platforms: win10
platform: windows
description: |
@@ -4633,7 +4633,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked)
+ [Win 10] CIS - Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked)
# platforms: win10
platform: windows
description: |
@@ -4650,7 +4650,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4667,7 +4667,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes'
+ [Win 10] CIS - Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes'
# platforms: win10
platform: windows
description: |
@@ -4684,7 +4684,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)
+ [Win 10] CIS - Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)
# platforms: win10
platform: windows
description: |
@@ -4701,7 +4701,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4716,7 +4716,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' (Automated)
+ [Win 10] CIS - Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' (Automated)
# platforms: win10
platform: windows
description: |
@@ -4737,7 +4737,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
+ [Win 10] CIS - Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
# platforms: win10
platform: windows
description: |
@@ -4753,7 +4753,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
+ [Win 10] CIS - Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
# platforms: win10
platform: windows
description: |
@@ -4769,7 +4769,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Continue experiences on this device' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Continue experiences on this device' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -4785,7 +4785,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -4807,7 +4807,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Turn off access to the Store' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off access to the Store' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4823,7 +4823,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4839,7 +4839,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4856,7 +4856,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4873,7 +4873,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4889,7 +4889,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4905,7 +4905,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off printing over HTTP' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4921,7 +4921,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4937,7 +4937,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4953,7 +4953,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4970,7 +4970,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -4985,7 +4985,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -5000,7 +5000,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -5016,7 +5016,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -5031,7 +5031,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'
+ [Win 10] CIS - Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'
# platforms: win10
platform: windows
description: |
@@ -5048,7 +5048,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'
+ [Win 10] CIS - Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'
# platforms: win10
platform: windows
description: |
@@ -5064,7 +5064,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure password backup directory' is set to 'Enabled: Active Directory' or 'Enabled: Azure Active Directory'
+ [Win 10] CIS - Ensure 'Configure password backup directory' is set to 'Enabled: Active Directory' or 'Enabled: Azure Active Directory'
# platforms: win10
platform: windows
description: |
@@ -5085,7 +5085,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -5105,7 +5105,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Enable password encryption' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Enable password encryption' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -5126,7 +5126,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'
+ [Win 10] CIS - Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'
# platforms: win10
platform: windows
description: |
@@ -5163,7 +5163,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'
+ [Win 10] CIS - Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'
# platforms: win10
platform: windows
description: |
@@ -5198,7 +5198,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'
+ [Win 10] CIS - Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'
# platforms: win10
platform: windows
description: |
@@ -5233,7 +5233,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Post-authentication actions: Grace period (hours)' is set to 'Enabled: 8 or fewer hours, but not 0'
+ [Win 10] CIS - Ensure 'Post-authentication actions: Grace period (hours)' is set to 'Enabled: 8 or fewer hours, but not 0'
# platforms: win10
platform: windows
description: |
@@ -5258,7 +5258,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Post-authentication actions: Actions' is set to 'Enabled: Reset the password and logoff the managed account' or higher
+ [Win 10] CIS - Ensure 'Post-authentication actions: Actions' is set to 'Enabled: Reset the password and logoff the managed account' or higher
# platforms: win10
platform: windows
description: |
@@ -5290,7 +5290,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' (Automated)
+ [Win 10] CIS - Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' (Automated)
# platforms: win10
platform: windows
description: |
@@ -5306,7 +5306,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -5321,7 +5321,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Do not display network selection UI' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Do not display network selection UI' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -5336,7 +5336,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -5351,7 +5351,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -5366,7 +5366,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -5381,7 +5381,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off picture password sign-in' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off picture password sign-in' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -5396,7 +5396,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -5411,7 +5411,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -5426,7 +5426,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow upload of User Activities' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow upload of User Activities' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -5441,7 +5441,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -5456,7 +5456,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -5471,7 +5471,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -5486,7 +5486,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -5501,7 +5501,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -5516,7 +5516,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -5531,7 +5531,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -5546,7 +5546,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -5561,7 +5561,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -5577,7 +5577,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'
+ [Win 10] CIS - Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'
# platforms: win10
platform: windows
description: |
@@ -5598,7 +5598,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -5614,7 +5614,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -5630,7 +5630,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off the advertising ID' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off the advertising ID' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -5646,7 +5646,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enable Windows NTP Client' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Enable Windows NTP Client' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -5662,7 +5662,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enable Windows NTP Server' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Enable Windows NTP Server' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -5677,7 +5677,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: rachelelysia
-- name: CIS - Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'
+- name: "[Win 10] CIS - Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'"
# platforms: win10
platform: windows
description: |
@@ -5694,7 +5694,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: marcosd4h
-- name: CIS - Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -5709,7 +5709,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled Force Deny'
+- name: "[Win 10] CIS - Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled Force Deny'"
# platforms: win10
platform: windows
description: |
@@ -5724,7 +5724,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -5740,7 +5740,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -5755,7 +5755,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: marcosd4h
-- name: CIS - Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
+- name: "[Win 10] CIS - Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'"
# platforms: win10
platform: windows
description: |
@@ -5770,7 +5770,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Set the default behavior for AutoRun' is set to 'Enabled Do not execute any autorun commands'
+- name: "[Win 10] CIS - Ensure 'Set the default behavior for AutoRun' is set to 'Enabled Do not execute any autorun commands'"
# platforms: win10
platform: windows
description: |
@@ -5786,7 +5786,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Turn off Autoplay' is set to 'Enabled All drives'
+- name: "[Win 10] CIS - Ensure 'Turn off Autoplay' is set to 'Enabled All drives'"
# platforms: win10
platform: windows
description: |
@@ -5803,7 +5803,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -5819,7 +5819,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -5835,7 +5835,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -5856,7 +5856,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'
# platforms: win10
platform: windows
description: |
@@ -5873,7 +5873,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password'
# platforms: win10
platform: windows
description: |
@@ -5890,7 +5890,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' or higher
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' or higher
# platforms: win10
platform: windows
description: |
@@ -5907,7 +5907,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'
# platforms: win10
platform: windows
description: |
@@ -5924,7 +5924,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'
# platforms: win10
platform: windows
description: |
@@ -5941,7 +5941,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'
# platforms: win10
platform: windows
description: |
@@ -5958,7 +5958,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'
# platforms: win10
platform: windows
description: |
@@ -5975,7 +5975,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -5992,7 +5992,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -6009,7 +6009,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -6026,7 +6026,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'
+ [Win 10] CIS - Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'
# platforms: win10
platform: windows
description: |
@@ -6043,7 +6043,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -6060,7 +6060,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -6077,7 +6077,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -6098,7 +6098,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'
# platforms: win10
platform: windows
description: |
@@ -6115,7 +6115,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' or higher
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' or higher
# platforms: win10
platform: windows
description: |
@@ -6132,7 +6132,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'
# platforms: win10
platform: windows
description: |
@@ -6149,7 +6149,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'
# platforms: win10
platform: windows
description: |
@@ -6166,7 +6166,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'
# platforms: win10
platform: windows
description: |
@@ -6183,7 +6183,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages'
# platforms: win10
platform: windows
description: |
@@ -6200,7 +6200,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'
# platforms: win10
platform: windows
description: |
@@ -6217,7 +6217,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -6234,7 +6234,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -6251,7 +6251,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Require additional authentication at startup' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Require additional authentication at startup' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -6267,7 +6267,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'
+ [Win 10] CIS - Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'
# platforms: win10
platform: windows
description: |
@@ -6283,7 +6283,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled' (Automated)
+ [Win 10] CIS - Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled' (Automated)
# platforms: win10
platform: windows
description: |
@@ -6299,7 +6299,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -6320,7 +6320,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'
# platforms: win10
platform: windows
description: |
@@ -6337,7 +6337,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48- digit recovery password'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48- digit recovery password'
# platforms: win10
platform: windows
description: |
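Review bot: The renamed title on the added line still reads `'Enabled: Do not allow 48- digit recovery password'`, with a stray space after the hyphen, while the fixed-drive and operating-system-drive entries in this diff write `48-digit`. Since the line is being rewritten anyway, I would end it with `'Enabled: Do not allow 48-digit recovery password'`. The later 'Turn off location' hunk has the same kind of carry-over: its new name ends in an unclosed quote (`'Enabled`) and should end `'Enabled'`. Both are harmless to the YAML folded scalar, but if anything matches these policies by name it would have to reproduce the typo.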
@@ -6354,7 +6354,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'
# platforms: win10
platform: windows
description: |
@@ -6371,7 +6371,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'
# platforms: win10
platform: windows
description: |
@@ -6388,7 +6388,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False'
# platforms: win10
platform: windows
description: |
@@ -6405,7 +6405,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages'
# platforms: win10
platform: windows
description: |
@@ -6422,7 +6422,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False'
+ [Win 10] CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False'
# platforms: win10
platform: windows
description: |
@@ -6439,7 +6439,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -6456,7 +6456,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -6472,7 +6472,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -6489,7 +6489,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True'
+ [Win 10] CIS - Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True'
# platforms: win10
platform: windows
description: |
@@ -6506,7 +6506,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -6523,7 +6523,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'
+ [Win 10] CIS - Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'
# platforms: win10
platform: windows
description: |
@@ -6539,7 +6539,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -6555,7 +6555,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow Use of Camera' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow Use of Camera' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -6571,7 +6571,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -6586,7 +6586,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Turn off cloud optimized content' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off cloud optimized content' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -6601,7 +6601,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -6616,7 +6616,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'
+ [Win 10] CIS - Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'
# platforms: win10
platform: windows
description: |
@@ -6631,7 +6631,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Do not display the password reveal button' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Do not display the password reveal button' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -6646,7 +6646,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -6661,7 +6661,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -6676,7 +6676,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'
+ [Win 10] CIS - Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'
# platforms: win10
platform: windows
description: |
@@ -6695,7 +6695,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'
+ [Win 10] CIS - Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'
# platforms: win10
platform: windows
description: |
@@ -6710,7 +6710,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Disable OneSettings Downloads' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Disable OneSettings Downloads' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
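Review bot: The added `[Win 10]` prefix on 'Disable OneSettings Downloads' disagrees with the `# platforms: win11` comment directly beneath it. The same mismatch appears in the hunks for 'Enable OneSettings Auditing', 'Limit Diagnostic Log Collection' and 'Limit Dump Collection'. Either the comment is stale or these checks apply only to Windows 11; the hunk does not show which, because the query and description lie outside it. If they belong in the Windows 10 set, change the comment to `# platforms: win10`; if not, confirm the label and placement before merge, since a host could otherwise be reported against a control that does not apply to it.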
@@ -6726,7 +6726,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Do not show feedback notifications' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Do not show feedback notifications' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -6741,7 +6741,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enable OneSettings Auditing' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Enable OneSettings Auditing' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -6757,7 +6757,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -6773,7 +6773,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Limit Dump Collection' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Limit Dump Collection' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -6789,7 +6789,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Toggle user control over Insider builds' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Toggle user control over Insider builds' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -6804,7 +6804,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Download Mode' is NOT set to 'Enabled: Internet'
+ [Win 10] CIS - Ensure 'Download Mode' is NOT set to 'Enabled: Internet'
# platforms: win10
platform: windows
description: |
@@ -6826,7 +6826,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -6842,7 +6842,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -6859,7 +6859,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
+ [Win 10] CIS - Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
# platforms: win10
platform: windows
description: |
@@ -6876,7 +6876,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -6893,7 +6893,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
+ [Win 10] CIS - Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
# platforms: win10
platform: windows
description: |
@@ -6910,7 +6910,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -6927,7 +6927,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
+ [Win 10] CIS - Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
# platforms: win10
platform: windows
description: |
@@ -6944,7 +6944,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -6961,7 +6961,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
+ [Win 10] CIS - Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
# platforms: win10
platform: windows
description: |
@@ -6978,7 +6978,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -6994,7 +6994,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off heap termination on corruption' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Turn off heap termination on corruption' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7010,7 +7010,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7026,7 +7026,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off location' is set to 'Enabled
+ [Win 10] CIS - Ensure 'Turn off location' is set to 'Enabled
# platforms: win10
platform: windows
description: |
@@ -7042,7 +7042,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7058,7 +7058,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7074,7 +7074,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Join Microsoft MAPS' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Join Microsoft MAPS' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7096,7 +7096,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Configure Attack Surface Reduction Rules' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Configure Attack Surface Reduction Rules' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7112,7 +7112,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured
+ [Win 10] CIS - Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured
# platforms: win10
platform: windows
description: |
@@ -7167,7 +7167,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'
+ [Win 10] CIS - Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'
# platforms: win10
platform: windows
description: |
@@ -7183,7 +7183,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7199,7 +7199,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enable file hash computation feature' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Enable file hash computation feature' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7215,7 +7215,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7232,7 +7232,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Turn off real-time protection' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Turn off real-time protection' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7250,7 +7250,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Turn on behavior monitoring' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn on behavior monitoring' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7267,7 +7267,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Turn on script scanning' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn on script scanning' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7284,7 +7284,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Configure Watson events' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Configure Watson events' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7301,7 +7301,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Scan packed executables' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Scan packed executables' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7319,7 +7319,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Scan removable drives' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Scan removable drives' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7336,7 +7336,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Turn on e-mail scanning' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn on e-mail scanning' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7353,7 +7353,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'
+ [Win 10] CIS - Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'
# platforms: win10
platform: windows
description: |
@@ -7369,7 +7369,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7385,7 +7385,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow auditing events in Microsoft Defender Application Guard' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Allow auditing events in Microsoft Defender Application Guard' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7401,7 +7401,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow camera and microphone access in Microsoft Defender Application Guard' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow camera and microphone access in Microsoft Defender Application Guard' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7417,7 +7417,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow data persistence for Microsoft Defender Application Guard' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow data persistence for Microsoft Defender Application Guard' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7433,7 +7433,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow files to download and save to the host operating system from Microsoft Defender Application Guard' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow files to download and save to the host operating system from Microsoft Defender Application Guard' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7449,7 +7449,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'
+ [Win 10] CIS - Ensure 'Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'
# platforms: win10
platform: windows
description: |
@@ -7465,7 +7465,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to 'Enabled: 1'
+ [Win 10] CIS - Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to 'Enabled: 1'
# platforms: win10
platform: windows
description: |
@@ -7486,7 +7486,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enable news and interests on the taskbar' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Enable news and interests on the taskbar' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7503,7 +7503,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7521,7 +7521,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Turn off Push To Install service' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off Push To Install service' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7538,7 +7538,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Allow UI Automation redirection' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow UI Automation redirection' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7553,7 +7553,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Do not allow location redirection' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Do not allow location redirection' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7568,7 +7568,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7583,7 +7583,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'
+ [Win 10] CIS - Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'
# platforms: win10
platform: windows
description: |
@@ -7598,7 +7598,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Allow Cortana' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow Cortana' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7613,7 +7613,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Allow Cortana above lock screen' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow Cortana above lock screen' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7627,7 +7627,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Allow indexing of encrypted files' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow indexing of encrypted files' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7642,7 +7642,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Allow search and Cortana to use location' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow search and Cortana to use location' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7657,7 +7657,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7675,7 +7675,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7690,7 +7690,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Do not allow COM port redirection' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Do not allow COM port redirection' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7705,7 +7705,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Do not allow drive redirection' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Do not allow drive redirection' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7720,7 +7720,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Do not allow LPT port redirection' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Do not allow LPT port redirection' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7735,7 +7735,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7750,7 +7750,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Always prompt for password upon connection' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Always prompt for password upon connection' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7765,7 +7765,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Require secure RPC communication' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Require secure RPC communication' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7780,7 +7780,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'
+ [Win 10] CIS - Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'
# platforms: win10
platform: windows
description: |
@@ -7795,7 +7795,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7810,7 +7810,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'
+ [Win 10] CIS - Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'
# platforms: win10
platform: windows
description: |
@@ -7828,7 +7828,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'
+ [Win 10] CIS - Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'
# platforms: win10
platform: windows
description: |
@@ -7844,7 +7844,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'
+ [Win 10] CIS - Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'
# platforms: win10
platform: windows
description: |
@@ -7859,7 +7859,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7874,7 +7874,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7890,7 +7890,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7906,7 +7906,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7922,7 +7922,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7938,7 +7938,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7954,7 +7954,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off the Store application' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off the Store application' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -7970,7 +7970,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow widgets' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow widgets' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -7986,7 +7986,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'
+ [Win 10] CIS - Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'
# platforms: win10
platform: windows
description: |
@@ -8005,7 +8005,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8021,7 +8021,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8037,7 +8037,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow user control over installs' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow user control over installs' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8054,7 +8054,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Always install with elevated privileges' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Always install with elevated privileges' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8070,7 +8070,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8087,7 +8087,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8104,7 +8104,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -8120,7 +8120,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Allow Basic authentication' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow Basic authentication' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8135,7 +8135,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Allow unencrypted traffic' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow unencrypted traffic' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8150,7 +8150,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Disallow Digest authentication' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Disallow Digest authentication' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -8165,7 +8165,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Allow Basic authentication' in WinRM service is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow Basic authentication' in WinRM service is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8180,7 +8180,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Allow remote server management through WinRM' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow remote server management through WinRM' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8197,7 +8197,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Allow unencrypted traffic' in WinRM service is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow unencrypted traffic' in WinRM service is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8212,7 +8212,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -8228,7 +8228,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Allow Remote Shell Access' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow Remote Shell Access' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8243,7 +8243,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8259,7 +8259,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8275,7 +8275,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Prevent users from modifying settings' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Prevent users from modifying settings' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -8291,7 +8291,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8306,7 +8306,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Configure Automatic Updates' is set to 'Enabled: 3'
+ [Win 10] CIS - Ensure 'Configure Automatic Updates' is set to 'Enabled: 3'
# platforms: win10
platform: windows
description: |
@@ -8325,7 +8325,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'
+ [Win 10] CIS - Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'
# platforms: win10
platform: windows
description: |
@@ -8343,7 +8343,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -8358,7 +8358,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Manage preview builds' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Manage preview builds' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8373,7 +8373,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'
+ [Win 10] CIS - Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'
# platforms: win10
platform: windows
description: |
@@ -8391,7 +8391,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'
+ [Win 10] CIS - Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'
# platforms: win10
platform: windows
description: |
@@ -8409,7 +8409,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Enable App Installer' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Enable App Installer' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8425,7 +8425,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8441,7 +8441,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Enable App Installer Hash Override' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Enable App Installer Hash Override' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8457,7 +8457,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8473,7 +8473,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Disable Internet Explorer 11 as a standalone browser' is set to 'Enabled: Always'
+ [Win 10] CIS - Ensure 'Disable Internet Explorer 11 as a standalone browser' is set to 'Enabled: Always'
# platforms: win10
platform: windows
description: |
@@ -8489,7 +8489,7 @@
# contributors: defensivedepth
- name: >
- CIS - Ensure 'Do not allow WebAuthn redirection' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Do not allow WebAuthn redirection' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -8505,7 +8505,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Allow search highlights' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Allow search highlights' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8521,7 +8521,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'
+ [Win 10] CIS - Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'
# platforms: win10
platform: windows
description: |
@@ -8537,7 +8537,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -8553,7 +8553,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -8570,7 +8570,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -8587,7 +8587,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'
+ [Win 10] CIS - Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'
# platforms: win10
platform: windows
description: |
@@ -8603,7 +8603,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -8619,7 +8619,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'
+ [Win 10] CIS - Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'
# platforms: win10
platform: windows
description: |
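Review bot: The name on the changed line still has an unbalanced quote, `is set to Disabled'`, while every sibling policy writes the value as `'Disabled'`. Since the line is being rewritten anyway, use `[Win 10] CIS - Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'` so that name-based searches and reports match the other entries.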
@@ -8635,7 +8635,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -8651,7 +8651,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -8667,7 +8667,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -8683,7 +8683,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
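Review bot: The `[Win 10]` prefix added to 'Turn off Spotlight collection on Desktop' disagrees with the `# platforms: win11` comment on the following line; the other entries in these hunks pair the prefix with `# platforms: win10`. Either the comment is stale and should read `# platforms: win10`, or this check targets a Windows 11 setting and does not belong under a Win 10 label. It is worth confirming against the query, which lies outside the hunk. A check for a setting the host OS does not expose can report a misleading pass or fail in compliance results.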
@@ -8700,7 +8700,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
@@ -8716,7 +8716,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Always install with elevated privileges' is set to 'Disabled' (User Configuration)
+ [Win 10] CIS - Ensure 'Always install with elevated privileges' is set to 'Disabled' (User Configuration)
# platforms: win10
platform: windows
description: |
@@ -8733,7 +8733,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Prevent Codec Download' is set to 'Enabled'
+ [Win 10] CIS - Ensure 'Prevent Codec Download' is set to 'Enabled'
# platforms: win10
platform: windows
description: |
diff --git a/docs/solutions/cis/win-10/scripts/account-and-password-policies.ps1 b/docs/solutions/cis/win-10/scripts/win10-account-and-password-policies.ps1
similarity index 100%
rename from docs/solutions/cis/win-10/scripts/account-and-password-policies.ps1
rename to docs/solutions/cis/win-10/scripts/win10-account-and-password-policies.ps1
diff --git a/docs/solutions/cis/win-10/scripts/audit-policy.ps1 b/docs/solutions/cis/win-10/scripts/win10-audit-policy.ps1
similarity index 100%
rename from docs/solutions/cis/win-10/scripts/audit-policy.ps1
rename to docs/solutions/cis/win-10/scripts/win10-audit-policy.ps1
diff --git a/docs/solutions/cis/win-10/scripts/user-rights-assignment.ps1 b/docs/solutions/cis/win-10/scripts/win10-user-rights-assignment.ps1
similarity index 100%
rename from docs/solutions/cis/win-10/scripts/user-rights-assignment.ps1
rename to docs/solutions/cis/win-10/scripts/win10-user-rights-assignment.ps1
diff --git a/docs/solutions/cis/win-10/scripts/windows-firewall.ps1 b/docs/solutions/cis/win-10/scripts/win10-windows-firewall.ps1
similarity index 100%
rename from docs/solutions/cis/win-10/scripts/windows-firewall.ps1
rename to docs/solutions/cis/win-10/scripts/win10-windows-firewall.ps1
diff --git a/docs/solutions/cis/win-10/scripts/windows-settings.ps1 b/docs/solutions/cis/win-10/scripts/win10-windows-settings.ps1
similarity index 100%
rename from docs/solutions/cis/win-10/scripts/windows-settings.ps1
rename to docs/solutions/cis/win-10/scripts/win10-windows-settings.ps1
diff --git a/docs/solutions/cis/win-11-intune/configuration-profiles/audit-policies.xml b/docs/solutions/cis/win-11-intune/configuration-profiles/win11-intune-audit-policies.xml
similarity index 100%
rename from docs/solutions/cis/win-11-intune/configuration-profiles/audit-policies.xml
rename to docs/solutions/cis/win-11-intune/configuration-profiles/win11-intune-audit-policies.xml
diff --git a/docs/solutions/cis/win-11-intune/configuration-profiles/firewall.xml b/docs/solutions/cis/win-11-intune/configuration-profiles/win11-intune-firewall.xml
similarity index 100%
rename from docs/solutions/cis/win-11-intune/configuration-profiles/firewall.xml
rename to docs/solutions/cis/win-11-intune/configuration-profiles/win11-intune-firewall.xml
diff --git a/docs/solutions/cis/win-11-intune/configuration-profiles/local-security-options.xml b/docs/solutions/cis/win-11-intune/configuration-profiles/win11-intune-local-security-options.xml
similarity index 100%
rename from docs/solutions/cis/win-11-intune/configuration-profiles/local-security-options.xml
rename to docs/solutions/cis/win-11-intune/configuration-profiles/win11-intune-local-security-options.xml
diff --git a/docs/solutions/cis/win-11-intune/configuration-profiles/user-rights-assignment.xml b/docs/solutions/cis/win-11-intune/configuration-profiles/win11-intune-user-rights-assignment.xml
similarity index 100%
rename from docs/solutions/cis/win-11-intune/configuration-profiles/user-rights-assignment.xml
rename to docs/solutions/cis/win-11-intune/configuration-profiles/win11-intune-user-rights-assignment.xml
diff --git a/docs/solutions/cis/win-11-intune/configuration-profiles/windows-defender.xml b/docs/solutions/cis/win-11-intune/configuration-profiles/win11-intune-windows-defender.xml
similarity index 100%
rename from docs/solutions/cis/win-11-intune/configuration-profiles/windows-defender.xml
rename to docs/solutions/cis/win-11-intune/configuration-profiles/win11-intune-windows-defender.xml
diff --git a/docs/solutions/cis/win-11-intune/policies/bl_win11_intune.yml b/docs/solutions/cis/win-11-intune/policies/bl_win11_intune.yml
index d30bc42690..e68cd09d6d 100644
--- a/docs/solutions/cis/win-11-intune/policies/bl_win11_intune.yml
+++ b/docs/solutions/cis/win-11-intune/policies/bl_win11_intune.yml
@@ -2,7 +2,7 @@
# They are preserved for reference and for use by other tooling.
# Affected fields: purpose, tags, contributors, platforms
-- name: CIS - Ensure 'Device Enumeration Policy' is set to 'Block all (most restrictive)'
+- name: "[Win 11 Intune BL] CIS - Ensure 'Device Enumeration Policy' is set to 'Block all (most restrictive)'"
platform: windows
description: 'This policy is intended to provide additional security against external DMA-capable devices. It allows for more control over the enumeration of external DMA-capable devices that are not compatible with DMA Remapping/device memory isolation and sandboxing. The recommended state for this setting is: Block all (most restrictive). Note: This policy does not apply to 1394, PCMCIA or ExpressCard devices. The protection also only applies to Windows 10 R1803 or higher and requires a UEFI BIOS to function.'
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Block all (most restrictive). Dma Guard\Device Enumeration Policy
@@ -10,7 +10,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:dma-guard, requirement:standard, critical:false, control:device-enumeration-policy-is-block-all, cis_safeguard_ids:CIS28.1
# purpose: Enforcement
-- name: CIS - Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'
+- name: "[Win 11 Intune BL] CIS - Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'"
platform: windows
description: 'This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. The recommended state for this setting is: Enabled.'
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of devices using drivers that match these device setup classes
@@ -18,7 +18,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:device-installation, requirement:standard, critical:false, control:prevent-installation-of-devices-using-drivers-that-match-device-setup-classes-is-enabled, cis_safeguard_ids:CIS4.10.9.1.1
# purpose: Enforcement
-- name: 'CIS - Ensure ''Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.'' is set to ''True'' (checked)'
+- name: "[Win 11 Intune BL] CIS - Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)"
platform: windows
description: 'This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. The recommended state for this setting is: True (checked).'
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled, and check the Also apply to matching devices that are already installed. button. Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of devices using drivers that match these device setup classes
@@ -26,7 +26,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:device-installation, requirement:standard, critical:false, control:prevent-installation-of-devices-also-apply-to-matching-devices-already-installed-is-true, cis_safeguard_ids:CIS4.10.9.1.2
# purpose: Enforcement
-- name: CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'
+- name: "[Win 11 Intune BL] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'"
platform: windows
description: 'This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The recommended state for this setting is: Enabled.'
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Choose how BitLocker-protected fixed drives can be recovered
@@ -34,7 +34,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:choose-how-bitlocker-protected-fixed-drives-can-be-recovered-is-enabled, cis_safeguard_ids:CIS4.11.7.1.1
# purpose: Enforcement
-- name: 'CIS - Ensure ''Choose how BitLocker-protected fixed drives can be recovered: Recovery Key'' is set to ''Enabled: Allow 256-bit recovery key'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key'"
platform: windows
description: 'This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. The recommended state for this setting is: Enabled: Allow 256-bit recovery key.'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: Allow 256-bit recovery key. Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Choose how BitLocker-protected fixed drives can be recovered: Recovery Key'
@@ -42,7 +42,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:choose-how-bitlocker-protected-fixed-drives-recovery-key-is-allow-256-bit, cis_safeguard_ids:CIS4.11.7.1.2
# purpose: Enforcement
-- name: 'CIS - Ensure ''Choose how BitLocker-protected fixed drives can be recovered: Recovery Password'' is set to ''Enabled: Allow 48-digit recovery password'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password'"
platform: windows
description: 'This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. The recommended state for this setting is: Enabled: Allow 48-digit recovery password.'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: Allow 48-digit recovery password. Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Choose how BitLocker-protected fixed drives can be recovered: Recovery Password'
@@ -50,7 +50,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:choose-how-bitlocker-protected-fixed-drives-recovery-password-is-allow-48-digit, cis_safeguard_ids:CIS4.11.7.1.3
# purpose: Enforcement
-- name: 'CIS - Ensure ''Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent'' is set to ''Enabled: True'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'"
platform: windows
description: 'This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The "Allow data recovery agent" check box is used to specify whether a Data Recovery Agent can be used with BitLocker-protected fixed data drives. Before a Data Recovery Agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. The recommended state for this setting is: Enabled: True.'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: True. Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent'
@@ -58,7 +58,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:choose-how-bitlocker-protected-fixed-drives-allow-data-recovery-agent-is-true, cis_safeguard_ids:CIS4.11.7.1.4
# purpose: Enforcement
-- name: 'CIS - Ensure ''Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS'' is set to ''Enabled: Backup recovery passwords and key packages'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'"
platform: windows
description: 'This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. In "Save BitLocker recovery information to Active Directory Domain Services" choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. The recommended state for this setting is: Enabled: Backup recovery passwords and key packages.'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: Backup recovery passwords and key packages. Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS:'
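Review bot: The new `name` ends the setting label at `... recovery information to AD DS'`, while the `resolution` path in the same entry ends it with a trailing colon (`... to AD DS:`). The operating-system-drive counterpart in the hunk at -122 keeps the colon in its name. Since the line is being rewritten anyway, pick one form so that a search for the Settings Catalog label finds both entries, e.g. `... Configure storage of BitLocker recovery information to AD DS:' is set to ...` if the colon is part of the real label.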
@@ -66,7 +66,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:choose-how-bitlocker-protected-fixed-drives-configure-storage-to-ad-ds-is-backup-passwords-and-key-packages, cis_safeguard_ids:CIS4.11.7.1.5
# purpose: Enforcement
-- name: 'CIS - Ensure ''Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives'' is set to ''Enabled: False'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'"
platform: windows
description: 'This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. Select the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. The recommended state for this setting is: Enabled: False.'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: False. Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives'
@@ -74,7 +74,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:choose-how-bitlocker-protected-fixed-drives-do-not-enable-until-recovery-stored-to-ad-ds-is-false, cis_safeguard_ids:CIS4.11.7.1.6
# purpose: Enforcement
-- name: 'CIS - Ensure ''Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard'' is set to ''Enabled: True'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'"
platform: windows
description: 'This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they enable BitLocker on a drive. The recommended state for this setting is: Enabled: True.'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: True. Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard'
@@ -82,7 +82,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:choose-how-bitlocker-protected-fixed-drives-omit-recovery-options-from-wizard-is-true, cis_safeguard_ids:CIS4.11.7.1.7
# purpose: Enforcement
-- name: 'CIS - Ensure ''Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives'' is set to ''Enabled: False'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'"
platform: windows
description: 'This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. In "Save BitLocker recovery information to Active Directory Domain Services" choose which BitLocker recovery information to store in AD DS for fixed data drives. The recommended state for this setting is: Enabled: False.'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: False. Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives'
@@ -90,7 +90,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:choose-how-bitlocker-protected-fixed-drives-save-recovery-info-to-ad-ds-is-false, cis_safeguard_ids:CIS4.11.7.1.8
# purpose: Enforcement
-- name: CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'
+- name: "[Win 11 Intune BL] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'"
platform: windows
description: 'This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. The recommended state for this setting is: Enabled.'
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Choose how BitLocker-protected operating system drives can be recovered
@@ -98,7 +98,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:choose-how-bitlocker-protected-os-drives-can-be-recovered-is-enabled, cis_safeguard_ids:CIS4.11.7.2.1
# purpose: Enforcement
-- name: 'CIS - Ensure ''Choose how BitLocker-protected operating system drives can be recovered: Recovery Key'' is set to ''Enabled: Do not allow 256-bit recovery key'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'"
platform: windows
description: 'This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. The recommended state for this setting is: Enabled: Do not allow 256-bit recovery key.'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: Do not allow 256-bit recovery key. Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Choose how BitLocker-protected operating system drives can be recovered: Recovery Key'
@@ -106,7 +106,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:choose-how-bitlocker-protected-os-drives-recovery-key-is-do-not-allow-256-bit, cis_safeguard_ids:CIS4.11.7.2.2
# purpose: Enforcement
-- name: 'CIS - Ensure ''Choose how BitLocker-protected operating system drives can be recovered: Recovery Password'' is set to ''Enabled: Require 48-digit recovery password'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password'"
platform: windows
description: 'This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. The recommended state for this setting is: Enabled: Require 48-digit recovery password.'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: Require 48-digit recovery password. Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Choose how BitLocker-protected operating system drives can be recovered: Recovery Password'
@@ -114,7 +114,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:choose-how-bitlocker-protected-os-drives-recovery-password-is-require-48-digit, cis_safeguard_ids:CIS4.11.7.2.3
# purpose: Enforcement
-- name: 'CIS - Ensure ''Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent'' is set to ''Enabled: False'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'"
platform: windows
description: 'This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. The "Allow certificate-based data recovery agent" check box is used to specify whether a Data Recovery Agent can be used with BitLocker-protected operating system drives. The recommended state for this setting is: Enabled: False.'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: False. Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent'
@@ -122,7 +122,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:choose-how-bitlocker-protected-os-drives-allow-data-recovery-agent-is-false, cis_safeguard_ids:CIS4.11.7.2.4
# purpose: Enforcement
-- name: 'CIS - Ensure ''Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:'' is set to ''Enabled: Store recovery passwords and key packages'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages'"
platform: windows
description: 'This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. In "Save BitLocker recovery information to Active Directory Domain Services", choose which BitLocker recovery information to store in AD DS for operating system drives. The recommended state for this setting is: Enabled: Store recovery passwords and key packages.'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: Store recovery passwords and key packages. Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:'
@@ -130,7 +130,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:choose-how-bitlocker-protected-os-drives-configure-storage-to-ad-ds-is-store-passwords-and-key-packages, cis_safeguard_ids:CIS4.11.7.2.5
# purpose: Enforcement
-- name: 'CIS - Ensure ''Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives'' is set to ''Enabled: True'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'"
platform: windows
description: 'This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. Select the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. The recommended state for this setting is: Enabled: True.'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: True. Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives'
@@ -138,7 +138,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:choose-how-bitlocker-protected-os-drives-do-not-enable-until-recovery-stored-to-ad-ds-is-true, cis_safeguard_ids:CIS4.11.7.2.6
# purpose: Enforcement
-- name: 'CIS - Ensure ''Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard'' is set to ''Enabled: True'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'"
platform: windows
description: 'This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they enable BitLocker on a drive. The recommended state for this setting is: Enabled: True.'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: True. Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard'
@@ -146,7 +146,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:choose-how-bitlocker-protected-os-drives-omit-recovery-options-from-wizard-is-true, cis_safeguard_ids:CIS4.11.7.2.7
# purpose: Enforcement
-- name: 'CIS - Ensure ''Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives'' is set to ''Enabled: True'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'"
platform: windows
description: 'This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. In "Save BitLocker recovery information to Active Directory Domain Services", choose which BitLocker recovery information to store in AD DS for operating system drives. The recommended state for this setting is: Enabled: True.'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: True. Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives'
@@ -154,7 +154,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:choose-how-bitlocker-protected-os-drives-save-recovery-info-to-ad-ds-is-true, cis_safeguard_ids:CIS4.11.7.2.8
# purpose: Enforcement
-- name: 'CIS - Ensure ''Require additional authentication at startup: Configure TPM startup key and PIN:'' is set to ''Enabled: Do not allow startup key and PIN with TPM'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM'"
platform: windows
description: 'This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts. This policy setting is applied when you turn on BitLocker. Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs. The recommended state for this setting is: Enabled: Do not allow startup key and PIN with TPM.'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: Do not allow startup key and PIN with TPM. Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup: Configure TPM startup key and PIN:'
@@ -162,7 +162,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:require-additional-authentication-configure-tpm-startup-key-and-pin-is-do-not-allow, cis_safeguard_ids:CIS4.11.7.2.10
# purpose: Enforcement
-- name: 'CIS - Ensure ''Require additional authentication at startup: Configure TPM startup key:'' is set to ''Enabled: Do not allow startup key with TPM'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM'"
platform: windows
description: 'This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts. This policy setting is applied when you turn on BitLocker. Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs. The recommended state for this setting is: Enabled: Do not allow startup key with TPM.'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: Do not allow startup key with TPM. Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup: Configure TPM startup key:'
@@ -170,7 +170,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:require-additional-authentication-configure-tpm-startup-key-is-do-not-allow, cis_safeguard_ids:CIS4.11.7.2.11
# purpose: Enforcement
-- name: 'CIS - Ensure ''Require additional authentication at startup: Configure TPM startup PIN:'' is set to ''Enabled: Require startup PIN with TPM'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM'"
platform: windows
description: 'This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts. This policy setting is applied when you turn on BitLocker. Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs. The recommended state for this setting is: Enabled: Require startup PIN with TPM. Warning: If silent encryption is desired, this setting must be configured to Do not allow startup PIN with TPM and an exception to this recommendation will be needed.'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: Require startup PIN with TPM. Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup: Configure TPM startup PIN:'
@@ -178,7 +178,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:require-additional-authentication-configure-tpm-startup-pin-is-require, cis_safeguard_ids:CIS4.11.7.2.12
# purpose: Enforcement
-- name: 'CIS - Ensure ''Require additional authentication at startup: Configure TPM startup:'' is set to ''Enabled: Do not allow TPM'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Require additional authentication at startup: Configure TPM startup:' is set to 'Enabled: Do not allow TPM'"
platform: windows
description: 'This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts. This policy setting is applied when you turn on BitLocker. Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs. The recommended state for this setting is: Enabled: Do not allow TPM. Warning: If silent encryption is desired, this setting must be configured to Require TPM and an exception to this recommendation will be needed.'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: Do not allow TPM. Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup: Configure TPM startup:'
@@ -186,7 +186,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:require-additional-authentication-configure-tpm-startup-is-do-not-allow-tpm, cis_safeguard_ids:CIS4.11.7.2.13
# purpose: Enforcement
-- name: 'CIS - Ensure ''Enforce drive encryption type on operating system drives: Select the encryption type: (device)'' is set to ''Enabled: Used Space Only encryption'' or ''Enabled: Full encryption'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Enforce drive encryption type on operating system drives: Select the encryption type: (device)' is set to 'Enabled: Used Space Only encryption' or 'Enabled: Full encryption'"
platform: windows
description: 'This policy setting configures the encryption type (space only and whole) used by BitLocker Drive Encryption. The recommended state for this setting is: Enabled: Used Space Only encryption or Enabled: Full encryption. Note: Changing the encryption type does not affect drives that are already encrypted or if encryption is in progress.'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Used Space Only Encryption or Full encryption Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Enforce drive encryption type on operating system drives: Select the encryption type: (Device)'
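Review bot: The rewritten `name` spells the setting suffix `(device)`, but the `resolution` path two lines below spells it `(Device)`. The name should copy the label exactly, `... Select the encryption type: (Device)' is set to ...`, so an administrator can match it against the Settings Catalog. The `resolution` text also drops the `Enabled:` prefix the name uses and runs the value into the path with no full stop. It would read better as `... to Enabled: Used Space Only encryption or Enabled: Full encryption. Administrative Templates\...`.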
@@ -194,7 +194,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:enforce-drive-encryption-type-on-os-drives-is-used-space-only-or-full, cis_safeguard_ids:CIS4.11.7.2.14
# purpose: Enforcement
-- name: CIS - Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'
+- name: "[Win 11 Intune BL] CIS - Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'"
platform: windows
description: 'This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. All removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. The recommended state for this setting is: Enabled.'
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Deny write access to removable drives not protected by BitLocker
@@ -202,7 +202,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:deny-write-access-to-removable-drives-not-protected-by-bitlocker-is-enabled, cis_safeguard_ids:CIS4.11.7.3.1
# purpose: Enforcement
-- name: 'CIS - Ensure ''Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization'' is set to ''Enabled: False'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'"
platform: windows
description: 'This policy setting configures whether the computer will be able to write data to BitLocker-protected removable drives that were configured in another organization. The recommended state for this setting is: Enabled: False.'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: False. Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization'
@@ -210,7 +210,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:deny-write-access-to-removable-drives-do-not-allow-write-access-to-devices-in-another-org-is-false, cis_safeguard_ids:CIS4.11.7.3.2
# purpose: Enforcement
-- name: 'CIS - Ensure ''Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Select the encryption method for fixed data drives'' is set to ''XTS-AES 128-bit (default)'' or ''XTS-AES 256-bit'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Select the encryption method for fixed data drives' is set to 'XTS-AES 128-bit (default)' or 'XTS-AES 256-bit'"
platform: windows
description: 'This policy setting determines which encryption method should be used for fixed data drives. The recommended state for this setting is: XTS-AES 128-bit (default) or XTS-AES 256-bit'
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to XTS-AES 128-bit (default) or XTS-AES 256-bit. Administrative Templates\Windows Components\BitLocker Drive Encryption\Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)\Select the encryption method for fixed data drives
@@ -218,7 +218,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:choose-drive-encryption-method-fixed-data-drives-is-xts-aes-128-or-256, cis_safeguard_ids:CIS4.11.7.4
# purpose: Enforcement
-- name: 'CIS - Ensure ''Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Select the encryption method for operating system drives'' is set to ''XTS-AES 128-bit (default)'' or ''XTS-AES 256-bit'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Select the encryption method for operating system drives' is set to 'XTS-AES 128-bit (default)' or 'XTS-AES 256-bit'"
platform: windows
description: 'This policy setting determines which encryption method should be used for operating system drives. The recommended state for this setting is: XTS-AES 128-bit (default) or XTS-AES 256-bit'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to XTS-AES 128-bit (default) or XTS-AES 256-bit. Administrative Templates\Windows Components\BitLocker Drive Encryption\Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)\Select the encryption method for operating system drives:'
@@ -226,7 +226,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:choose-drive-encryption-method-os-drives-is-xts-aes-128-or-256, cis_safeguard_ids:CIS4.11.7.5
# purpose: Enforcement
-- name: 'CIS - Ensure ''Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Select the encryption method for removable data drives'' is set to ''XTS-AES 128-bit'' or higher'
+- name: "[Win 11 Intune BL] CIS - Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Select the encryption method for removable data drives' is set to 'XTS-AES 128-bit' or higher"
platform: windows
description: 'This policy setting determines which encryption method should be used for operating system drives. The recommended state for this setting is: XTS-AES 128-bit or (higher)'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to: XTS-AES 128-bit or XTS-AES 256-bit. Administrative Templates\Windows Components\BitLocker Drive Encryption\Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)\Select the encryption method for removable data drives'
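Review bot: The `description` of the renamed removable-data-drives policy still says "operating system drives", apparently copied from the entry above, while its `name` and `resolution` both refer to removable data drives. Since this hunk already touches the entry, the description could be corrected to `This policy setting determines which encryption method should be used for removable data drives.` The recommended state is also written three ways ("'XTS-AES 128-bit' or higher", "XTS-AES 128-bit or (higher)", "XTS-AES 128-bit or XTS-AES 256-bit"). One wording would make it clear which values an auditor should accept. The entry continues past the end of the hunk, so any query it has is not visible here.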
@@ -234,7 +234,7 @@
# tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:bitlocker, requirement:standard, critical:false, control:choose-drive-encryption-method-removable-data-drives-is-xts-aes-128-or-higher, cis_safeguard_ids:CIS4.11.7.6
# purpose: Enforcement
-- name: 'CIS - Ensure ''Allow Warning For Other Disk Encryption: Allow Standard User Encryption'' is set to ''Enabled'''
+- name: "[Win 11 Intune BL] CIS - Ensure 'Allow Warning For Other Disk Encryption: Allow Standard User Encryption' is set to 'Enabled'"
platform: windows
description: 'This setting allows Admins to enforce "Require Device Encryption" policy for scenarios where policy is pushed while current logged-on user is non-admin/standard user. This policy is tied to "Allow Warning For Other Disk Encryption" policy being set to "0", i.e, Silent encryption is enforced. If "Allow Warning For Other Disk Encryption" isn''t set, or is set to "1", "Require Device Encryption" policy won''t try to encrypt drive(s) if a standard user is the current logged-on user in the system. The recommended state for this setting is: Enabled.'
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: Bitlocker\Allow Standard User Encryption'
@@ -243,7 +243,7 @@
# purpose: Enforcement
- platform: windows
- name: CIS - Ensure 'Require additional authentication at startup' is set to 'Enabled'
+ name: "[Win 11 Intune BL] CIS - Ensure 'Require additional authentication at startup' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\%\default\Device\BitLocker\SystemDrivesRequireStartupAuthentication' AND data LIKE '%%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:prevent-enabling-lock-screen-slide-show-is-enabled, cis_safeguard_ids:CIS4.1.3.2
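Review bot: The `query` under the renamed 'Require additional authentication at startup' policy ends in `AND data LIKE '%%'`, which as shown matches any value, so the check passes whenever the registry entry exists, whatever it is set to. If that is what the file really holds (markup between the percent signs may have been lost in this rendering), tie the pattern to the expected state. The 'Do not display the password reveal button' check does this with `LIKE '%enabled%'`. The same `mdm_command_output LIKE '%%'` appears in later hunks: Network Bridge, Encryption Oracle Remediation, delegation of nonexportable credentials, print drivers over HTTP, network selection UI, picture password, convenience PIN and security questions. In the wake-on-battery and Autoplay queries it is a redundant first condition. A compliance policy that cannot fail reports a host as hardened even when the setting is disabled, which matters most for the entries whose recommended state is 'Disabled'.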
@@ -55,7 +55,7 @@
screen slide show'
- platform: windows
- name: CIS - Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:apply-uac-restrictions-to-local-accounts-on-network-logons-is-enabled, cis_safeguard_ids:CIS4.4.1
@@ -103,7 +103,7 @@
accounts on network logons'
- platform: windows
- name: 'CIS - Ensure ''Configure SMB v1 client driver'' is set to ''Enabled: Disable driver (recommended)'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10\Start' AND data = '4';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:configure-smb-v1-client-driver-is-enabled-disable-driver-recommended, cis_safeguard_ids:CIS4.4.2
@@ -127,7 +127,7 @@
Administrative Templates\MS Security Guide\Configure SMB v1 client driver'
- platform: windows
- name: CIS - Ensure 'Configure SMB v1 server' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Configure SMB v1 server' is set to 'Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:configure-smb-v1-server-is-disabled, cis_safeguard_ids:CIS4.4.3
@@ -143,7 +143,7 @@
Administrative Templates\MS Security Guide\Configure SMB v1 server'
- platform: windows
- name: CIS - Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\DisableExceptionChainValidation' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-structured-exception-handling-overwrite-protection-sehop-is-enabled, cis_safeguard_ids:CIS4.4.4
@@ -168,7 +168,7 @@
Handling Overwrite Protection (SEHOP) in Windows operating systems'
- platform: windows
- name: CIS - Ensure 'WDigest Authentication' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'WDigest Authentication' is set to 'Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:wdigest-authentication-is-disabled, cis_safeguard_ids:CIS4.4.5
@@ -200,7 +200,7 @@
may require KB2871997)'
- platform: windows
- name: 'CIS - Ensure ''MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)'' is set to ''Disabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'"
query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon' AND data = '1');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:mss-autoadminlogon-enable-automatic-logon-not-recommended-is-disabled, cis_safeguard_ids:CIS4.5.1
@@ -232,7 +232,7 @@
Logon (not recommended)'
- platform: windows
- name: 'CIS - Ensure ''MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)'' is set to ''Enabled: Highest protection, source routing is completely disabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting' AND data = '2';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:mss-disableipsourcerouting-ipv6-ip-source-routing-protection-level-protects-against-packet-spoofing-is-enabled-highest-p, cis_safeguard_ids:CIS4.5.2
@@ -254,7 +254,7 @@
source routing protection level (protects against packet spoofing)'
- platform: windows
- name: 'CIS - Ensure ''MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)'' is set to ''Enabled: Highest protection, source routing is completely disabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting' AND data = '2';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:mss-disableipsourcerouting-ip-source-routing-protection-level-protects-against-packet-spoofing-is-enabled-highest-protec, cis_safeguard_ids:CIS4.5.3
@@ -280,7 +280,7 @@
routing protection level (protects against packet spoofing)'
- platform: windows
- name: 'CIS - Ensure ''MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes'' is set to ''Disabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:mss-enableicmpredirect-allow-icmp-redirects-to-override-ospf-generated-routes-is-disabled, cis_safeguard_ids:CIS4.5.5
@@ -298,7 +298,7 @@
redirects to override OSPF generated routes'
- platform: windows
- name: 'CIS - Ensure ''MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers'' is set to ''Enabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\NoNameReleaseOnDemand' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:mss-nonamereleaseondemand-allow-the-computer-to-ignore-netbios-name-release-requests-except-from-wins-servers-is-enabled, cis_safeguard_ids:CIS4.5.7
@@ -320,7 +320,7 @@
computer to ignore NetBIOS name release requests except from WINS servers'
- platform: windows
- name: 'CIS - Ensure ''MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)'' is set to ''Enabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:mss-safedllsearchmode-enable-safe-dll-search-mode-recommended-is-enabled, cis_safeguard_ids:CIS4.5.9
@@ -372,7 +372,7 @@
DLL search mode (recommended)'
- platform: windows
- name: 'CIS - Ensure ''MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)'' is set to ''Enabled: 5 or fewer seconds'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod' AND CAST(data AS INTEGER) <= 5;
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:mss-screensavergraceperiod-the-time-in-seconds-before-the-screen-saver-grace-period-expires-0-recommended-is-enabled-5-o, cis_safeguard_ids:CIS4.5.10
@@ -390,7 +390,7 @@
in seconds before the screen saver grace period expires (0 recommended)'
- platform: windows
- name: 'CIS - Ensure ''MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning'' is set to ''Enabled: 90% or less'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel' AND CAST(data AS INTEGER) <= 90;
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:mss-warninglevel-percentage-threshold-for-the-security-event-log-at-which-the-system-will-generate-a-warning-is-enabled-, cis_safeguard_ids:CIS4.5.13
@@ -414,7 +414,7 @@
warning'
- platform: windows
- name: CIS - Ensure 'Turn off multicast name resolution' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Turn off multicast name resolution' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:turn-off-multicast-name-resolution-is-enabled, cis_safeguard_ids:CIS4.6.4.1
@@ -440,7 +440,7 @@
resolution'
- platform: windows
- name: CIS - Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge
' AND mdm_command_output LIKE '%%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:printing, requirement:standard, critical:false, control:limits-print-driver-installation-to-administrators-is-enabled, cis_safeguard_ids:CIS4.7.8
@@ -736,7 +736,7 @@
Administrators'
- platform: windows
- name: 'CIS - Ensure ''Manage processing of Queue-specific files: Manage processing of Queue-Specific files'' is set to ''Enabled: Limit Queue-specific files to Color profiles'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Manage processing of Queue-specific files: Manage processing of Queue-Specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'"
query: SELECT 1 WHERE EXISTS (SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ADMX_Printing/ManageProcessingOfQueueSpecificFiles
' AND mdm_command_output LIKE '%%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:include-command-line-in-process-creation-events-is-enabled, cis_safeguard_ids:CIS4.10.4.1
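Review bot: The `query` for 'Manage processing of Queue-specific files' opens a subquery with `SELECT 1 WHERE EXISTS (SELECT 1 FROM mdm_bridge …` but, as shown, reaches the `;` without a closing parenthesis. A query that does not parse leaves the control unevaluated rather than failing it, so the statement should end `… LIKE '%%');`. The pattern also never checks for the 'Limit Queue-specific files to Color profiles' value named in the policy title. Matching on the value, as the Boot-Start Driver check does with `LIKE '%value="3"%'`, would close that gap, using whatever value the CSP reports for the color-profiles option. The rename itself is fine.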
@@ -870,7 +870,7 @@
in process creation events'
- platform: windows
- name: 'CIS - Ensure ''Encryption Oracle Remediation'' is set to ''Enabled: Force Updated Clients'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ADMX_CredSsp/AllowEncryptionOracle
' AND mdm_command_output LIKE '%%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:encryption-oracle-remediation-is-enabled-force-updated-clients, cis_safeguard_ids:CIS4.10.5.1
@@ -892,7 +892,7 @@
Remediation'
- platform: windows
- name: CIS - Ensure 'Remote host allows delegation of nonexportable credentials' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Remote host allows delegation of nonexportable credentials' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials
' AND mdm_command_output LIKE '%%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.10.5.2
@@ -924,7 +924,7 @@
delegation of non-exportable credentials'
- platform: windows
- name: CIS - Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata\PreventDeviceMetadataFromNetwork' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:prevent-device-metadata-retrieval-from-the-internet-is-enabled, cis_safeguard_ids:CIS4.10.9.2
@@ -948,7 +948,7 @@
retrieval from the Internet'
- platform: windows
- name: 'CIS - Ensure ''Boot-Start Driver Initialization Policy'' is set to ''Enabled: Good, unknown and bad but critical'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/System/BootStartDriverInitialization
' AND mdm_command_output LIKE '%value="3"%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:boot-start-driver-initialization-policy-is-enabled-good-unknown-and-bad-but-critical, cis_safeguard_ids:CIS4.10.13.1
@@ -1006,7 +1006,7 @@
Initialization Policy'
- platform: windows
- name: CIS - Ensure 'Continue experiences on this device' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Continue experiences on this device' is set to 'Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\EnableCdp' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:continue-experiences-on-this-device-is-disabled, cis_safeguard_ids:CIS4.10.19.1
@@ -1024,7 +1024,7 @@
device'
- platform: windows
- name: CIS - Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'"
query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableBkGndGroupPolicy' AND data = '1');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:turn-off-background-refresh-of-group-policy-is-disabled, cis_safeguard_ids:CIS4.10.19.2
@@ -1044,7 +1044,7 @@
Group'
- platform: windows
- name: CIS - Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Connectivity/DisableDownloadingOfPrintDriversOverHTTP
' AND mdm_command_output LIKE '%%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:block-user-from-showing-account-details-on-sign-in-is-enabled, cis_safeguard_ids:CIS4.10.26.1
@@ -1102,7 +1102,7 @@
on sign-in'
- platform: windows
- name: CIS - Ensure 'Do not display network selection UI' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Do not display network selection UI' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/WindowsLogon/DontDisplayNetworkSelectionUI
' AND mdm_command_output LIKE '%%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:do-not-display-network-selection-ui-is-enabled, cis_safeguard_ids:CIS4.10.26.2
@@ -1118,7 +1118,7 @@
Administrative Templates\System\Logon\Do not display network selection UI'
- platform: windows
- name: CIS - Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\DontEnumerateConnectedUsers' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:do-not-enumerate-connected-users-on-domain-joined-computers-is-enabled, cis_safeguard_ids:CIS4.10.26.3
@@ -1136,7 +1136,7 @@
domain-joined computers'
- platform: windows
- name: CIS - Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\EnumerateLocalUsers' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enumerate-local-users-on-domain-joined-computers-is-disabled, cis_safeguard_ids:CIS4.10.26.4
@@ -1152,7 +1152,7 @@
computers'
- platform: windows
- name: CIS - Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/AboveLock/AllowToasts
' AND mdm_command_output = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:turn-off-app-notifications-on-the-lock-screen-is-enabled, cis_safeguard_ids:CIS4.10.26.5
@@ -1174,7 +1174,7 @@
screen'
- platform: windows
- name: CIS - Ensure 'Turn off picture password sign-in' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Turn off picture password sign-in' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/CredentialProviders/BlockPicturePassword
' AND mdm_command_output LIKE '%%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:turn-off-picture-password-sign-in-is-enabled, cis_safeguard_ids:CIS4.10.26.6
@@ -1194,7 +1194,7 @@
Administrative Templates\System\Logon\Turn off picture password sign-in'
- platform: windows
- name: CIS - Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/CredentialProviders/AllowPINLogon
' AND mdm_command_output LIKE '%%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:turn-on-convenience-pin-sign-in-is-disabled, cis_safeguard_ids:CIS4.10.26.7
@@ -1212,7 +1212,7 @@
Administrative Templates\System\Logon\Turn on convenience PIN sign-in'
- platform: windows
- name: CIS - Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Power/RequirePasswordWhenComputerWakesOnBattery
' AND mdm_command_output LIKE '%%' AND mdm_command_output LIKE '%value="1"%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:set-the-default-behavior-for-autorun-is-enabled-do-not-execute-any-autorun-commands, cis_safeguard_ids:CIS4.11.6.2
@@ -1528,7 +1528,7 @@
behavior for AutoRun'
- platform: windows
- name: 'CIS - Ensure ''Turn off Autoplay'' is set to ''Enabled: All drives'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Autoplay/TurnOffAutoPlay
' AND mdm_command_output LIKE '%%' AND mdm_command_output LIKE '%value="255"%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:turn-off-autoplay-is-enabled-all-drives, cis_safeguard_ids:CIS4.11.6.3
@@ -1556,7 +1556,7 @@
Autoplay'
- platform: windows
- name: CIS - Ensure 'Do not display the password reveal button' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Do not display the password reveal button' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/CredentialsUI/DisablePasswordReveal
' AND mdm_command_output LIKE '%enabled%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:do-not-display-the-password-reveal-button-is-enabled, cis_safeguard_ids:CIS4.11.8.1
@@ -1574,7 +1574,7 @@
display the password reveal button'
- platform: windows
- name: CIS - Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/CredentialsUI/EnumerateAdministrators
' AND mdm_command_output LIKE '%disabled%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enumerate-administrator-accounts-on-elevation-is-disabled, cis_safeguard_ids:CIS4.11.8.2
@@ -1592,7 +1592,7 @@
Interface\Enumerate administrator accounts on elevation'
- platform: windows
- name: CIS - Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ADMX_CredUI/NoLocalPasswordResetQuestions
' AND mdm_command_output LIKE '%%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:prevent-the-use-of-security-questions-for-local-accounts-is-enabled, cis_safeguard_ids:CIS4.11.8.3
@@ -1612,7 +1612,7 @@
the use of security questions for local accounts'
- platform: windows
- name: CIS - Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller\EnableExperimentalFeatures' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-app-installer-experimental-features-is-disabled, cis_safeguard_ids:CIS4.11.10.1
@@ -1630,7 +1630,7 @@
Installer Experimental Features'
- platform: windows
- name: CIS - Ensure 'Enable App Installer Hash Override' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable App Installer Hash Override' is set to 'Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller\EnableHashOverride' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-app-installer-hash-override-is-disabled, cis_safeguard_ids:CIS4.11.10.2
@@ -1648,7 +1648,7 @@
Installer Hash Override'
- platform: windows
- name: CIS - Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller\EnableMSAppInstallerProtocol' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-app-installer-ms-appinstaller-protocol-is-disabled, cis_safeguard_ids:CIS4.11.10.3
@@ -1668,7 +1668,7 @@
Installer ms-appinstaller protocol'
- platform: windows
- name: CIS - Ensure Application 'Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure Application 'Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\Retention' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:control-event-log-behavior-when-the-log-file-reaches-its-maximum-size-is-disabled, cis_safeguard_ids:CIS4.11.15.1.1
@@ -1693,7 +1693,7 @@
'
- platform: windows
- name: CIS - Ensure Security 'Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure Security 'Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\Retention' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:control-event-log-behavior-when-the-log-file-reaches-its-maximum-size-is-disabled, cis_safeguard_ids:CIS4.11.15.2.1
@@ -1718,7 +1718,7 @@
'
- platform: windows
- name: CIS - Ensure Event Log Setup 'Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure Event Log Setup 'Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup\Retention' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:control-event-log-behavior-when-the-log-file-reaches-its-maximum-size-is-disabled, cis_safeguard_ids:CIS4.11.15.3.1
@@ -1743,7 +1743,7 @@
'
- platform: windows
- name: CIS - Ensure System 'Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure System 'Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System\Retention' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:control-event-log-behavior-when-the-log-file-reaches-its-maximum-size-is-disabled, cis_safeguard_ids:CIS4.11.15.4.1
@@ -1768,7 +1768,7 @@
'
- platform: windows
- name: CIS - Ensure Application 'Specify the maximum log file size (KB) is set to Enabled and 32,768 or greater'
+ name: "[Win 11 Intune L1] CIS - Ensure Application 'Specify the maximum log file size (KB) is set to Enabled and 32,768 or greater'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\MaxSize' AND CAST(data AS INTEGER) >= 32768;
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:specify-the-maximum-log-file-size-kb-is-enabled-32768-or-greater, cis_safeguard_ids:CIS4.11.15.1.2
@@ -1792,7 +1792,7 @@
Service\Application\Specify the maximum log file size (KB).'
- platform: windows
- name: CIS - Ensure Setup 'Specify the maximum log file size (KB) is set to Enabled and 32,768 or greater'
+ name: "[Win 11 Intune L1] CIS - Ensure Setup 'Specify the maximum log file size (KB) is set to Enabled and 32,768 or greater'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup\MaxSize' AND CAST(data AS INTEGER) >= 32768;
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:specify-the-maximum-log-file-size-kb-is-enabled-32768-or-greater, cis_safeguard_ids:CIS4.11.15.3.2
@@ -1816,7 +1816,7 @@
Service\Setup\Specify the maximum log file size (KB).'
- platform: windows
- name: CIS - Ensure System 'Specify the maximum log file size (KB) is set to Enabled and 32,768 or greater'
+ name: "[Win 11 Intune L1] CIS - Ensure System 'Specify the maximum log file size (KB) is set to Enabled and 32,768 or greater'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System\MaxSize' AND CAST(data AS INTEGER) >= 32768;
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:specify-the-maximum-log-file-size-kb-is-enabled-32768-or-greater, cis_safeguard_ids:CIS4.11.15.4.2
@@ -1840,7 +1840,7 @@
Service\System\Specify the maximum log file size (KB).'
- platform: windows
- name: 'CIS - Ensure ''Specify the maximum log file size (KB)'' is set to ''Enabled: 196,608 or greater'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\MaxSize' AND CAST(data AS INTEGER) >= 196608;
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:specify-the-maximum-log-file-size-kb-is-enabled-196608-or-greater, cis_safeguard_ids:CIS4.11.15.2.2
@@ -1860,7 +1860,7 @@
Service\Security\Specify the maximum log file size (KB)'
- platform: windows
- name: 'CIS - Ensure ''Configure Windows Defender SmartScreen'' is set to ''Enabled: Warn and prevent bypass'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:configure-windows-defender-smartscreen-is-enabled-warn-and-prevent-bypass, cis_safeguard_ids:CIS4.11.18.1
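Review bot: The policy name promises 'Enabled: Warn and prevent bypass', but the query only tests `EnableSmartScreen` = '1', so a host configured with the weaker warn-only level would still pass. The bypass level is held in a separate value under the same key, so the query should also require it, e.g. `AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\ShellSmartScreenLevel' AND data = 'Block')`. If the narrower check is deliberate, a comment above the query saying so would keep the name and the check from drifting apart.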
@@ -1882,7 +1882,7 @@
Defender SmartScreen'
- platform: windows
- name: CIS - Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'"
query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer\NoDataExecutionPrevention' AND data = '1');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:turn-off-data-execution-prevention-for-explorer-is-disabled, cis_safeguard_ids:CIS4.11.18.2
@@ -1904,7 +1904,7 @@
Execution Prevention for Explorer'
- platform: windows
- name: CIS - Ensure 'Turn off heap termination on corruption' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Turn off heap termination on corruption' is set to 'Disabled'"
query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableHeapTerminationOnCorruption' AND data = '1');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:turn-off-heap-termination-on-corruption-is-disabled, cis_safeguard_ids:CIS4.11.18.3
@@ -1924,7 +1924,7 @@
termination on corruption'
- platform: windows
- name: CIS - Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'"
query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer\PreXPSP2ShellProtocolBehavior' AND data = '1');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:turn-off-shell-protocol-protected-mode-is-disabled, cis_safeguard_ids:CIS4.11.18.4
@@ -1950,7 +1950,7 @@
protocol protected mode'
- platform: windows
- name: CIS - Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount\DisableUserAuth' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:accounts, requirement:standard, critical:false, control:block-all-consumer-microsoft-account-user-authentication-is-enabled, cis_safeguard_ids:CIS4.11.27.1
@@ -1970,7 +1970,7 @@
consumer Microsoft account user authentication'
- platform: windows
- name: CIS - Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\LocalSettingOverrideSpynetReporting' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:configure-local-setting-override-for-reporting-to-microsoft-maps-is-disabled, cis_safeguard_ids:CIS4.11.28.3.1
@@ -1994,7 +1994,7 @@
MAPS'
- platform: windows
- name: CIS - Ensure 'Prevent users from sharing files within their profile. (User)' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Prevent users from sharing files within their profile. (User)' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInplaceSharing' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:network, requirement:standard, critical:false, control:prevent-users-from-sharing-files-within-their-profile-user-is-enabled, cis_safeguard_ids:CIS4.11.31.1
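Review bot: The `path LIKE 'HKEY_USERS\%\...\NoInplaceSharing' AND data = '1'` query returns a row as soon as one user hive has the value set, so a multi-user host passes even if other accounts are unconfigured. It also presumably sees only hives that are loaded when the query runs. For a per-user control, the check should fail when any real user SID lacks the value, for instance by comparing the count of matching hives with the count of user hives, or by joining against the users table. At minimum, add a comment next to the query such as `# NOTE: passes if any loaded user hive has NoInplaceSharing=1; does not prove every user is covered`.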
@@ -2016,7 +2016,7 @@
from sharing files within their profile. (User)'
- platform: windows
- name: CIS - Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Do not allow passwords to be saved' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:remote, requirement:standard, critical:false, control:do-not-allow-passwords-to-be-saved-is-enabled, cis_safeguard_ids:CIS4.11.36.3.2
@@ -2040,7 +2040,7 @@
Desktop Connection Client\Do not allow passwords to be saved'
- platform: windows
- name: CIS - Ensure 'Do not allow drive redirection' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Do not allow drive redirection' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:do-not-allow-drive-redirection-is-enabled, cis_safeguard_ids:CIS4.11.36.4.3.2
@@ -2068,7 +2068,7 @@
redirection'
- platform: windows
- name: CIS - Ensure 'Always prompt for password upon connection' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Always prompt for password upon connection' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:always-prompt-for-password-upon-connection-is-enabled, cis_safeguard_ids:CIS4.11.36.4.9.1
@@ -2090,7 +2090,7 @@
Desktop Session Host\Security\Always prompt for password upon connection'
- platform: windows
- name: CIS - Ensure 'Require secure RPC communication' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Require secure RPC communication' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/RemoteDesktopServices/RequireSecureRPCCommunication
' AND mdm_command_output LIKE '%%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-mpr-notifications-for-the-system-is-disabled, cis_safeguard_ids:CIS4.11.50.1
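Review bot: The `# tags` line closing this hunk carries `control:enable-mpr-notifications-for-the-system-is-disabled` and `cis_safeguard_ids:CIS4.11.50.1`, while the policy above it is 'Require secure RPC communication' and queries RemoteDesktopServices/RequireSecureRPCCommunication. This looks like a copy-paste from the MPR notifications entry, although the page may be dropping lines between the two. The preceding Terminal Services policy is tagged CIS4.11.36.4.9.1, so this one presumably belongs in the same range. If the mismatch is real, the tags should read `control:require-secure-rpc-communication-is-enabled` with the matching safeguard id from the benchmark; otherwise anything that filters or reports on these tags will attribute this result to the wrong control.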
@@ -2258,7 +2258,7 @@
notifications for the system'
- platform: windows
- name: CIS - Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/WindowsLogon/AllowAutomaticRestartSignOn
' AND mdm_command_output LIKE '%%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:sign-in-and-lock-last-interactive-user-automatically-after-a-restart-is-disabled, cis_safeguard_ids:CIS4.11.50.2
@@ -2276,7 +2276,7 @@
lock last interactive user automatically after a restart'
- platform: windows
- name: CIS - Ensure Client 'Allow Basic authentication is set to Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure Client 'Allow Basic authentication is set to Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\AllowBasic' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-basic-authentication-is-disabled, cis_safeguard_ids:CIS4.11.55.1.1
@@ -2306,7 +2306,7 @@
(WinRM)\WinRM Client\Allow Basic authentication'
- platform: windows
- name: CIS - Ensure Service 'Allow Basic authentication is set to Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure Service 'Allow Basic authentication is set to Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowBasic' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-basic-authentication-is-disabled, cis_safeguard_ids:CIS4.11.55.2.1
@@ -2328,7 +2328,7 @@
(WinRM)\WinRM Service\Allow Basic authentication'
- platform: windows
- name: CIS - Ensure Client 'Allow unencrypted traffic' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure Client 'Allow unencrypted traffic' is set to 'Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-unencrypted-traffic-is-disabled, cis_safeguard_ids:CIS4.11.55.1.2
@@ -2351,7 +2351,7 @@
(WinRM)\WinRM Client\Allow unencrypted traffic'
- platform: windows
- name: CIS - Ensure Service 'Allow unencrypted traffic' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure Service 'Allow unencrypted traffic' is set to 'Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-unencrypted-traffic-is-disabled, cis_safeguard_ids:CIS4.11.55.2.3
@@ -2374,7 +2374,7 @@
(WinRM)\WinRM Service\Allow unencrypted traffic'
- platform: windows
- name: CIS - Ensure 'Disallow Digest authentication' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Disallow Digest authentication' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\AllowDigest' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:disallow-digest-authentication-is-enabled, cis_safeguard_ids:CIS4.11.55.1.3
@@ -2392,7 +2392,7 @@
(WinRM)\WinRM Client\Disallow Digest authentication'
- platform: windows
- name: CIS - Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:disallow-winrm-from-storing-runas-credentials-is-enabled, cis_safeguard_ids:CIS4.11.55.2.4
@@ -2414,7 +2414,7 @@
(WinRM)\WinRM Service\Disallow WinRM from storing RunAs credentials'
- platform: windows
- name: CIS - Ensure 'Account Logon Audit Credential Validation' is set to 'Success and Failure'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Account Logon Audit Credential Validation' is set to 'Success and Failure'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/AccountLogon_AuditCredentialValidation
' AND mdm_command_output = '3';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:account-logon-audit-credential-validation-is-success-and-failure, cis_safeguard_ids:CIS6.1
@@ -2462,7 +2462,7 @@
Auditing\Account Logon Audit Credential Validation'
- platform: windows
- name: CIS - Ensure 'Account Logon Logoff Audit Account Lockout' is set to include 'Failure'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Account Logon Logoff Audit Account Lockout' is set to include 'Failure'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/AccountLogonLogoff_AuditAccountLockout
' AND (mdm_command_output = '2' OR mdm_command_output = '3');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.2
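Review bot: The tags for this policy use `category:unknown` and have no `control:` entry, unlike the 'Success and Failure' audit policies around it, which carry `category:configuration` and a control slug. The same gap repeats in every later "set to include 'Success'/'Failure'" audit hunk, from Group Membership and Logoff through Detailed File Share. Since this commit is already normalising the names, it would be consistent to fill these in following the file's slug pattern, e.g. `category:configuration, ... control:account-logon-logoff-audit-account-lockout-includes-failure`. Without a control tag these audit-policy checks cannot be grouped or filtered alongside the rest of the benchmark.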
@@ -2484,7 +2484,7 @@
Auditing\Account Logon Logoff Audit Account Lockout'
- platform: windows
- name: CIS - Ensure 'Account Logon Logoff Audit Group Membership' is set to include 'Success'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Account Logon Logoff Audit Group Membership' is set to include 'Success'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/AccountLogonLogoff_AuditGroupMembership
' AND (mdm_command_output = '1' OR mdm_command_output = '3');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.3
@@ -2512,7 +2512,7 @@
Auditing\Account Logon Logoff Audit Group Membership'
- platform: windows
- name: CIS - Ensure 'Account Logon Logoff Audit Logoff' is set to include 'Success'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Account Logon Logoff Audit Logoff' is set to include 'Success'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/AccountLogonLogoff_AuditLogoff
' AND (mdm_command_output = '1' OR mdm_command_output = '3');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.4
@@ -2548,7 +2548,7 @@
Auditing\Account Logon Logoff Audit Logoff'
- platform: windows
- name: CIS - Ensure 'Account Logon Logoff Audit Logon' is set to 'Success and Failure'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Account Logon Logoff Audit Logon' is set to 'Success and Failure'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/AccountLogonLogoff_AuditLogon
' AND mdm_command_output = '3';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:account-logon-logoff-audit-logon-is-success-and-failure, cis_safeguard_ids:CIS6.5
@@ -2592,7 +2592,7 @@
Auditing\Account Logon Logoff Audit Logon'
- platform: windows
- name: CIS - Ensure 'Account Management Audit Application Group Management' is set to 'Success and Failure'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Account Management Audit Application Group Management' is set to 'Success and Failure'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/AccountManagement_AuditApplicationGroupManagement
' AND mdm_command_output = '3';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:accounts, requirement:standard, critical:false, control:account-management-audit-application-group-management-is-success-and-failure, cis_safeguard_ids:CIS6.6
@@ -2632,7 +2632,7 @@
Auditing\Account Management Audit Application Group Management'
- platform: windows
- name: CIS - Ensure 'Audit Authentication Policy Change' is set to include 'Success'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Audit Authentication Policy Change' is set to include 'Success'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/PolicyChange_AuditAuthenticationPolicyChange
' AND (mdm_command_output = '1' OR mdm_command_output = '3');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.7
@@ -2694,7 +2694,7 @@
Auditing\Audit Authentication Policy Change'
- platform: windows
- name: CIS - Ensure 'Audit Authorization Policy Change' is set to include 'Success'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Audit Authorization Policy Change' is set to include 'Success'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/PolicyChange_AuditAuthorizationPolicyChange
' AND (mdm_command_output = '1' OR mdm_command_output = '3');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.8
@@ -2736,7 +2736,7 @@
Auditing\Audit Authorization Policy Change'
- platform: windows
- name: CIS - Ensure 'Audit Changes to Audit Policy' is set to include 'Success'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Audit Changes to Audit Policy' is set to include 'Success'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/PolicyChange_AuditPolicyChange
' AND (mdm_command_output = '1' OR mdm_command_output = '3');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.9
@@ -2790,7 +2790,7 @@
Auditing\Audit Changes to Audit Policy'
- platform: windows
- name: CIS - Ensure 'Audit File Share Access' is set to 'Success and Failure'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Audit File Share Access' is set to 'Success and Failure'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/ObjectAccess_AuditFileShare
' AND mdm_command_output = '3';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:audit-file-share-access-is-success-and-failure, cis_safeguard_ids:CIS6.10
@@ -2808,7 +2808,7 @@
Auditing\Audit File Share Access'
- platform: windows
- name: CIS - Ensure 'Audit Other Logon Logoff Events' is set to 'Success and Failure'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Audit Other Logon Logoff Events' is set to 'Success and Failure'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/AccountLogonLogoff_AuditOtherLogonLogoffEvents
' AND mdm_command_output = '3';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:audit-other-logon-logoff-events-is-success-and-failure, cis_safeguard_ids:CIS6.11
@@ -2870,7 +2870,7 @@
Auditing\Audit Other Logon Logoff Events'
- platform: windows
- name: CIS - Ensure 'Audit Security Group Management' is set to include 'Success'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Audit Security Group Management' is set to include 'Success'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/AccountManagement_AuditSecurityGroupManagement
' AND (mdm_command_output = '1' OR mdm_command_output = '3');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.12
@@ -2958,7 +2958,7 @@
Auditing\Audit Security Group Management'
- platform: windows
- name: CIS - Ensure 'Audit Security System Extension' is set to include 'Success'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Audit Security System Extension' is set to include 'Success'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/System_AuditSecuritySystemExtension
' AND (mdm_command_output = '1' OR mdm_command_output = '3');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.13
@@ -3000,7 +3000,7 @@
Auditing\Audit Security System Extension'
- platform: windows
- name: CIS - Ensure 'Audit Special Logon' is set to include 'Success'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Audit Special Logon' is set to include 'Success'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/AccountLogonLogoff_AuditSpecialLogon
' AND (mdm_command_output = '1' OR mdm_command_output = '3');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.14
@@ -3024,7 +3024,7 @@
Auditing\Audit Special Logon'
- platform: windows
- name: CIS - Ensure 'Audit User Account Management' is set to 'Success and Failure'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Audit User Account Management' is set to 'Success and Failure'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/AccountManagement_AuditUserAccountManagement
' AND mdm_command_output = '3';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:audit-user-account-management-is-success-and-failure, cis_safeguard_ids:CIS6.15
@@ -3114,7 +3114,7 @@
Auditing\Audit User Account Management'
- platform: windows
- name: CIS - Ensure 'Detailed Tracking Audit PNP Activity' is set to include 'Success'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Detailed Tracking Audit PNP Activity' is set to include 'Success'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/DetailedTracking_AuditPNPActivity
' AND (mdm_command_output = '1' OR mdm_command_output = '3');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.16
@@ -3132,7 +3132,7 @@
Auditing\Detailed Tracking Audit PNP Activity'
- platform: windows
- name: CIS - Ensure 'Detailed Tracking Audit Process Creation' is set to include 'Success'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Detailed Tracking Audit Process Creation' is set to include 'Success'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/DetailedTracking_AuditProcessCreation
' AND (mdm_command_output = '1' OR mdm_command_output = '3');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.17
@@ -3164,7 +3164,7 @@
Auditing\Detailed Tracking Audit Process Creation'
- platform: windows
- name: CIS - Ensure 'Object Access Audit Detailed File Share' is set to include 'Failure'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Object Access Audit Detailed File Share' is set to include 'Failure'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/ObjectAccess_AuditDetailedFileShare
' AND (mdm_command_output = '2' OR mdm_command_output = '3');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.18
@@ -3188,7 +3188,7 @@
Auditing\Object Access Audit Detailed File Share'
- platform: windows
- name: CIS - Ensure 'Object Access Audit Other Object Access Events' is set to 'Success and Failure'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Object Access Audit Other Object Access Events' is set to 'Success and Failure'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/ObjectAccess_AuditOtherObjectAccessEvents
' AND mdm_command_output = '3';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:network, requirement:standard, critical:false, control:object-access-audit-other-object-access-events-is-success-and-failure, cis_safeguard_ids:CIS6.19
@@ -3244,7 +3244,7 @@
Auditing\Object Access Audit Other Object Access Events'
- platform: windows
- name: CIS - Ensure 'Object Access Audit Removable Storage' is set to 'Success and Failure'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Object Access Audit Removable Storage' is set to 'Success and Failure'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/ObjectAccess_AuditRemovableStorage
' AND mdm_command_output = '3';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:object-access-audit-removable-storage-is-success-and-failure, cis_safeguard_ids:CIS6.20
@@ -3274,7 +3274,7 @@
Auditing\Object Access Audit Removable Storage'
- platform: windows
- name: CIS - Ensure 'Policy Change Audit MPSSVC Rule Level Policy Change' is set to 'Success and Failure'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Policy Change Audit MPSSVC Rule Level Policy Change' is set to 'Success and Failure'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChange
' AND mdm_command_output = '3';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:policy-change-audit-mpssvc-rule-level-policy-change-is-success-and-failure, cis_safeguard_ids:CIS6.21
@@ -3366,7 +3366,7 @@
Auditing\Policy Change Audit MPSSVC Rule Level Policy Change'
- platform: windows
- name: CIS - Ensure 'Policy Change Audit Other Policy Change Events' is set to include 'Failure'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Policy Change Audit Other Policy Change Events' is set to include 'Failure'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/PolicyChange_AuditOtherPolicyChangeEvents
' AND (mdm_command_output = '2' OR mdm_command_output = '3');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.22
@@ -3428,7 +3428,7 @@
Auditing\Policy Change Audit Other Policy Change Events'
- platform: windows
- name: CIS - Ensure 'Privilege Use Audit Sensitive Privilege Use' is set to 'Success and Failure'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Privilege Use Audit Sensitive Privilege Use' is set to 'Success and Failure'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/PrivilegeUse_AuditSensitivePrivilegeUse
' AND mdm_command_output = '3';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:privilege-use-audit-sensitive-privilege-use-is-success-and-failure, cis_safeguard_ids:CIS6.23
@@ -3516,7 +3516,7 @@
Auditing\Privilege Use Audit Sensitive Privilege Use'
- platform: windows
- name: CIS - Ensure 'System Audit I Psec Driver' is set to 'Success and Failure'
+ name: "[Win 11 Intune L1] CIS - Ensure 'System Audit I Psec Driver' is set to 'Success and Failure'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/System_AuditIPsecDriver
' AND mdm_command_output = '3';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:system-audit-i-psec-driver-is-success-and-failure, cis_safeguard_ids:CIS6.24
@@ -3633,7 +3633,7 @@
Auditing\System Audit I Psec Driver'
- platform: windows
- name: CIS - Ensure 'System Audit Other System Events' is set to 'Success and Failure'
+ name: "[Win 11 Intune L1] CIS - Ensure 'System Audit Other System Events' is set to 'Success and Failure'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/System_AuditOtherSystemEvents
' AND mdm_command_output = '3';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:system-audit-other-system-events-is-success-and-failure, cis_safeguard_ids:CIS6.25
@@ -3709,7 +3709,7 @@
Auditing\System Audit Other System Events'
- platform: windows
- name: CIS - Ensure 'System Audit Security State Change' is set to include 'Success'
+ name: "[Win 11 Intune L1] CIS - Ensure 'System Audit Security State Change' is set to include 'Success'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/System_AuditSecurityStateChange
' AND (mdm_command_output = '1' OR mdm_command_output = '3');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.26
@@ -3747,7 +3747,7 @@
Auditing\System Audit Security State Change'
- platform: windows
- name: CIS - Ensure 'System Audit System Integrity' is set to 'Success and Failure'
+ name: "[Win 11 Intune L1] CIS - Ensure 'System Audit System Integrity' is set to 'Success and Failure'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Audit/System_AuditSystemIntegrity
' AND mdm_command_output = '3';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:system-audit-system-integrity-is-success-and-failure, cis_safeguard_ids:CIS6.27
@@ -3812,7 +3812,7 @@
Auditing\System Audit System Integrity'
- platform: windows
- name: CIS - Ensure 'Config refresh' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Config refresh' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\%\ConfigRefresh\Enabled' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:config-refresh-is-enabled, cis_safeguard_ids:CIS15.1
@@ -3828,7 +3828,7 @@
Config Refresh\Config refresh'
- platform: windows
- name: CIS - Ensure 'Refresh cadence' is set to '90' (or less)
+ name: "[Win 11 Intune L1] CIS - Ensure 'Refresh cadence' is set to '90' (or less)"
query: SELECT 1 WHERE EXISTS (SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ADMX_GroupPolicy/CSE_NOBACKGROUND
' AND mdm_command_output LIKE '%90%') OR EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GroupPolicyRefreshTime' AND data = '90');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS15.2
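Review bot: The query under the renamed 'Refresh cadence' entry does not implement the "'90' (or less)" in its name. `mdm_command_output LIKE '%90%'` also matches values such as 190 or 900, and the registry branch `data = '90'` fails a host that is configured with a shorter interval. A numeric comparison on the registry branch, `AND CAST(data AS INTEGER) <= 90`, would match the name; the MDM branch needs the same treatment once the output format is confirmed. The same equality-for-a-range pattern appears in the 'Days Until Aggressive Catchup Quick Scan' hunk (`data = '7'` for "'7 days' or fewer") and in the 'Require Platform Security Features' and 'Remote Encryption Protection Configured State' hunks (a single value for "or higher"). The policy entry continues outside the hunk.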
@@ -3845,7 +3845,7 @@
Note: The shortest configurable refresh interval is 30 minutes.'
- platform: windows
- name: CIS - Ensure 'Allow Behavior Monitoring' is set to 'Allowed'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Allow Behavior Monitoring' is set to 'Allowed'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AllowBehaviorMonitoring
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-behavior-monitoring-is-allowed, cis_safeguard_ids:CIS22.1
@@ -3861,7 +3861,7 @@
Defender\Allow Behavior Monitoring'
- platform: windows
- name: CIS - Ensure 'Allow Email Scanning' is set to 'Allowed'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Allow Email Scanning' is set to 'Allowed'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AllowEmailScanning
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-email-scanning-is-allowed, cis_safeguard_ids:CIS22.2
@@ -3883,7 +3883,7 @@
Defender\Allow Email Scanning'
- platform: windows
- name: CIS - Ensure 'Allow Full Scan Removable Drive Scanning' is set to 'Allowed'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Allow Full Scan Removable Drive Scanning' is set to 'Allowed'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AllowFullScanRemovableDriveScanning
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-full-scan-removable-drive-scanning-is-allowed, cis_safeguard_ids:CIS22.3
@@ -3901,7 +3901,7 @@
Defender Antivirus\Allow Full Scan Removable Drive Scanning'
- platform: windows
- name: CIS - Ensure 'Allow Realtime Monitoring' is set to 'Allowed'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Allow Realtime Monitoring' is set to 'Allowed'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AllowRealtimeMonitoring
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-realtime-monitoring-is-allowed, cis_safeguard_ids:CIS22.4
@@ -3919,7 +3919,7 @@
Defender\Allow Realtime Monitoring'
- platform: windows
- name: CIS - Ensure 'Allow scanning of all downloaded files and attachments' is set to 'Allowed'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Allow scanning of all downloaded files and attachments' is set to 'Allowed'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AllowIOAVProtection
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-scanning-of-all-downloaded-files-and-attachments-is-allowed, cis_safeguard_ids:CIS22.5
@@ -3933,7 +3933,7 @@
Defender\Allow scanning of all downloaded files and attachments'
- platform: windows
- name: CIS - Ensure 'Allow Script Scanning' is set to 'Allowed'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Allow Script Scanning' is set to 'Allowed'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AllowScriptScanning
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-script-scanning-is-allowed, cis_safeguard_ids:CIS22.6
@@ -3949,7 +3949,7 @@
Defender\Allow Script Scanning'
- platform: windows
- name: 'CIS - Ensure ''ASR: Block abuse of exploited vulnerable signed drivers'' is set to ''Block`'
+ name: "[Win 11 Intune L1] CIS - Ensure 'ASR: Block abuse of exploited vulnerable signed drivers' is set to 'Block`"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules
' AND (mdm_command_output LIKE '%56A863A9-875E-4185-98A7-B882C64B5CE5=1%' OR mdm_command_output LIKE '%56A863A9-875E-4185-98A7-B882C64B5CE5=2%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS22.7
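Review bot: The new name still ends with a backtick where the closing single quote should be (after `'Block`), carried over from the old line. Since this commit is already renaming every policy, it is the cheapest moment to fix it: `name: "[Win 11 Intune L1] CIS - Ensure 'ASR: Block abuse of exploited vulnerable signed drivers' is set to 'Block'"`. If policies are matched by name anywhere downstream, correcting it later means a second rename of the same entry.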
@@ -3967,7 +3967,7 @@
Defender\Block abuse of exploited vulnerable signed drivers (Device)'
- platform: windows
- name: 'CIS - Ensure ''ASR: Block Adobe Reader from creating child processes'' is set to ''Block'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'ASR: Block Adobe Reader from creating child processes' is set to 'Block'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules
' AND (mdm_command_output LIKE '%7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C=1%' OR mdm_command_output LIKE '%7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C=2%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:asr-block-adobe-reader-from-creating-child-processes-is-block, cis_safeguard_ids:CIS22.8
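Review bot: The name promises 'Block', but the query also passes on `7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C=2`, and 2 is audit mode in Defender's ASR rule states (1 is block), so a host that only logs this rule is reported as compliant. For entries whose name says 'Block', the second alternative should go: `' AND mdm_command_output LIKE '%7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C=1%';`. The other ASR hunks named "set to 'Block'" (vulnerable signed drivers, LSASS credential stealing, email and webmail executables, JavaScript/VBScript, Office executable content, Office code injection, WMI persistence, USB processes, Win32 API calls from macros) have the same `=1 OR =2` form; the "'Audit' or higher" entries are consistent with it. The policy entry continues outside the hunk.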
@@ -3989,7 +3989,7 @@
Defender\Block Adobe Reader from creating child processes'
- platform: windows
- name: 'CIS - Ensure ''ASR: Block all Office applications from creating child processes'' is set to ''Audit'' or higher'
+ name: "[Win 11 Intune L1] CIS - Ensure 'ASR: Block all Office applications from creating child processes' is set to 'Audit' or higher"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules
' AND (mdm_command_output LIKE '%D4F940AB-401B-4EFC-AADC-AD5F3C50688A=1%' OR mdm_command_output LIKE '%D4F940AB-401B-4EFC-AADC-AD5F3C50688A=2%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS22.9
@@ -4017,7 +4017,7 @@
Defender\Block all Office applications from creating child processes'
- platform: windows
- name: 'CIS - Ensure ''ASR: Block credential stealing from the Windows local security authority subsystem'' is set to ''Block'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'ASR: Block credential stealing from the Windows local security authority subsystem' is set to 'Block'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules
' AND (mdm_command_output LIKE '%9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2=1%' OR mdm_command_output LIKE '%9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2=2%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:asr-block-credential-stealing-from-the-windows-local-security-authority-subsystem-is-block, cis_safeguard_ids:CIS22.10
@@ -4055,7 +4055,7 @@
subsystem'
- platform: windows
- name: 'CIS - Ensure ''ASR: Block executable content from email client and webmail'' is set to ''Block'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'ASR: Block executable content from email client and webmail' is set to 'Block'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules
' AND (mdm_command_output LIKE '%BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550=1%' OR mdm_command_output LIKE '%BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550=2%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:asr-block-executable-content-from-email-client-and-webmail-is-block, cis_safeguard_ids:CIS22.11
@@ -4081,7 +4081,7 @@
Defender\Block executable content from email client and webmail'
- platform: windows
- name: 'CIS - Ensure ''ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion'' is set to ''Audit'' or higher'
+ name: "[Win 11 Intune L1] CIS - Ensure 'ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion' is set to 'Audit' or higher"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules
' AND (mdm_command_output LIKE '%01443614-CD74-433A-B99E-2ECDC07BFC25=1%' OR mdm_command_output LIKE '%01443614-CD74-433A-B99E-2ECDC07BFC25=2%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS22.12
@@ -4105,7 +4105,7 @@
age, or trusted list criterion'
- platform: windows
- name: 'CIS - Ensure ''ASR: Block execution of potentially obfuscated scripts'' is set to ''Audit'' or higher'
+ name: "[Win 11 Intune L1] CIS - Ensure 'ASR: Block execution of potentially obfuscated scripts' is set to 'Audit' or higher"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules
' AND (mdm_command_output LIKE '%5BEB7EFE-FD9A-4556-801D-275E5FFC04CC=1%' OR mdm_command_output LIKE '%5BEB7EFE-FD9A-4556-801D-275E5FFC04CC=2%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS22.13
@@ -4133,7 +4133,7 @@
Defender\Block execution of potentially obfuscated scripts'
- platform: windows
- name: 'CIS - Ensure ''ASR: Block JavaScript or VBScript from launching downloaded executable content'' is set to ''Block'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'ASR: Block JavaScript or VBScript from launching downloaded executable content' is set to 'Block'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules
' AND (mdm_command_output LIKE '%D3E037E1-3EB8-44C8-A917-57927947596D=1%' OR mdm_command_output LIKE '%D3E037E1-3EB8-44C8-A917-57927947596D=2%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:asr-block-javascript-or-vbscript-from-launching-downloaded-executable-content-is-block, cis_safeguard_ids:CIS22.14
@@ -4155,7 +4155,7 @@
content'
- platform: windows
- name: 'CIS - Ensure ''ASR: Block Office applications from creating executable content'' is set to ''Block'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'ASR: Block Office applications from creating executable content' is set to 'Block'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules
' AND (mdm_command_output LIKE '%3B576869-A4EC-4529-8536-B80A7769E899=1%' OR mdm_command_output LIKE '%3B576869-A4EC-4529-8536-B80A7769E899=2%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:asr-block-office-applications-from-creating-executable-content-is-block, cis_safeguard_ids:CIS22.15
@@ -4175,7 +4175,7 @@
Defender\Block Office applications from creating executable content'
- platform: windows
- name: 'CIS - Ensure ''ASR: Block Office applications from injecting code into other processes'' is set to ''Block'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'ASR: Block Office applications from injecting code into other processes' is set to 'Block'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules
' AND (mdm_command_output LIKE '%75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84=1%' OR mdm_command_output LIKE '%75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84=2%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:asr-block-office-applications-from-injecting-code-into-other-processes-is-block, cis_safeguard_ids:CIS22.16
@@ -4195,7 +4195,7 @@
Defender\Block Office applications from injecting code into other processes'
- platform: windows
- name: 'CIS - Ensure ''ASR: Block Office communication application from creating child processes'' is set to ''Audit'' or higher'
+ name: "[Win 11 Intune L1] CIS - Ensure 'ASR: Block Office communication application from creating child processes' is set to 'Audit' or higher"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules
' AND (mdm_command_output LIKE '%26190899-1602-49E8-8B27-EB1D0A1CE869=1%' OR mdm_command_output LIKE '%26190899-1602-49E8-8B27-EB1D0A1CE869=2%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS22.17
@@ -4213,7 +4213,7 @@
Defender\Block Office communication application from creating child processes'
- platform: windows
- name: 'CIS - Ensure ''ASR: Block persistence through WMI event subscription'' is set to ''Block'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'ASR: Block persistence through WMI event subscription' is set to 'Block'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules
' AND (mdm_command_output LIKE '%E6DB77E5-3DF2-4CF1-B95A-636979351E5B=1%' OR mdm_command_output LIKE '%E6DB77E5-3DF2-4CF1-B95A-636979351E5B=2%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:asr-block-persistence-through-wmi-event-subscription-is-block, cis_safeguard_ids:CIS22.18
@@ -4233,7 +4233,7 @@
Defender\Block persistence through WMI event subscription'
- platform: windows
- name: 'CIS - Ensure ''ASR: Block process creations originating from PSExec and WMI commands'' is set to ''Audit'' or higher'
+ name: "[Win 11 Intune L1] CIS - Ensure 'ASR: Block process creations originating from PSExec and WMI commands' is set to 'Audit' or higher"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules
' AND (mdm_command_output LIKE '%D1E49AAC-8F56-4280-B9BA-993A6D77406C=1%' OR mdm_command_output LIKE '%D1E49AAC-8F56-4280-B9BA-993A6D77406C=2%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS22.19
@@ -4251,7 +4251,7 @@
Defender\Block process creations originating from PSExec and WMI commands'
- platform: windows
- name: 'CIS - Ensure ''ASR: Block untrusted and unsigned processes that run from USB'' is set to ''Block'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'ASR: Block untrusted and unsigned processes that run from USB' is set to 'Block'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules
' AND (mdm_command_output LIKE '%B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4=1%' OR mdm_command_output LIKE '%B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4=2%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:asr-block-untrusted-and-unsigned-processes-that-run-from-usb-is-block, cis_safeguard_ids:CIS22.20
@@ -4269,7 +4269,7 @@
Defender\Block untrusted and unsigned processes that run from USB'
- platform: windows
- name: 'CIS - Ensure ''ASR: Block Win32 API calls from Office macros'' is set to ''Block'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'ASR: Block Win32 API calls from Office macros' is set to 'Block'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules
' AND (mdm_command_output LIKE '%92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B=1%' OR mdm_command_output LIKE '%92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B=2%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:asr-block-win32-api-calls-from-office-macros-is-block, cis_safeguard_ids:CIS22.21
@@ -4285,7 +4285,7 @@
Defender\Block Win32 API calls from Office macros'
- platform: windows
- name: 'CIS - Ensure ''ASR: Use advanced protection against ransomware'' is set to ''Audit'' or higher'
+ name: "[Win 11 Intune L1] CIS - Ensure 'ASR: Use advanced protection against ransomware' is set to 'Audit' or higher"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules
' AND (mdm_command_output LIKE '%C1DB55AB-C21A-4637-BB3F-A12568109D35=1%' OR mdm_command_output LIKE '%C1DB55AB-C21A-4637-BB3F-A12568109D35=2%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS22.22
@@ -4313,7 +4313,7 @@
Defender\Use advanced protection against ransomware'
- platform: windows
- name: CIS - Ensure 'Days Until Aggressive Catchup Quick Scan' is set to '7 days' or fewer
+ name: "[Win 11 Intune L1] CIS - Ensure 'Days Until Aggressive Catchup Quick Scan' is set to '7 days' or fewer"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan\DaysUntilAggressiveCatchupQuickScan' AND data = '7';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS22.23
@@ -4329,7 +4329,7 @@
Defender\Days Until Aggressive Catchup Quick Scan'
- platform: windows
- name: CIS - Ensure 'Enable Network Protection' is set to 'Enabled (block mode)'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Network Protection' is set to 'Enabled (block mode)'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/EnableNetworkProtection
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-network-protection-is-enabled-block-mode, cis_safeguard_ids:CIS22.26
@@ -4343,7 +4343,7 @@
Defender\Enable Network Protection'
- platform: windows
- name: CIS - Ensure 'Hide Exclusions From Local Users' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Hide Exclusions From Local Users' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Defender/Configuration/HideExclusionsFromLocalUsers
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:hide-exclusions-from-local-users-is-enabled, cis_safeguard_ids:CIS22.27
@@ -4373,7 +4373,7 @@
Defender\Hide Exclusions From Local Users'
- platform: windows
- name: CIS - Ensure 'Oobe Enable Rtp And Sig Update' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Oobe Enable Rtp And Sig Update' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Defender/Configuration/OobeEnableRtpAndSigUpdate
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:oobe-enable-rtp-and-sig-update-is-enabled, cis_safeguard_ids:CIS22.28
@@ -4399,7 +4399,7 @@
Defender\Oobe Enable Rtp And Sig Update'
- platform: windows
- name: CIS - Ensure 'PUA Protection' is set to 'PUA Protection on'
+ name: "[Win 11 Intune L1] CIS - Ensure 'PUA Protection' is set to 'PUA Protection on'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Defender/PUAProtection
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:pua-protection-is-pua-protection-on, cis_safeguard_ids:CIS22.29
@@ -4421,7 +4421,7 @@
Defender\PUA Protection'
- platform: windows
- name: CIS - Ensure 'Quick Scan Include Exclusions' is set to '1'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Quick Scan Include Exclusions' is set to '1'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Defender/Configuration/QuickScanIncludeExclusions
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:quick-scan-include-exclusions-is-1, cis_safeguard_ids:CIS22.30
@@ -4451,7 +4451,7 @@
Defender\Quick Scan Include Exclusions'
- platform: windows
- name: 'CIS - Ensure ''Remote Encryption Protection Configured State'' is set to ''Audit: Generate EDR detections without blocking'' or higher'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Remote Encryption Protection Configured State' is set to 'Audit: Generate EDR detections without blocking' or higher"
query: SELECT 1 WHERE EXISTS (SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Defender/Configuration/RemoteEncryptionProtectionConfiguredState
' AND mdm_command_output = '2') OR EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Configuration\\BehavioralNetworkBlocks\\RemoteEncryptionProtection\\RemoteEncryptionProtectionConfiguredState' AND data = '2');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS22.32
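Review bot: The registry path in the second EXISTS is written with doubled backslashes (`HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\...`), while other registry checks in this file, such as the DaysUntilAggressiveCatchupQuickScan one, use single backslashes. SQLite does not treat a backslash as an escape, so unless the YAML quoting collapses the pairs (the quoting style is not visible in the hunk) this branch compares against a path that never exists and the registry fallback is dead. One of the two spellings has to be wrong; if the scalar is plain or single-quoted, this path should use single backslashes like the others. The 'DO Download Mode' and 'Credential Guard' hunks use the same doubled form.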
@@ -4477,7 +4477,7 @@
Defender\Remote Encryption Protection Configured State'
- platform: windows
- name: CIS - Ensure 'DO Download Mode' is NOT set to 'HTTP blended with Internet Peering'
+ name: "[Win 11 Intune L1] CIS - Ensure 'DO Download Mode' is NOT set to 'HTTP blended with Internet Peering'"
query: SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization\\DODownloadMode' AND data = 3);
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS23.1
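Review bot: The query looks inverted relative to the name: it returns a row when DODownloadMode `data = 3`, and 3 is the Delivery Optimization "HTTP blended with Internet Peering" mode that the policy says must NOT be set. Every other check in this file returns a row for the compliant state, so as written a host passes exactly when it has the disallowed mode and fails otherwise. Something like `SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM registry WHERE path = '<DODownloadMode path>' AND data = 3);` expresses the name; whether an unset value should pass needs checking against the benchmark text. The policy entry continues outside the hunk.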
@@ -4541,7 +4541,7 @@
Delivery Optimization\DO Download Mode'
- platform: windows
- name: CIS - Ensure 'Configure System Guard Launch' is set to 'Unmanaged Enables Secure Launch if supported by hardware'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Configure System Guard Launch' is set to 'Unmanaged Enables Secure Launch if supported by hardware'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/DeviceGuard/ConfigureSystemGuardLaunch
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:configure-system-guard-launch-is-unmanaged-enables-secure-launch-if-supported-by-hardware, cis_safeguard_ids:CIS24.1
@@ -4565,7 +4565,7 @@
Device Guard\Configure System Guard Launch'
- platform: windows
- name: CIS - Ensure 'Credential Guard' is set to 'Enabled with UEFI lock'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Credential Guard' is set to 'Enabled with UEFI lock'"
query: SELECT 1 WHERE EXISTS (SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/DeviceGuard/EnableVirtualizationBasedSecurity
' AND mdm_command_output = '1') OR EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags' AND data = '1');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:credential-guard-is-enabled-with-uefi-lock, cis_safeguard_ids:CIS24.2
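Review bot: The MDM branch of this 'Credential Guard' check reads `DeviceGuard/EnableVirtualizationBasedSecurity`, which is the setting the next entry covers, while only the registry branch reads `LsaCfgFlags`. Because the two branches are joined with OR, a host with VBS turned on but Credential Guard not configured would be reported as compliant. The MDM branch should query the Credential Guard node instead, `'1- ./Device/Vendor/MSFT/Policy/Result/DeviceGuard/LsaCfgFlags`, keeping `mdm_command_output = '1'` for "Enabled with UEFI lock". The policy entry continues outside the hunk.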
@@ -4605,7 +4605,7 @@
Device Guard\Credential Guard'
- platform: windows
- name: CIS - Ensure 'Enable Virtualization Based Security' is set to 'Enable virtualization based security'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Virtualization Based Security' is set to 'Enable virtualization based security'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\EnableVirtualizationBasedSecurity' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-virtualization-based-security-is-enable-virtualization-based-security, cis_safeguard_ids:CIS24.3
@@ -4641,7 +4641,7 @@
Device Guard\Enable Virtualization Based Security'
- platform: windows
- name: CIS - Ensure 'Require Platform Security Features' is set to 'Turns on VBS with Secure Boot' or higher
+ name: "[Win 11 Intune L1] CIS - Ensure 'Require Platform Security Features' is set to 'Turns on VBS with Secure Boot' or higher"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/DeviceGuard/RequirePlatformSecurityFeatures
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS24.4
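Review bot: The query in this hunk's context accepts only `mdm_command_output = '1'`, while the policy name says "'Turns on VBS with Secure Boot' or higher". A device configured with the stronger Secure Boot and DMA protection option (value 3 in the DeviceGuard CSP) would be reported as failing; `mdm_command_output IN ('1', '3')` matches the name. The same exact-match pattern appears in the DeviceLock hunks further down: Device Password History (`data = '24'` for "24 or more"), Max Device Password Failed Attempts (`data = '5'` for "5 or fewer, but not 0"), Max Inactivity Time Device Lock (`data = '15'`) and Min Device Password Length (`data = '14'`). Those could follow the Device Password Expiration query, which already uses `CAST(data AS INTEGER) BETWEEN 1 AND 365`, for example `CAST(data AS INTEGER) >= 24` and `CAST(data AS INTEGER) BETWEEN 1 AND 5`. The queries are unchanged context in this rename, but a check stricter than the benchmark produces false failures on hardened hosts, which tends to get the policy ignored.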
@@ -4681,7 +4681,7 @@
Device Guard\Require Platform Security Features'
- platform: windows
- name: CIS - Ensure 'Device Password Enabled' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Device Password Enabled' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock\DevicePasswordEnabled' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:session, requirement:standard, critical:false, control:device-password-enabled-is-enabled, cis_safeguard_ids:CIS26.1
@@ -4723,7 +4723,7 @@
Device Lock\Device Password Enabled'
- platform: windows
- name: 'CIS - Ensure ''Device Password Enabled: Alphanumeric Device Password Required'' is set to ''Password or Alphanumeric PIN required'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Device Password Enabled: Alphanumeric Device Password Required' is set to 'Password or Alphanumeric PIN required'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock\AlphanumericDevicePasswordRequired' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:authn, requirement:standard, critical:false, control:device-password-enabled-alphanumeric-device-password-required-is-password-or-alphanumeric-pin-required, cis_safeguard_ids:CIS26.2
@@ -4743,7 +4743,7 @@
Device Lock\Device Password Enabled: Alphanumeric Device Password Required'
- platform: windows
- name: 'CIS - Ensure ''Device Password Enabled: Min Device Password Complex Characters'' is set to ''Digits and lowercase letters are required'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Device Password Enabled: Min Device Password Complex Characters' is set to 'Digits and lowercase letters are required'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock\MinDevicePasswordComplexCharacters' AND data LIKE '%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:accounts, requirement:standard, critical:false, control:device-password-enabled-min-device-password-complex-characters-is-digits-and-lowercase-letters-are-required, cis_safeguard_ids:CIS26.3
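Review bot: The `data LIKE '%'` predicate in this hunk's query matches any value, so the policy passes whenever the `MinDevicePasswordComplexCharacters` key exists, including when it is set to digits only. The name requires "Digits and lowercase letters are required", which is value 2 in the DeviceLock CSP as far as I can tell, so the predicate should be `AND data = '2'`, or `AND CAST(data AS INTEGER) >= 2` if stronger settings are also acceptable. The tag line also still carries `category:accounts` with a control slug, so only the query needs attention. The query is context in this rename and was not introduced by the commit.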
@@ -4782,7 +4782,7 @@
re-checked in the settings picker.'
- platform: windows
- name: 'CIS - Ensure ''Device Password Enabled: Device Password Expiration'' is set to ''365 or fewer days, but not 0'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Device Password Enabled: Device Password Expiration' is set to '365 or fewer days, but not 0'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock\DevicePasswordExpiration' AND CAST(data AS INTEGER) BETWEEN 1 AND 365;
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:accounts, requirement:standard, critical:false, control:device-password-enabled-device-password-expiration-is-365-or-fewer-days-but-not-0, cis_safeguard_ids:CIS26.4
@@ -4800,7 +4800,7 @@
Device Lock\Device Password Enabled: Device Password Expiration'
- platform: windows
- name: 'CIS - Ensure ''Device Password Enabled: Device Password History'' is set to ''24 or more password(s)'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Device Password Enabled: Device Password History' is set to '24 or more password(s)'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock\DevicePasswordHistory' AND data = '24';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:authn, requirement:standard, critical:false, control:device-password-enabled-device-password-history-is-24-or-more-passwords, cis_safeguard_ids:CIS26.5
@@ -4828,7 +4828,7 @@
Device Lock\Device Password Enabled: Device Password History'
- platform: windows
- name: 'CIS - Ensure ''Device Password Enabled: Max Device Password Failed Attempts'' is set to ''5 or fewer failed attempt(s), but not 0'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Device Password Enabled: Max Device Password Failed Attempts' is set to '5 or fewer failed attempt(s), but not 0'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock\MaxDevicePasswordFailedAttempts' AND data = '5';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:accounts, requirement:standard, critical:false, control:device-password-enabled-max-device-password-failed-attempts-is-5-or-fewer-failed-attempts-but-not-0, cis_safeguard_ids:CIS26.6
@@ -4854,7 +4854,7 @@
Device Lock\Device Password Enabled: Max Device Password Failed Attempts'
- platform: windows
- name: 'CIS - Ensure ''Device Password Enabled: Max Inactivity Time Device Lock'' is set to ''15 or fewer minutes, but not 0'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Device Password Enabled: Max Inactivity Time Device Lock' is set to '15 or fewer minutes, but not 0'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock\MaxInactivityTimeDeviceLock' AND data = '15';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:session, requirement:standard, critical:false, control:device-password-enabled-max-inactivity-time-device-lock-is-15-or-fewer-minutes-but-not-0, cis_safeguard_ids:CIS26.7
@@ -4874,7 +4874,7 @@
Device Lock\Device Password Enabled: Max Inactivity Time Device Lock'
- platform: windows
- name: 'CIS - Ensure ''Device Password Enabled: Min Device Password Length'' is set to ''14 or more character(s)'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Device Password Enabled: Min Device Password Length' is set to '14 or more character(s)'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock\MinDevicePasswordLength' AND data = '14';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:session, requirement:standard, critical:false, control:device-password-enabled-min-device-password-length-is-14-or-more-characters, cis_safeguard_ids:CIS26.8
@@ -4908,7 +4908,7 @@
Device Lock\Device Password Enabled: Min Device Password Length'
- platform: windows
- name: CIS - Ensure 'Minimum Password Age' is set to '1 or more day(s)'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Minimum Password Age' is set to '1 or more day(s)'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/DeviceLock/MinimumPasswordAge
' AND CAST(mdm_command_output AS INTEGER) >= 1;
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:session, requirement:standard, critical:false, control:minimum-password-age-is-1-or-more-days, cis_safeguard_ids:CIS26.9
@@ -4926,7 +4926,7 @@
Device Lock\Minimum Password Age'
- platform: windows
- name: CIS - Ensure 'Allow Cortana' is set to 'Block'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Allow Cortana' is set to 'Block'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Experience/AllowCortana
' AND mdm_command_output = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-cortana-is-block, cis_safeguard_ids:CIS34.1
@@ -4940,7 +4940,7 @@
Experience\Allow Cortana'
- platform: windows
- name: CIS - Ensure 'Allow Spotlight Collection (User)' is set to '0'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Allow Spotlight Collection (User)' is set to '0'"
query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_USERS\S-1-%\SOFTWARE\Policies\Microsoft\Windows\CloudContent\DisableWindowsSpotlightFeatures' AND data = '1' LIMIT 1;
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-spotlight-collection-user-is-0, cis_safeguard_ids:CIS34.2
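Review bot: The per-user check in this hunk's context uses `path LIKE 'HKEY_USERS\S-1-%\...'` with `LIMIT 1`, so it passes as soon as one hive under `HKEY_USERS` carries `DisableWindowsSpotlightFeatures = 1`. That does not show the setting applies to every user of the device, and the pattern also matches service-account hives such as `S-1-5-18`; presumably only hives loaded at query time are visible at all. If the weaker guarantee is intended, I would document it next to the query, e.g. `# passes when any loaded user hive has the value; does not prove all users are covered`. The new name also says "is set to '0'" while the query tests a different value name for `'1'`, which deserves a short comment explaining the mapping.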
@@ -4958,7 +4958,7 @@
Experience\Allow Spotlight Collection (User)'
- platform: windows
- name: CIS - Ensure 'Disable Consumer Account State Content' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Disable Consumer Account State Content' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Experience/DisableConsumerAccountStateContent
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:disable-consumer-account-state-content-is-enabled, cis_safeguard_ids:CIS34.4
@@ -4974,7 +4974,7 @@
Experience\Disable Consumer Account State Content'
- platform: windows
- name: CIS - Ensure 'Do not show feedback notifications' is set to 'Feedback notifications are disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Do not show feedback notifications' is set to 'Feedback notifications are disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Experience\DoNotShowFeedbackNotifications' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:accounts, requirement:standard, critical:false, control:do-not-show-feedback-notifications-is-feedback-notifications-are-disabled, cis_safeguard_ids:CIS34.5
@@ -4990,7 +4990,7 @@
Experience\Do not show feedback notifications'
- platform: windows
- name: CIS - Ensure 'Enable Domain Network Firewall' is set to 'True'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Domain Network Firewall' is set to 'True'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-domain-network-firewall-is-true, cis_safeguard_ids:CIS38.1
@@ -5010,7 +5010,7 @@
Firewall\Enable Domain Network Firewall'
- platform: windows
- name: 'CIS - Ensure ''Enable Domain Network Firewall: Default Inbound Action for Domain Profile'' is set to ''Block'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Domain Network Firewall: Default Inbound Action for Domain Profile' is set to 'Block'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Firewall/MdmStore/DomainProfile/DefaultInboundAction
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-domain-network-firewall-default-inbound-action-for-domain-profile-is-block, cis_safeguard_ids:CIS38.2
@@ -5028,7 +5028,7 @@
Profile'
- platform: windows
- name: CIS - Ensure 'Enable Domain Network Firewall Disable Inbound Notifications' is set to 'True'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Domain Network Firewall Disable Inbound Notifications' is set to 'True'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\DomainProfile\DisableNotifications' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-domain-network-firewall-disable-inbound-notifications-is-true, cis_safeguard_ids:CIS38.3
@@ -5052,7 +5052,7 @@
Firewall\Enable Domain Network Firewall: Disable Inbound Notifications'
- platform: windows
- name: CIS - Ensure 'Enable Domain Network Firewall Enable Log Dropped Packets' is set to 'Yes'. Enable Logging Of Dropped Packets
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Domain Network Firewall Enable Log Dropped Packets' is set to 'Yes'. Enable Logging Of Dropped Packets"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableLogDroppedPackets
' AND mdm_command_output = 'true';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-domain-network-firewall-enable-log-dropped-packets-is-yes-enable-logging-of-dropped-packets, cis_safeguard_ids:CIS38.4
@@ -5070,7 +5070,7 @@
Firewall\Enable Domain Network Firewall: Enable Log Dropped Packets'
- platform: windows
- name: CIS - Ensure 'Enable Domain Network Firewall Enable Log Success Connections' is set to 'Enable Logging Of Successful Connections'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Domain Network Firewall Enable Log Success Connections' is set to 'Enable Logging Of Successful Connections'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\DomainProfile\Logging\LogSuccessfulConnections' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-domain-network-firewall-enable-log-success-connections-is-enable-logging-of-successful-connections, cis_safeguard_ids:CIS38.5
@@ -5090,7 +5090,7 @@
Firewall\Enable Domain Network Firewall: Enable Log Success Connections'
- platform: windows
- name: 'CIS - Ensure ''Enable Domain Network Firewall: Log File Path'' is set to ''%SystemRoot%\System32\logfiles\firewall\domainfw.log'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Domain Network Firewall: Log File Path' is set to '%SystemRoot%\\System32\\logfiles\\firewall\\domainfw.log'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Firewall/MdmStore/DomainProfile/LogFilePath
' AND mdm_command_output LIKE '%domainfw.log';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-domain-network-firewall-log-file-path-is-systemroot-system32-logfiles-firewall-domainfw-log, cis_safeguard_ids:CIS38.6
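Review bot: The query in this hunk anchors only the file name, `mdm_command_output LIKE '%domainfw.log'`, so a firewall log redirected to any other directory still passes. The renamed policy states the full path `%SystemRoot%\System32\logfiles\firewall\domainfw.log`. Anchoring the directory as well keeps the check aligned with the name while tolerating an expanded or unexpanded `%SystemRoot%`: `mdm_command_output LIKE '%\System32\logfiles\firewall\domainfw.log'`. The Private and Public profile hunks below have the same shape with `'%privatefw.log'` and `'%publicfw.log'`.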
@@ -5110,7 +5110,7 @@
Firewall\Enable Domain Network Firewall: Log File Path'
- platform: windows
- name: 'CIS - Ensure ''Enable Domain Network Firewall: Log Max File Size'' is set to ''16,384 KB or greater'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Domain Network Firewall: Log Max File Size' is set to '16,384 KB or greater'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Firewall/MdmStore/DomainProfile/LogMaxFileSize
' AND CAST(mdm_command_output AS INTEGER) >= 16384;
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-domain-network-firewall-log-max-file-size-is-16384-kb-or-greater, cis_safeguard_ids:CIS38.7
@@ -5126,7 +5126,7 @@
Firewall\Enable Domain Network Firewall: Log Max File Size (KB)'
- platform: windows
- name: CIS - Ensure 'Enable Private Network Firewall' is set to 'True'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Private Network Firewall' is set to 'True'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-private-network-firewall-is-true, cis_safeguard_ids:CIS38.8
@@ -5146,7 +5146,7 @@
Firewall\Enable Private Network Firewall'
- platform: windows
- name: 'CIS - Ensure ''Enable Private Network Firewall: Default Inbound Action for Private Profile'' is set to ''Block'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Private Network Firewall: Default Inbound Action for Private Profile' is set to 'Block'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DefaultInboundAction
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-private-network-firewall-default-inbound-action-for-private-profile-is-block, cis_safeguard_ids:CIS38.9
@@ -5164,7 +5164,7 @@
Profile'
- platform: windows
- name: CIS - Ensure 'Enable Private Network Firewall Disable Inbound Notifications' is set to 'True'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Private Network Firewall Disable Inbound Notifications' is set to 'True'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\StandardProfile\DisableNotifications' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-private-network-firewall-disable-inbound-notifications-is-true, cis_safeguard_ids:CIS38.10
@@ -5188,7 +5188,7 @@
Firewall\Enable Private Network Firewall: Disable Inbound Notifications'
- platform: windows
- name: CIS - Ensure 'Enable Private Network Firewall Enable Log Success Connections' is set to 'Enable Logging Of Successful Connections'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Private Network Firewall Enable Log Success Connections' is set to 'Enable Logging Of Successful Connections'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\StandardProfile\Logging\LogSuccessfulConnections' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-private-network-firewall-enable-log-success-connections-is-enable-logging-of-successful-connections, cis_safeguard_ids:CIS38.11
@@ -5208,7 +5208,7 @@
Firewall\Enable Private Network Firewall: Enable Log Success Connections'
- platform: windows
- name: 'CIS - Ensure ''Enable Private Network Firewall: Enable Log Dropped Packets'' is set to ''Yes: Enable Logging Of Dropped Packets'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Private Network Firewall: Enable Log Dropped Packets' is set to 'Yes: Enable Logging Of Dropped Packets'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableLogDroppedPackets
' AND mdm_command_output = 'true';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-private-network-firewall-enable-log-dropped-packets-is-yes-enable-logging-of-dropped-packets, cis_safeguard_ids:CIS38.12
@@ -5226,7 +5226,7 @@
Firewall\Enable Private Network Firewall: Enable Log Dropped Packets'
- platform: windows
- name: 'CIS - Ensure ''Enable Private Network Firewall: Log File Path'' is set to ''%SystemRoot%\System32\logfiles\firewall\privatefw.log'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Private Network Firewall: Log File Path' is set to '%SystemRoot%\\System32\\logfiles\\firewall\\privatefw.log'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Firewall/MdmStore/PrivateProfile/LogFilePath
' AND mdm_command_output LIKE '%privatefw.log';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-private-network-firewall-log-file-path-is-systemroot-system32-logfiles-firewall-privatefw-log, cis_safeguard_ids:CIS38.13
@@ -5246,7 +5246,7 @@
Firewall\Enable Private Network Firewall: Log File Path'
- platform: windows
- name: 'CIS - Ensure ''Enable Private Network Firewall: Log Max File Size'' is set to ''16,384 KB or greater'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Private Network Firewall: Log Max File Size' is set to '16,384 KB or greater'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Firewall/MdmStore/PrivateProfile/LogMaxFileSize
' AND CAST(mdm_command_output AS INTEGER) >= 16384;
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-private-network-firewall-log-max-file-size-is-16384-kb-or-greater, cis_safeguard_ids:CIS38.14
@@ -5262,7 +5262,7 @@
Firewall\Enable Private Network Firewall: Log Max File Size (KB)'
- platform: windows
- name: CIS - Ensure 'Enable Public Network Firewall' is set to 'True'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Public Network Firewall' is set to 'True'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-public-network-firewall-is-true, cis_safeguard_ids:CIS38.15
@@ -5282,7 +5282,7 @@
Firewall\Enable Public Network Firewall'
- platform: windows
- name: 'CIS - Ensure ''Enable Public Network Firewall: Allow Local Ipsec Policy Merge'' is set to ''False'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Public Network Firewall: Allow Local Ipsec Policy Merge' is set to 'False'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Firewall/MdmStore/PublicProfile/AllowLocalIpsecPolicyMerge
' AND mdm_command_output = 'false';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-public-network-firewall-allow-local-ipsec-policy-merge-is-false, cis_safeguard_ids:CIS38.16
@@ -5300,7 +5300,7 @@
Firewall\Enable Public Network Firewall: Allow Local Ipsec Policy Merge'
- platform: windows
- name: 'CIS - Ensure ''Enable Public Network Firewall: Allow Local Policy Merge'' is set to ''False'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Public Network Firewall: Allow Local Policy Merge' is set to 'False'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Firewall/MdmStore/PublicProfile/AllowLocalPolicyMerge
' AND mdm_command_output = 'false';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-public-network-firewall-allow-local-policy-merge-is-false, cis_safeguard_ids:CIS38.17
@@ -5324,7 +5324,7 @@
Firewall\Enable Public Network Firewall: Allow Local Policy Merge'
- platform: windows
- name: 'CIS - Ensure ''Enable Public Network Firewall: Default Inbound Action for Public Profile'' is set to ''Block'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Public Network Firewall: Default Inbound Action for Public Profile' is set to 'Block'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Firewall/MdmStore/PublicProfile/DefaultInboundAction
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-public-network-firewall-default-inbound-action-for-public-profile-is-block, cis_safeguard_ids:CIS38.18
@@ -5342,7 +5342,7 @@
Profile'
- platform: windows
- name: CIS - Ensure 'Enable Public Network Firewall Disable Inbound Notifications' is set to 'True'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Public Network Firewall Disable Inbound Notifications' is set to 'True'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\PublicProfile\DisableNotifications' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-public-network-firewall-disable-inbound-notifications-is-true, cis_safeguard_ids:CIS38.19
@@ -5358,7 +5358,7 @@
Firewall\Enable Public Network Firewall: Disable Inbound Notifications'
- platform: windows
- name: CIS - Ensure 'Enable Public Network Firewall Enable Log Dropped Packets' is set to 'Enable Logging Of Dropped Packets'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Public Network Firewall Enable Log Dropped Packets' is set to 'Enable Logging Of Dropped Packets'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableLogDroppedPackets
' AND mdm_command_output = 'true';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-public-network-firewall-enable-log-dropped-packets-is-yes-enable-logging-of-dropped-packets, cis_safeguard_ids:CIS38.20
@@ -5376,7 +5376,7 @@
Firewall\Enable Public Network Firewall: Enable Log Dropped Packets'
- platform: windows
- name: CIS - Ensure 'Enable Public Network Firewall Enable Log Success Connections' is set to 'Enable Logging Of Successful Connections'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Public Network Firewall Enable Log Success Connections' is set to 'Enable Logging Of Successful Connections'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\PublicProfile\Logging\LogSuccessfulConnections' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-public-network-firewall-enable-log-success-connections-is-enable-logging-of-successful-connections, cis_safeguard_ids:CIS38.21
@@ -5396,7 +5396,7 @@
Firewall\Enable Public Network Firewall: Enable Log success connections'
- platform: windows
- name: 'CIS - Ensure ''Enable Public Network Firewall: Log File Path'' is set to ''%SystemRoot%\System32\logfiles\firewall\publicfw.log'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Public Network Firewall: Log File Path' is set to '%SystemRoot%\\System32\\logfiles\\firewall\\publicfw.log'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Firewall/MdmStore/PublicProfile/LogFilePath
' AND mdm_command_output LIKE '%publicfw.log';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-public-network-firewall-log-file-path-is-systemroot-system32-logfiles-firewall-publicfw-log, cis_safeguard_ids:CIS38.22
@@ -5416,7 +5416,7 @@
Firewall\Enable Public Network Firewall: Log File Path'
- platform: windows
- name: 'CIS - Ensure ''Enable Public Network Firewall: Log Max File Size'' is set to ''16,384 KB or greater'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Public Network Firewall: Log Max File Size' is set to '16,384 KB or greater'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Firewall/MdmStore/PublicProfile/LogMaxFileSize
' AND CAST(mdm_command_output AS INTEGER) >= 16384;
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-public-network-firewall-log-max-file-size-is-16384-kb-or-greater, cis_safeguard_ids:CIS38.23
@@ -5432,7 +5432,7 @@
Firewall\Enable Public Network Firewall: Log Max File Size (KB)'
- platform: windows
- name: CIS - Ensure 'Enable insecure guest logons' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable insecure guest logons' is set to 'Disabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LanmanWorkstation/EnableInsecureGuestLogons
' AND mdm_command_output = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-insecure-guest-logons-is-disabled, cis_safeguard_ids:CIS46.1
@@ -5448,7 +5448,7 @@
Lanman Workstation\Enable insecure guest logons'
- platform: windows
- name: 'CIS - Ensure ''Accounts: Enable Guest account status'' is set to ''Disabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Accounts: Enable Guest account status' is set to 'Disabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus
' AND mdm_command_output = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:accounts-enable-guest-account-status-is-disabled, cis_safeguard_ids:CIS49.1
@@ -5472,7 +5472,7 @@
Local Policies Security Options\Accounts: Guest account status'
- platform: windows
- name: 'CIS - Ensure ''Accounts: Limit local account use of blank passwords to console logon only'' is set to ''Enabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:accounts, requirement:standard, critical:false, control:accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only-is-enabled, cis_safeguard_ids:CIS49.2
@@ -5496,7 +5496,7 @@
passwords to console logon only'
- platform: windows
- name: 'CIS - Ensure ''Interactive logon: Do not display last signed-in'' is set to ''Enabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Interactive logon: Do not display last signed-in' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:interactive-logon-do-not-display-last-signed-in-is-enabled, cis_safeguard_ids:CIS49.6
@@ -5533,7 +5533,7 @@
1703.'
- platform: windows
- name: 'CIS - Ensure ''Interactive logon: Do not require CTRL+ALT+DEL'' is set to ''Disabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL
' AND mdm_command_output = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:interactive-logon-do-not-require-ctrl-alt-del-is-disabled, cis_safeguard_ids:CIS49.7
@@ -5551,7 +5551,7 @@
CTRL+ALT+DEL'
- platform: windows
- name: 'CIS - Ensure ''Interactive logon: Machine inactivity limit'' is set to ''900 or fewer second(s), but not 0'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
' AND CAST(mdm_command_output AS INTEGER) > 0 AND CAST(mdm_command_output AS INTEGER) <= 900;
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:interactive-logon-machine-inactivity-limit-is-900-or-fewer-seconds-but-not-0, cis_safeguard_ids:CIS49.8
@@ -5571,7 +5571,7 @@
Local Policies Security Options\Interactive logon: Machine inactivity limit'
- platform: windows
- name: 'CIS - Ensure ''Interactive logon: Smart card removal behavior'' is set to ''Lock Workstation'' or higher'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS49.11
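Review bot: The query accepts only `mdm_command_output = '1'` while the policy name promises 'Lock Workstation' or higher, so a host configured with a stricter removal behaviour (force logoff or disconnect) would be reported as failing. If the node reports the usual 1/2/3 values, the comparison should be `AND mdm_command_output IN ('1', '2', '3')`. The same mismatch is in the 'Behavior of the elevation prompt for administrators' hunk at -6079, where `= '2'` rejects the stricter credential prompt on the secure desktop; `IN ('1', '2')` would match the "or higher" wording. Both entries also still carry `category:unknown` and no `control:` tag.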
@@ -5595,7 +5595,7 @@
behavior'
- platform: windows
- name: 'CIS - Ensure ''Microsoft network client: Digitally sign communications (always)'' is set to ''Enabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:session, requirement:standard, critical:false, control:microsoft-network-client-digitally-sign-communications-always-is-enabled, cis_safeguard_ids:CIS49.12
@@ -5625,7 +5625,7 @@
communications (always)'
- platform: windows
- name: 'CIS - Ensure ''Microsoft network client: Digitally sign communications (if server agrees)'' is set to ''Enabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:microsoft-network-client-digitally-sign-communications-if-server-agrees-is-enabled, cis_safeguard_ids:CIS49.13
@@ -5647,7 +5647,7 @@
communications (if server agrees)'
- platform: windows
- name: 'CIS - Ensure ''Microsoft network client: Send unencrypted password to third-party SMB servers'' is set to ''Disabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers-is-disabled, cis_safeguard_ids:CIS49.14
@@ -5673,7 +5673,7 @@
password to third-party SMB servers'
- platform: windows
- name: 'CIS - Ensure ''Microsoft network server: Digitally sign communications (always)'' is set to ''Enabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:microsoft-network-server-digitally-sign-communications-always-is-enabled, cis_safeguard_ids:CIS49.15
@@ -5693,7 +5693,7 @@
communications (always)'
- platform: windows
- name: 'CIS - Ensure ''Microsoft network server: Digitally sign communications (if client agrees)'' is set to ''Enabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:microsoft-network-server-digitally-sign-communications-if-client-agrees-is-enabled, cis_safeguard_ids:CIS49.16
@@ -5719,7 +5719,7 @@
communications (if client agrees)'
- platform: windows
- name: 'CIS - Ensure ''Network access: Do not allow anonymous enumeration of SAM accounts'' is set to ''Enabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-is-enabled, cis_safeguard_ids:CIS49.17
@@ -5745,7 +5745,7 @@
enumeration of SAM accounts'
- platform: windows
- name: 'CIS - Ensure ''Network access: Do not allow anonymous enumeration of SAM accounts and shares'' is set to ''Enabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares-is-enabled, cis_safeguard_ids:CIS49.18
@@ -5769,7 +5769,7 @@
enumeration of SAM accounts and shares'
- platform: windows
- name: 'CIS - Ensure ''Network access: Restrict anonymous access to Named Pipes and Shares'' is set to ''Enabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:network-access-restrict-anonymous-access-to-named-pipes-and-shares-is-enabled, cis_safeguard_ids:CIS49.19
@@ -5799,7 +5799,7 @@
Named Pipes and Shares'
- platform: windows
- name: 'CIS - Ensure ''Network access: Restrict clients allowed to make remote calls to SAM'' is set to ''Administrators: Remote Access: Allow'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
' AND mdm_command_output LIKE '%BA%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:network-access-restrict-clients-allowed-to-make-remote-calls-to-sam-is-administrators-remote-access-allow, cis_safeguard_ids:CIS49.20
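Review bot: `mdm_command_output LIKE '%BA%'` passes for any security descriptor that merely mentions the built-in Administrators alias, including one that also grants remote SAM access to other principals, which is the state this control is meant to flag. Compare against the exact expected descriptor instead, e.g. `AND mdm_command_output = 'O:BAG:BAD:(A;;RC;;;BA)'`, after confirming how mdm_bridge returns the value on a compliant host. The rest of this policy entry lies outside the hunk.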
@@ -5837,7 +5837,7 @@
make remote calls to SAM'
- platform: windows
- name: 'CIS - Ensure ''Network security: Allow Local System to use computer identity for NTLM'' is set to ''Allow'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Allow'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:network-security-allow-local-system-to-use-computer-identity-for-ntlm-is-allow, cis_safeguard_ids:CIS49.21
@@ -5857,7 +5857,7 @@
computer identity for NTLM'
- platform: windows
- name: 'CIS - Ensure ''Network Security: Allow PKU2U authentication requests'' is set to ''Block'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Network Security: Allow PKU2U authentication requests' is set to 'Block'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
' AND mdm_command_output = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:network-security-allow-pku2u-authentication-requests-is-block, cis_safeguard_ids:CIS49.22
@@ -5905,7 +5905,7 @@
requests to this computer'
- platform: windows
- name: 'CIS - Ensure ''Network security: Do not store LAN Manager hash value on next password change'' is set to ''Enabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:network-security-do-not-store-lan-manager-hash-value-on-next-password-change-is-enabled, cis_safeguard_ids:CIS49.23
@@ -5935,7 +5935,7 @@
hash value on next password change'
- platform: windows
- name: 'CIS - Ensure ''Network security: LAN Manager authentication level'' is set to ''Send LM and NTLMv2 responses only. Refuse LM and NTLM'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Network security: LAN Manager authentication level' is set to 'Send LM and NTLMv2 responses only. Refuse LM and NTLM'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
' AND mdm_command_output = '5';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:network-security-lan-manager-authentication-level-is-send-lm-and-ntlmv2-responses-only-refuse-lm-and-ntlm, cis_safeguard_ids:CIS49.24
@@ -6003,7 +6003,7 @@
level'
- platform: windows
- name: CIS - Ensure 'Network Security Minimum Session Security For NTLMSSP Based Clients' is set to 'Require NTLM and 128-bit encryption'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Network Security Minimum Session Security For NTLMSSP Based Clients' is set to 'Require NTLM and 128-bit encryption'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
' AND mdm_command_output = '537395200';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:network-security-minimum-session-security-for-ntlmssp-based-clients-is-require-ntlm-and-128-bit-encryption, cis_safeguard_ids:CIS49.25
@@ -6031,7 +6031,7 @@
for NTLM SSP based (including secure RPC) clients'
- platform: windows
- name: CIS - Ensure 'Network Security Minimum Session Security For NTLMSSP Based Servers' is set to 'Require NTLM and 128bit encryption'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Network Security Minimum Session Security For NTLMSSP Based Servers' is set to 'Require NTLM and 128bit encryption'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
' AND mdm_command_output = '537395200';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS49.26
@@ -6059,7 +6059,7 @@
for NTLM SSP based (including secure RPC) servers'
- platform: windows
- name: 'CIS - Ensure ''Network security: Restrict NTLM: Audit Incoming NTLM Traffic'' is set to ''Enable auditing for all accounts'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic
' AND mdm_command_output = '2';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:network, requirement:standard, critical:false, control:network-security-restrict-ntlm-audit-incoming-ntlm-traffic-is-enable-auditing-for-all-accounts, cis_safeguard_ids:CIS49.27
@@ -6079,7 +6079,7 @@
Incoming NTLM Traffic'
- platform: windows
- name: 'CIS - Ensure ''User Account Control: Behavior of the elevation prompt for administrators'' is set to ''Prompt for consent on the secure desktop'' or higher'
+ name: "[Win 11 Intune L1] CIS - Ensure 'User Account Control: Behavior of the elevation prompt for administrators' is set to 'Prompt for consent on the secure desktop' or higher"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
' AND mdm_command_output = '2';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS49.28
@@ -6101,7 +6101,7 @@
elevation prompt for administrators'
- platform: windows
- name: 'CIS - Ensure ''User Account Control: Behavior of the elevation prompt for standard users'' is set to ''Automatically deny elevation requests'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
' AND mdm_command_output = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:user-account-control-behavior-of-the-elevation-prompt-for-standard-users-is-automatically-deny-elevation-requests, cis_safeguard_ids:CIS49.29
@@ -6119,7 +6119,7 @@
elevation prompt for standard users'
- platform: windows
- name: 'CIS - Ensure ''User Account Control: Detect application installations and prompt for elevation'' is set to ''Enabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:user-account-control-detect-application-installations-and-prompt-for-elevation-is-enabled, cis_safeguard_ids:CIS49.30
@@ -6137,7 +6137,7 @@
installations and prompt for elevation'
- platform: windows
- name: 'CIS - Ensure ''User Account Control: Only elevate UIAccess applications that are installed in secure locations'' is set to ''Enabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations-is-enabled, cis_safeguard_ids:CIS49.31
@@ -6177,7 +6177,7 @@
applications that are installed in secure locations'
- platform: windows
- name: CIS - Ensure 'User Account Control Use Admin Approval Mode' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'User Account Control Use Admin Approval Mode' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:user-account-control-use-admin-approval-mode-is-enabled, cis_safeguard_ids:CIS49.32
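Review bot: The registry path in the `query:` line is missing the `SOFTWARE\` segment and its closing quote, so the statement is not well-formed SQL and the check most likely errors or fails on every host. The neighbouring UAC checks all read from `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\`; this one should be `query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken' AND data = '1';`. Since the commit already touches this entry, fixing it here avoids shipping a renamed policy that cannot report compliance.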
@@ -6193,7 +6193,7 @@
Local Policies Security Options\User Account Control: Use Admin Approval Mode'
- platform: windows
- name: 'CIS - Ensure ''User Account Control: Switch to the secure desktop when prompting for elevation'' is set to ''Enabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:authn, requirement:standard, critical:false, control:user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation-is-enabled, cis_safeguard_ids:CIS49.33
@@ -6211,7 +6211,7 @@
desktop when prompting for elevation'
- platform: windows
- name: CIS - Ensure 'User Account Control Run all administrators in Admin Approval Mode' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'User Account Control Run all administrators in Admin Approval Mode' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:user-account-control-run-all-administrators-in-admin-approval-mode-is-enabled, cis_safeguard_ids:CIS49.34
@@ -6235,7 +6235,7 @@
in Admin Approval Mode'
- platform: windows
- name: 'CIS - Ensure ''User Account Control: Virtualize file and registry write failures to per-user locations'' is set to ''Enabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations-is-enabled, cis_safeguard_ids:CIS49.35
@@ -6273,7 +6273,7 @@
registry write failures to per-user locations'
- platform: windows
- name: CIS - Ensure 'Configure Lsa Protected Process is set to 'Enabled with UEFI Lock...'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Configure Lsa Protected Process is set to 'Enabled with UEFI Lock...'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\RunAsPPL' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS50.1
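Review bot: The rewritten `name` keeps an unbalanced quote and a truncated value: `'Configure Lsa Protected Process is set to 'Enabled with UEFI Lock...'`. Now that the whole string is double-quoted this is easy to correct, e.g. `name: "[Win 11 Intune L1] CIS - Ensure 'Configure Lsa Protected Process' is set to 'Enabled with UEFI Lock'"`. The tags also still say `category:unknown` with no `control:` slug, unlike most sibling entries.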
@@ -6297,7 +6297,7 @@
Local Security Authority\Configure Lsa Protected Process'
- platform: windows
- name: CIS - Ensure 'Allow apps from the Microsoft app store to auto update' is set to 'Allowed'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Allow apps from the Microsoft app store to auto update' is set to 'Allowed'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ApplicationManagement/AllowAppStoreAutoUpdate
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-apps-from-the-microsoft-app-store-to-auto-update-is-allowed, cis_safeguard_ids:CIS55.1
@@ -6313,7 +6313,7 @@
Microsoft App Store\Allow apps from the Microsoft app store to auto update'
- platform: windows
- name: CIS - Ensure 'Allow Game DVR' is set to 'Block'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Allow Game DVR' is set to 'Block'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ApplicationManagement/AllowGameDVR
' AND mdm_command_output = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-game-dvr-is-block, cis_safeguard_ids:CIS55.2
@@ -6329,7 +6329,7 @@
Microsoft App Store\Allow Game DVR'
- platform: windows
- name: CIS - Ensure 'Block Non Admin User Install' is set to 'Allow'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Block Non Admin User Install' is set to 'Allow'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableMSI' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:network, requirement:standard, critical:false, control:block-non-admin-user-install-is-allow, cis_safeguard_ids:CIS55.4
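Review bot: The name and the query do not appear to describe the same setting: the policy is titled 'Block Non Admin User Install', but the query reads `...\Windows\Installer\DisableMSI`, which looks like the Windows Installer switch rather than the packaged-app install restriction. The sibling ApplicationManagement checks in this file go through mdm_bridge, so this one would be more consistent as a lookup of `./Device/Vendor/MSFT/Policy/Result/ApplicationManagement/BlockNonAdminUserInstall`. The expected state in the name ('Allow') and the `category:network` tag should also be checked against the benchmark text, since a wrong expected value here would report a false pass.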
@@ -6347,7 +6347,7 @@
Microsoft App Store\Block Non Admin User Install'
- platform: windows
- name: CIS - Ensure 'MSI Allow user control over installs' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'MSI Allow user control over installs' is set to 'Disabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ApplicationManagement/MSIAllowUserControlOverInstall
' AND mdm_command_output = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:msi-allow-user-control-over-installs-is-disabled, cis_safeguard_ids:CIS55.6
@@ -6375,7 +6375,7 @@
Microsoft App Store\MSI Allow user control over installs'
- platform: windows
- name: CIS - Ensure 'MSI Always install with elevated privileges' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'MSI Always install with elevated privileges' is set to 'Disabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
' AND mdm_command_output = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:msi-always-install-with-elevated-privileges-is-disabled, cis_safeguard_ids:CIS55.7
@@ -6403,7 +6403,7 @@
Microsoft App Store\MSI Always install with elevated privileges'
- platform: windows
- name: CIS - Ensure 'MSI Always install with elevated privileges (User)' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'MSI Always install with elevated privileges (User)' is set to 'Disabled'"
query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM registry WHERE path LIKE 'HKEY_USERS\S-1-%\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated' AND data = '1');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:msi-always-install-with-elevated-privileges-user-is-disabled, cis_safeguard_ids:CIS55.8
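Review bot: The `NOT EXISTS` over `HKEY_USERS\S-1-%\...` only sees user hives that are loaded when the query runs, so the check passes vacuously for accounts that are not signed in. That limit deserves a comment next to the query, e.g. `# note: evaluates only user hives loaded under HKEY_USERS at query time; profiles of signed-out users are not checked`. The policy entry continues outside the hunk.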
@@ -6431,7 +6431,7 @@
Microsoft App Store\MSI Always install with elevated privileges (User)'
- platform: windows
- name: CIS - Ensure 'Allow Input Personalization' is set to 'Block'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Allow Input Personalization' is set to 'Block'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Privacy/AllowInputPersonalization
' AND mdm_command_output = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-input-personalization-is-block, cis_safeguard_ids:CIS68.2
@@ -6455,7 +6455,7 @@
Privacy\Allow Input Personalization'
- platform: windows
- name: 'CIS - Ensure ''Let Apps Activate With Voice Above Lock'' is set to ''Enabled: Force Deny'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Let Apps Activate With Voice Above Lock' is set to 'Enabled: Force Deny'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Privacy/LetAppsActivateWithVoiceAboveLock
' AND mdm_command_output = '2';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:let-apps-activate-with-voice-above-lock-is-enabled-force-deny, cis_safeguard_ids:CIS68.4
@@ -6471,7 +6471,7 @@
Privacy\Let Apps Activate With Voice Above Lock'
- platform: windows
- name: CIS - Ensure 'Allow Indexing Encrypted Stores Or Items' is set to 'Block'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Allow Indexing Encrypted Stores Or Items' is set to 'Block'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Search/AllowIndexingEncryptedStoresOrItems
' AND mdm_command_output = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-indexing-encrypted-stores-or-items-is-block, cis_safeguard_ids:CIS72.2
@@ -6491,7 +6491,7 @@
Search\Allow Indexing Encrypted Stores Or Items'
- platform: windows
- name: CIS - Ensure 'Allow Search To Use Location' is set to 'Block'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Allow Search To Use Location' is set to 'Block'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Search/AllowSearchToUseLocation
' AND mdm_command_output = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-search-to-use-location-is-block, cis_safeguard_ids:CIS72.3
@@ -6507,7 +6507,7 @@
Search\Allow search to use location'
- platform: windows
- name: CIS - Ensure 'Notify Malicious' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Notify Malicious' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/WebThreatDefense/NotifyMalicious
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:notify-malicious-is-enabled, cis_safeguard_ids:CIS76.1.1
@@ -6533,7 +6533,7 @@
Smart Screen\Enhanced Phishing Protection\Notify Malicious'
- platform: windows
- name: CIS - Ensure 'Notify Password Reuse' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Notify Password Reuse' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/WebThreatDefense/NotifyPasswordReuse
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:notify-password-reuse-is-enabled, cis_safeguard_ids:CIS76.1.2
@@ -6553,7 +6553,7 @@
Smart Screen\Enhanced Phishing Protection\Notify Password Reuse'
- platform: windows
- name: CIS - Ensure 'Notify Unsafe App' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Notify Unsafe App' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/WebThreatDefense/NotifyUnsafeApp
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:notify-unsafe-app-is-enabled, cis_safeguard_ids:CIS76.1.3
@@ -6575,7 +6575,7 @@
Smart Screen\Enhanced Phishing Protection\Notify Unsafe App'
- platform: windows
- name: CIS - Ensure 'Service Enabled' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Service Enabled' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components\ServiceEnabled' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS76.1.4
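Review bot: The `query` in this hunk reads the Group Policy registry value `...\WTDS\Components\ServiceEnabled`, while the three sibling Enhanced Phishing Protection checks (Notify Malicious, Notify Password Reuse, Notify Unsafe App) read the Policy CSP result through `mdm_bridge`. With the name now prefixed `[Win 11 Intune L1]`, a device configured only through Intune may not populate that registry key, so a compliant host could be reported as failing; this is inferred, since the enrolment path is not visible here. I would query the `WebThreatDefense/ServiceEnabled` result node like the siblings, or add a comment above the query such as `# reads the GPO registry key, not the Policy CSP result node - verify on an MDM-only device`. The 'Enable OneSettings Auditing' hunk follows the same registry pattern.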
@@ -6599,7 +6599,7 @@
Smart Screen\Enhanced Phishing Protection\Service Enabled'
- platform: windows
- name: CIS - Ensure 'Enable Sudo' is set to 'Sudo is disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Sudo' is set to 'Sudo is disabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Sudo/EnableSudo
' AND mdm_command_output = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-sudo-is-sudo-is-disabled, cis_safeguard_ids:CIS79.1
@@ -6617,7 +6617,7 @@
Sudo\Enable Sudo'
- platform: windows
- name: CIS - Ensure 'Allow Telemetry' is set to 'Basic'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Allow Telemetry' is set to 'Basic'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/System/AllowTelemetry
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-telemetry-is-basic, cis_safeguard_ids:CIS80.3
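Review bot: The check in this hunk passes only when `mdm_command_output = '1'`, so a device set to the stricter level 0 is reported as failing a policy whose intent is to cap diagnostic data at Basic. If the benchmark accepts the stricter value (worth confirming against the CIS text, which is not shown here), the predicate could be `mdm_command_output IN ('0', '1')`. Otherwise a comment such as `# exact match on 1 (Basic); 0 is reported as non-compliant` would keep the result from surprising whoever triages it.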
@@ -6655,7 +6655,7 @@
System\Allow Telemetry'
- platform: windows
- name: CIS - Ensure 'Enable OneSettings Auditing' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable OneSettings Auditing' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection\EnableOneSettingsAuditing' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-onesettings-auditing-is-enabled, cis_safeguard_ids:CIS80.6
@@ -6671,7 +6671,7 @@
System\Enable OneSettings Auditing'
- platform: windows
- name: CIS - Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/System/LimitDiagnosticLogCollection
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:limit-diagnostic-log-collection-is-enabled, cis_safeguard_ids:CIS80.7
@@ -6695,7 +6695,7 @@
System\Limit Diagnostic Log Collection'
- platform: windows
- name: CIS - Ensure 'Limit Dump Collection' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Limit Dump Collection' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/System/LimitDumpCollection
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:limit-dump-collection-is-enabled, cis_safeguard_ids:CIS80.8
@@ -6719,7 +6719,7 @@
System\Limit Dump Collection'
- platform: windows
- name: CIS - Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'"
query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'Browser'), 'DISABLED') = 'DISABLED';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.3
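Review bot: The `COALESCE(..., 'DISABLED')` form in this query treats "no row returned" as compliant, and `name = 'Browser'` is a case-sensitive comparison in SQLite, so a service registered under a different letter case would yield no row and pass without its start type ever being read. That is the intended result for 'Not Installed', but it also makes the check fail open on a spelling mismatch. Comparing with `name = 'Browser' COLLATE NOCASE` closes that gap; the same applies to the other `services`-based hunks (irmon, FTPSVC, sshd, RpcLocator, RemoteAccess, simptcp, sacsvr, SSDPSRV, upnphost, WMSvc, WMPNetworkSvc, icssvc, W3SVC and the four Xbox services). For the policies whose name says only 'Disabled', a one-line comment stating that an absent service also passes would document the behaviour.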
@@ -6801,7 +6801,7 @@
Datagram Receiver Driver. Using the literal registry path above avoids that error.'
- platform: windows
- name: CIS - Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'
+ name: "[Win 11 Intune L1] CIS - Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'"
query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM services WHERE name = 'IISADMIN') OR EXISTS (SELECT 1 FROM services WHERE name = 'IISADMIN' AND start_type = 'DISABLED');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.7
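Review bot: This query compares `start_type = 'DISABLED'` directly and scans `services` twice, whereas the neighbouring service checks normalise with `UPPER(start_type)` inside a single `COALESCE` expression; the LxssManager hunk is written the same way. The two forms are meant to give the same answer, so I would use one pattern throughout: `SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'IISADMIN'), 'DISABLED') = 'DISABLED';`. Keeping a single form also means any later hardening of the service checks only has to be applied to one shape of query.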
@@ -6866,7 +6866,7 @@
Set-Service -Name IISADMIN -StartupType Disabled'
- platform: windows
- name: CIS - Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'"
query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'irmon'), 'DISABLED') = 'DISABLED';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.8
@@ -6917,7 +6917,7 @@
Set-Service -Name irmon -StartupType Disabled'
- platform: windows
- name: CIS - Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'
+ name: "[Win 11 Intune L1] CIS - Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'"
query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM services WHERE name = 'LxssManager') OR EXISTS (SELECT 1 FROM services WHERE name = 'LxssManager' AND start_type = 'DISABLED');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.10
@@ -6972,7 +6972,7 @@
Set-Service -Name LxssManager -StartupType Disabled'
- platform: windows
- name: CIS - Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'"
query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'FTPSVC'), 'DISABLED') = 'DISABLED';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.11
@@ -7025,7 +7025,7 @@
Set-Service -Name FTPSVC -StartupType Disabled'
- platform: windows
- name: CIS - Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'
+ name: "[Win 11 Intune L1] CIS - Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'"
query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'sshd'), 'DISABLED') = 'DISABLED';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.13
@@ -7049,7 +7049,7 @@
Set-Service -Name sshd -StartupType Disabled'
- platform: windows
- name: CIS - Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'"
query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'RpcLocator'), 'DISABLED') = 'DISABLED';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:remote-procedure-call-rpc-locator-rpclocator-is-disabled, cis_safeguard_ids:CIS81.20
@@ -7104,7 +7104,7 @@
Set-Service -Name RpcLocator -StartupType Disabled'
- platform: windows
- name: CIS - Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'"
query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'RemoteAccess'), 'DISABLED') = 'DISABLED';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:routing-and-remote-access-remoteaccess-is-disabled, cis_safeguard_ids:CIS81.22
@@ -7153,7 +7153,7 @@
Set-Service -Name RemoteAccess -StartupType Disabled'
- platform: windows
- name: CIS - Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'"
query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'simptcp'), 'DISABLED') = 'DISABLED';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.24
@@ -7210,7 +7210,7 @@
Set-Service -Name simptcp -StartupType Disabled'
- platform: windows
- name: CIS - Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed'"
query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'sacsvr'), 'DISABLED') = 'DISABLED';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.26
@@ -7267,7 +7267,7 @@
Set-Service -Name sacsvr -StartupType Disabled'
- platform: windows
- name: CIS - Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'"
query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'SSDPSRV'), 'DISABLED') = 'DISABLED';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:ssdp-discovery-ssdpsrv-is-disabled, cis_safeguard_ids:CIS81.27
@@ -7320,7 +7320,7 @@
Set-Service -Name SSDPSRV -StartupType Disabled'
- platform: windows
- name: CIS - Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'"
query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'upnphost'), 'DISABLED') = 'DISABLED';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:upnp-device-host-upnphost-is-disabled, cis_safeguard_ids:CIS81.28
@@ -7369,7 +7369,7 @@
Set-Service -Name upnphost -StartupType Disabled'
- platform: windows
- name: CIS - Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'"
query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'WMSvc'), 'DISABLED') = 'DISABLED';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.29
@@ -7428,7 +7428,7 @@
Set-Service -Name WMSvc -StartupType Disabled'
- platform: windows
- name: CIS - Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'"
query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'WMPNetworkSvc'), 'DISABLED') = 'DISABLED';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.32
@@ -7479,7 +7479,7 @@
Set-Service -Name WMPNetworkSvc -StartupType Disabled'
- platform: windows
- name: CIS - Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'"
query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'icssvc'), 'DISABLED') = 'DISABLED';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:windows-mobile-hotspot-service-icssvc-is-disabled, cis_safeguard_ids:CIS81.33
@@ -7528,7 +7528,7 @@
Set-Service -Name icssvc -StartupType Disabled'
- platform: windows
- name: CIS - Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'
+ name: "[Win 11 Intune L1] CIS - Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'"
query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'W3SVC'), 'DISABLED') = 'DISABLED';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.38
@@ -7595,7 +7595,7 @@
Set-Service -Name W3SVC -StartupType Disabled'
- platform: windows
- name: CIS - Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'"
query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'XboxGipSvc'), 'DISABLED') = 'DISABLED';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:xbox-accessory-management-service-xboxgipsvc-is-disabled, cis_safeguard_ids:CIS81.39
@@ -7609,7 +7609,7 @@
System Services\Xbox Accessory Management Service'
- platform: windows
- name: CIS - Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'"
query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'XblAuthManager'), 'DISABLED') = 'DISABLED';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:xbox-live-auth-manager-xblauthmanager-is-disabled, cis_safeguard_ids:CIS81.40
@@ -7623,7 +7623,7 @@
System Services\Xbox Live Auth Manager'
- platform: windows
- name: CIS - Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'"
query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'XblGameSave'), 'DISABLED') = 'DISABLED';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:xbox-live-game-save-xblgamesave-is-disabled, cis_safeguard_ids:CIS81.41
@@ -7637,7 +7637,7 @@
System Services\Xbox Live Game Save'
- platform: windows
- name: CIS - Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'"
query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'XboxNetApiSvc'), 'DISABLED') = 'DISABLED';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:xbox-live-networking-service-xboxnetapisvc-is-disabled, cis_safeguard_ids:CIS81.42
@@ -7653,7 +7653,7 @@
System Services\Xbox Live Networking Service'
- platform: windows
- name: CIS - Ensure 'Access Credential Manager As Trusted Caller' is set to 'No One'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Access Credential Manager As Trusted Caller' is set to 'No One'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/AccessCredentialManagerAsTrustedCaller
' AND mdm_command_output = '';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.1
@@ -7680,7 +7680,7 @@
the system.'
- platform: windows
- name: CIS - Ensure 'Access From Network' is set to 'Administrators, Remote Desktop Users'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Access From Network' is set to 'Administrators, Remote Desktop Users'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/AccessFromNetwork
' AND (mdm_command_output LIKE '%Administrators%' AND mdm_command_output LIKE '%Remote Desktop Users%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.2
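Review bot: The name in this hunk says the right 'is set to' exactly two principals, but the query only requires that `mdm_command_output` contains both strings, so an assignment that also grants the right to further accounts still passes. For a user-rights audit the extra principal is the case that matters most. The output format of the `UserRights` result node is not visible here, so I would not guess at an exact-match expression; at minimum add a comment above the query such as `# inclusion check only: additional principals in the assignment are not detected`, or reword the name to 'to include'. The same holds for the other `LIKE`-based `UserRights` hunks (Backup Files And Directories, Change System Time, Create Page File, Create Symbolic Links, Debug Programs, Generate Security Audits, Load Unload Device Drivers, Manage auditing and security log, Manage Volume, Modify Firmware Environment, Profile Single Process).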
@@ -7721,7 +7721,7 @@
screen.'
- platform: windows
- name: CIS - Ensure 'Act As Part Of The Operating System' is set to 'No One'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Act As Part Of The Operating System' is set to 'No One'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/ActAsPartOfTheOperatingSystem
' AND mdm_command_output = '';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.3
@@ -7748,7 +7748,7 @@
properly.'
- platform: windows
- name: CIS - Ensure 'Allow Local Log On' is set to 'Administrators, Users'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Allow Local Log On' is set to 'Administrators, Users'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/AllowLocalLogOn
' AND (mdm_command_output LIKE '%Administrators%' AND mdm_command_output LIKE '%Users%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.4
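Review bot: The pattern `LIKE '%Users%'` in this query is satisfied by any principal whose name contains 'Users' (for example 'Remote Desktop Users'), so it does not establish that the built-in Users group is the one assigned. The 'Create Global Objects' and 'Impersonate Client' hunks have the same overlap: `LIKE '%SERVICE%'` is already true whenever `'%LOCAL SERVICE%'` matches, so the SERVICE principal is never checked on its own. Matching on delimited entries or on well-known SIDs would remove the ambiguity, but the separator and representation used in `mdm_command_output` are not shown here and need confirming first. Until then a comment such as `# substring match: '%Users%' also matches other *Users groups` would flag the limitation.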
@@ -7785,7 +7785,7 @@
screen.'
- platform: windows
- name: CIS - Ensure 'Backup Files And Directories' is set to 'Administrators'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Backup Files And Directories' is set to 'Administrators'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/BackupFilesAndDirectories
' AND mdm_command_output LIKE '%Administrators%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.5
@@ -7814,7 +7814,7 @@
screen.'
- platform: windows
- name: CIS - Ensure 'Change System Time' is set to 'Administrators, LOCAL SERVICE'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Change System Time' is set to 'Administrators, LOCAL SERVICE'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/ChangeSystemTime
' AND (mdm_command_output LIKE '%Administrators%' AND mdm_command_output LIKE '%LOCAL SERVICE%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.6
@@ -7857,7 +7857,7 @@
screen.'
- platform: windows
- name: CIS - Ensure 'Create Global Objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Create Global Objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/CreateGlobalObjects
' AND (mdm_command_output LIKE '%Administrators%' AND mdm_command_output LIKE '%LOCAL SERVICE%' AND mdm_command_output LIKE '%NETWORK SERVICE%' AND mdm_command_output LIKE '%SERVICE%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.7
@@ -7890,7 +7890,7 @@
screen.'
- platform: windows
- name: CIS - Ensure 'Create Page File' is set to 'Administrators'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Create Page File' is set to 'Administrators'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/CreatePageFile
' AND mdm_command_output LIKE '%Administrators%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.8
@@ -7913,7 +7913,7 @@
screen.'
- platform: windows
- name: CIS - Ensure 'Create Permanent Shared Objects' is set to 'No One'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Create Permanent Shared Objects' is set to 'No One'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/CreatePermanentSharedObjects
' AND mdm_command_output = '';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.9
@@ -7940,7 +7940,7 @@
properly.'
- platform: windows
- name: CIS - Ensure 'Create Symbolic Links' is set to 'Administrators'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Create Symbolic Links' is set to 'Administrators'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/CreateSymbolicLinks
' AND mdm_command_output LIKE '%Administrators%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.10
@@ -7987,7 +7987,7 @@
screen.'
- platform: windows
- name: CIS - Ensure 'Create Token' is set to 'No One'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Create Token' is set to 'No One'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/CreateToken
' AND mdm_command_output = '';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.11
@@ -8014,7 +8014,7 @@
properly.'
- platform: windows
- name: CIS - Ensure 'Debug Programs' is set to 'Administrators'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Debug Programs' is set to 'Administrators'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/DebugPrograms
' AND mdm_command_output LIKE '%Administrators%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.12
@@ -8043,7 +8043,7 @@
screen.'
- platform: windows
- name: CIS - Ensure 'Deny Access From Network' to include 'Guests, Local account'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Deny Access From Network' to include 'Guests, Local account'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/DenyAccessFromNetwork
' AND (mdm_command_output LIKE '%Guests%' AND mdm_command_output LIKE '%Local account%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.13
@@ -8082,7 +8082,7 @@
screen.'
- platform: windows
- name: CIS - Ensure 'Deny Local Log On' to include 'Guests'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Deny Local Log On' to include 'Guests'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/DenyLocalLogOn
' AND mdm_command_output LIKE '%Guests%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.14
@@ -8113,7 +8113,7 @@
screen.'
- platform: windows
- name: CIS - Ensure 'Deny Log On As Batch Job' to include 'Guests'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Deny Log On As Batch Job' to include 'Guests'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/DenyLogOnAsBatchJob
' AND mdm_command_output LIKE '%Guests%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.15
@@ -8139,7 +8139,7 @@
User Rights\Deny Log On As Batch Job'
- platform: windows
- name: CIS - Ensure 'Deny Log On As Service Job' to include 'Guests'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Deny Log On As Service Job' to include 'Guests'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/DenyLogOnAsService
' AND mdm_command_output LIKE '%Guests%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.16
@@ -8161,7 +8161,7 @@
User Rights\Deny Log On As Service Job'
- platform: windows
- name: CIS - Ensure 'Deny Remote Desktop Services Log On' to include 'Guests, Local account'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Deny Remote Desktop Services Log On' to include 'Guests, Local account'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/DenyRemoteDesktopServicesLogOn
' AND (mdm_command_output LIKE '%Guests%' AND mdm_command_output LIKE '%Local account%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.17
@@ -8212,7 +8212,7 @@
screen.'
- platform: windows
- name: CIS - Ensure 'Enable Delegation' is set to 'No One'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable Delegation' is set to 'No One'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/EnableDelegation
' AND mdm_command_output = '';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.18
@@ -8241,7 +8241,7 @@
properly.'
- platform: windows
- name: CIS - Ensure 'Generate Security Audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Generate Security Audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/GenerateSecurityAudits
' AND (mdm_command_output LIKE '%LOCAL SERVICE%' AND mdm_command_output LIKE '%NETWORK SERVICE%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.19
@@ -8268,7 +8268,7 @@
screen.'
- platform: windows
- name: CIS - Ensure 'Impersonate Client' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Impersonate Client' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/ImpersonateClient
' AND (mdm_command_output LIKE '%Administrators%' AND mdm_command_output LIKE '%LOCAL SERVICE%' AND mdm_command_output LIKE '%NETWORK SERVICE%' AND mdm_command_output LIKE '%SERVICE%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.20
@@ -8337,7 +8337,7 @@
screen.'
- platform: windows
- name: CIS - Ensure 'Increase Scheduling Priority' is set to 'Administrators, Window Manager\Window Manager Group'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Increase Scheduling Priority' is set to 'Administrators, Window Manager\\Window Manager Group'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/IncreaseSchedulingPriority
' AND mdm_command_output LIKE '%Administrators%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.21
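Review bot: The name added here lists two principals, 'Administrators' and 'Window Manager\Window Manager Group', but the query tests only `LIKE '%Administrators%'`, so the second principal is never verified. The 'Profile System Performance' hunk is the same: 'NT SERVICE\WdiServiceHost' appears in the name and not in the predicate. Either add the second term, e.g. `AND mdm_command_output LIKE '%Window Manager Group%'` (assuming the output carries account names, which is not visible here), or state the limitation in a comment such as `# only Administrators is checked; the second principal is not verified`.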
@@ -8366,7 +8366,7 @@
screen.'
- platform: windows
- name: CIS - Ensure 'Load Unload Device Drivers' is set to 'Administrators'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Load Unload Device Drivers' is set to 'Administrators'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/LoadUnloadDeviceDrivers
' AND mdm_command_output LIKE '%Administrators%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.22
@@ -8393,7 +8393,7 @@
screen.'
- platform: windows
- name: CIS - Ensure 'Lock Memory' is set to 'No One'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Lock Memory' is set to 'No One'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/LockMemory
' AND mdm_command_output = '';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.23
@@ -8420,7 +8420,7 @@
properly.'
- platform: windows
- name: CIS - Ensure 'Manage auditing and security log' is set to 'Administrators'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Manage auditing and security log' is set to 'Administrators'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/ManageAuditingAndSecurityLog
' AND mdm_command_output LIKE '%Administrators%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.25
@@ -8443,7 +8443,7 @@
screen.'
- platform: windows
- name: CIS - Ensure 'Manage Volume' is set to 'Administrators'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Manage Volume' is set to 'Administrators'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/ManageVolume
' AND mdm_command_output LIKE '%Administrators%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.26
@@ -8472,7 +8472,7 @@
\'
- platform: windows
- name: CIS - Ensure 'Modify Firmware Environment' is set to 'Administrators'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Modify Firmware Environment' is set to 'Administrators'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/ModifyFirmwareEnvironment
' AND mdm_command_output LIKE '%Administrators%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.27
@@ -8499,7 +8499,7 @@
screen.'
- platform: windows
- name: CIS - Ensure 'Modify Object Label' is set to 'No One'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Modify Object Label' is set to 'No One'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/ModifyObjectLabel
' AND mdm_command_output = '';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.28
@@ -8528,7 +8528,7 @@
properly.'
- platform: windows
- name: CIS - Ensure 'Profile Single Process' is set to 'Administrators'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Profile Single Process' is set to 'Administrators'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/ProfileSingleProcess
' AND mdm_command_output LIKE '%Administrators%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.29
@@ -8559,7 +8559,7 @@
screen.'
- platform: windows
- name: CIS - Ensure 'Profile System Performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Profile System Performance' is set to 'Administrators, NT SERVICE\\WdiServiceHost'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/ProfileSystemPerformance
' AND mdm_command_output LIKE '%Administrators%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.30
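Review bot: The title names two principals, 'Administrators, NT SERVICE\WdiServiceHost', but the query only tests `mdm_command_output LIKE '%Administrators%'`. The 'Replace Process Level Token' and 'Shut Down The System' policies, by contrast, test every principal in their titles. A host where the WdiServiceHost entry has been removed or replaced would still be reported as compliant. The missing condition is presumably `AND mdm_command_output LIKE '%WdiServiceHost%'`; confirm whether the output renders the service account as a name or a SID before adding it.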
@@ -8581,7 +8581,7 @@
User Rights\Profile System Performance'
- platform: windows
- name: CIS - Ensure 'Remote Shutdown' is set to 'Administrators'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Remote Shutdown' is set to 'Administrators'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/RemoteShutdown
' AND mdm_command_output LIKE '%Administrators%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.31
@@ -8608,7 +8608,7 @@
screen.'
- platform: windows
- name: CIS - Ensure 'Replace Process Level Token' is set to 'LOCAL SERVICE, NETWORK SERVICE'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Replace Process Level Token' is set to 'LOCAL SERVICE, NETWORK SERVICE'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/ReplaceProcessLevelToken
' AND (mdm_command_output LIKE '%LOCAL SERVICE%' AND mdm_command_output LIKE '%NETWORK SERVICE%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.32
@@ -8632,7 +8632,7 @@
User Rights\Replace Process Level Token'
- platform: windows
- name: CIS - Ensure 'Restore Files And Directories' is set to 'Administrators'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Restore Files And Directories' is set to 'Administrators'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/RestoreFilesAndDirectories
' AND mdm_command_output LIKE '%Administrators%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.33
@@ -8661,7 +8661,7 @@
screen.'
- platform: windows
- name: CIS - Ensure 'Shut Down The System' is set to 'Administrators, Users'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Shut Down The System' is set to 'Administrators, Users'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/ShutDownTheSystem
' AND (mdm_command_output LIKE '%Administrators%' AND mdm_command_output LIKE '%Users%');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.34
@@ -8681,7 +8681,7 @@
User Rights\Shut Down The System'
- platform: windows
- name: CIS - Ensure 'Take Ownership' is set to 'Administrators'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Take Ownership' is set to 'Administrators'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/UserRights/TakeOwnership
' AND mdm_command_output LIKE '%Administrators%';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.35
@@ -8706,7 +8706,7 @@
screen.'
- platform: windows
- name: CIS - Ensure 'Hypervisor Enforced Code Integrity' is set to 'Enabled with UEFI lock'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Hypervisor Enforced Code Integrity' is set to 'Enabled with UEFI lock'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:hypervisor-enforced-code-integrity-is-enabled-with-uefi-lock, cis_safeguard_ids:CIS90.1
@@ -8742,7 +8742,7 @@
Virtualization Based Technology\Hypervisor Enforced Code Integrity'
- platform: windows
- name: CIS - Ensure 'Require UEFI Memory Attributes Table' is set to 'Require UEFI Memory Attributes Table'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Require UEFI Memory Attributes Table' is set to 'Require UEFI Memory Attributes Table'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:require-uefi-memory-attributes-table-is-require-uefi-memory-attributes-table, cis_safeguard_ids:CIS90.2
@@ -8784,7 +8784,7 @@
Virtualization Based Technology\Require UEFI Memory Attributes Table'
- platform: windows
- name: CIS - Ensure 'Allow Auto Connect To Wi Fi Sense Hotspots' is set to 'Block'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Allow Auto Connect To Wi Fi Sense Hotspots' is set to 'Block'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Wifi/AllowAutoConnectToWiFiSenseHotspots
' AND mdm_command_output = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-auto-connect-to-wi-fi-sense-hotspots-is-block, cis_safeguard_ids:CIS93.1
@@ -8830,7 +8830,7 @@
Wi-Fi Settings\Allow Auto Connect To Wi Fi Sense Hotspots'
- platform: windows
- name: CIS - Ensure 'Allow widgets' is set to 'Not allowed'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Allow widgets' is set to 'Not allowed'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/NewsAndInterests/AllowNewsAndInterests
' AND mdm_command_output = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-widgets-is-not-allowed, cis_safeguard_ids:CIS94.1
@@ -8848,7 +8848,7 @@
Widgets\Allow widgets'
- platform: windows
- name: CIS - Ensure 'Disallow Exploit Protection Override' is set to '(Enable)'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Disallow Exploit Protection Override' is set to '(Enable)'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride
' AND mdm_command_output = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:disallow-exploit-protection-override-is-enable, cis_safeguard_ids:CIS96.1
@@ -8864,7 +8864,7 @@
Windows Defender Security Center\Disallow Exploit Protection Override'
- platform: windows
- name: CIS - Ensure 'Enable ESS with Supported Peripherals' is set to 'Enhanced sign-in security will be enabled…'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Enable ESS with Supported Peripherals' is set to 'Enhanced sign-in security will be enabled…'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\Biometrics\EnableESSwithSupportedPeripherals' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-ess-with-supported-peripherals-is-enhanced-sign-in-security-will-be-enabled, cis_safeguard_ids:CIS97.1
@@ -8890,7 +8890,7 @@
Windows Hello For Business\Enable ESS with Supported Peripherals'
- platform: windows
- name: CIS - Ensure 'Facial Features Use Enhanced Anti Spoofing' is set to 'true'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Facial Features Use Enhanced Anti Spoofing' is set to 'true'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/PassportForWork/Biometrics/FacialFeaturesUseEnhancedAntiSpoofing
' AND mdm_command_output = 'true';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:facial-features-use-enhanced-anti-spoofing-is-true, cis_safeguard_ids:CIS97.2
@@ -8906,7 +8906,7 @@
Windows Hello For Business\Facial Features Use Enhanced Anti Spoofing'
- platform: windows
- name: CIS - Ensure 'Minimum PIN Length' is set to '6 more character(s)'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Minimum PIN Length' is set to '6 more character(s)'"
query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\%\Device\Policies\PINComplexity\MinimumPINLength' AND CAST(data AS INTEGER) >= 6;
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:minimum-pin-length-is-6-more-characters, cis_safeguard_ids:CIS97.3
@@ -8926,7 +8926,7 @@
Windows Hello For Business\Minimum PIN Length'
- platform: windows
- name: CIS - Ensure 'Require Security Device' is set to 'true'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Require Security Device' is set to 'true'"
query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\%\Device\Policies\RequireSecurityDevice' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:require-security-device-is-true, cis_safeguard_ids:CIS97.4
@@ -8958,7 +8958,7 @@
Windows Hello For Business\Require Security Device'
- platform: windows
- name: 'CIS - Ensure ''Allow Windows Ink Workspace'' is set to ''Enabled: but the user can''t access it above the lock screen'' OR ''Disabled'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: but the user can't access it above the lock screen' OR 'Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\WindowsInkWorkspace\AllowWindowsInkWorkspace' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS98.2
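Review bot: The title accepts two states ('Enabled: but the user can't access it above the lock screen' OR 'Disabled'), but the query passes only on `data = '1'`. In the WindowsInkWorkspace policy CSP, as I read it, 0 is disabled and 1 is enabled without access above the lock screen, so a host with the stricter 'Disabled' setting is reported as failing. If that reading holds, the condition should be `AND data IN ('0', '1')`.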
@@ -8982,7 +8982,7 @@
Windows Ink Workspace\Allow Windows Ink Workspace'
- platform: windows
- name: CIS - Ensure 'Allow Clipboard Redirection' is set to 'Not allowed'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Allow Clipboard Redirection' is set to 'Not allowed'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableClip' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-clipboard-redirection-is-not-allowed, cis_safeguard_ids:CIS101.1
@@ -9002,7 +9002,7 @@
Windows Sandbox\Allow Clipboard Redirection'
- platform: windows
- name: CIS - Ensure 'Allow Networking' is set to 'Not allowed'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Allow Networking' is set to 'Not allowed'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\WindowsSandbox\AllowNetworking' AND data = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-networking-is-not-allowed, cis_safeguard_ids:CIS101.2
@@ -9026,7 +9026,7 @@
Windows Sandbox\Allow Networking'
- platform: windows
- name: CIS - Ensure 'Allow Auto Update' is set to 'Enabled'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Allow Auto Update' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Update\AllowAutoUpdate' AND data IN ('1', '2', '3', '4');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-auto-update-is-enabled, cis_safeguard_ids:CIS103.1
@@ -9090,7 +9090,7 @@
Windows Update For Business\Allow Auto Update'
- platform: windows
- name: 'CIS - Ensure ''Defer Feature Updates Period in Days'' is set to ''Enabled: 180 or more days'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Defer Feature Updates Period in Days' is set to 'Enabled: 180 or more days'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Update/DeferFeatureUpdatesPeriodInDays
' AND CAST(mdm_command_output AS INTEGER) >= 180;
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:defer-feature-updates-period-in-days-is-enabled-180-or-more-days, cis_safeguard_ids:CIS103.2
@@ -9162,7 +9162,7 @@
Windows Update for Business\Defer Feature Updates Period in Days'
- platform: windows
- name: 'CIS - Ensure ''Defer Quality Updates Period (Days)'' is set to ''Enabled: 0 days'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Defer Quality Updates Period (Days)' is set to 'Enabled: 0 days'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Update/DeferQualityUpdatesPeriodInDays
' AND mdm_command_output = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:defer-quality-updates-period-days-is-enabled-0-days, cis_safeguard_ids:CIS103.3
@@ -9205,7 +9205,7 @@
Windows Update for Business\Defer Quality Updates Period (Days)'
- platform: windows
- name: CIS - Ensure 'Manage preview builds' is set to 'Disable Preview builds'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Manage preview builds' is set to 'Disable Preview builds'"
query: SELECT 1 WHERE EXISTS (SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Update/ManagePreviewBuilds
' AND mdm_command_output IN ('1', '3')) OR EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ManagePreviewBuilds' AND data = '1');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:manage-preview-builds-is-disable-preview-builds, cis_safeguard_ids:CIS103.4
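Review bot: The mdm_bridge branch accepts `mdm_command_output IN ('1', '3')`, which looks inconsistent with the title 'Disable Preview builds'. As I recall the Update CSP reference, 0 is 'Disable Preview builds' and 3 is the default, where preview builds are left to user selection. If so, an unconfigured host passes this check, and a host set to 0 fails unless the registry branch happens to match. Check the accepted values against the CSP reference and the benchmark text, and add a one-line comment above the query stating what each accepted value means so the choice is auditable.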
@@ -9251,7 +9251,7 @@
Windows Update For Business\Manage preview builds'
- platform: windows
- name: CIS - Ensure 'Scheduled Install Day' is set to 'Every day'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Scheduled Install Day' is set to 'Every day'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Update/ScheduledInstallDay
' AND mdm_command_output = '0';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:scheduled-install-day-is-every-day, cis_safeguard_ids:CIS103.5
@@ -9273,7 +9273,7 @@
Windows Update For Business\Scheduled Install Day'
- platform: windows
- name: CIS - Ensure 'Block "Pause Updates" ability' is set to 'Block'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Block \"Pause Updates\" ability' is set to 'Block'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Update\SetDisablePauseUXAccess' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:block-pause-updates-ability-is-block, cis_safeguard_ids:CIS103.6
@@ -9285,7 +9285,7 @@
Windows Update For Business\Block "Pause Updates" ability'
- platform: windows
- name: 'CIS - Ensure ''Require PIN For Pairing'' is set to ''Enabled: Pairing ceremony for new devices will always require a PIN'' OR ''All pairings will require PIN'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Require PIN For Pairing' is set to 'Enabled: Pairing ceremony for new devices will always require a PIN' OR 'All pairings will require PIN'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/WirelessDisplay/RequirePinForPairing
' AND mdm_command_output IN ('1', '2');
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS104.1
@@ -9305,7 +9305,7 @@
Administrative Templates\Network\Wireless Display\Require pin pairing'
- platform: windows
- name: CIS - Ensure 'Backup Directory' is set to 'Backup the password to Azure AD only'
+ name: "[Win 11 Intune L1] CIS - Ensure 'Backup Directory' is set to 'Backup the password to Azure AD only'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config\BackupDirectory' AND data = '1';
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:backup-directory-is-backup-the-password-to-azure-ad-only, cis_safeguard_ids:CIS105.1
@@ -9367,7 +9367,7 @@
3. Set Backup Directory to Backup the password to Azure AD only.'
- platform: windows
- name: 'CIS - Ensure ''Password Age Days'' is set to ''Configured: 30 or fewer'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Password Age Days' is set to 'Configured: 30 or fewer'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ADMX_AdmPwd/POL_AdmPwd
' AND mdm_command_output LIKE '%= 1;
# purpose: Informational
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:authn, requirement:standard, critical:false, control:password-complexity-is-large-letters-small-letters-numbers-special-characters, cis_safeguard_ids:CIS105.3
@@ -9461,7 +9461,7 @@
+ special characters.'
- platform: windows
- name: 'CIS - Ensure ''Password Length'' is set to ''Configured: 15 or more'''
+ name: "[Win 11 Intune L1] CIS - Ensure 'Password Length' is set to 'Configured: 15 or more'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ADMX_AdmPwd/POL_AdmPwd
' AND mdm_command_output LIKE '%404%';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:configure-interactive-logon-message-text-for-users-attemptin
@@ -9656,7 +9656,7 @@
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to a value that is consistent with the security and operational requirements of your organization: Local Policies Security Options\Interactive logon: Message text for users attempting to log on'
- platform: windows
- name: 'CIS - Configure ''Interactive logon: Message title for users attempting to log on'''
+ name: "[Win 11 Intune L1] CIS - Configure 'Interactive logon: Message title for users attempting to log on'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
' AND mdm_command_output != '' AND mdm_command_output NOT LIKE '%404%';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:configure-interactive-logon-message-title-for-users-attempti
diff --git a/docs/solutions/cis/win-11-intune/policies/l2_win11_intune.yml b/docs/solutions/cis/win-11-intune/policies/l2_win11_intune.yml
index f56f128b96..3308e38b15 100644
--- a/docs/solutions/cis/win-11-intune/policies/l2_win11_intune.yml
+++ b/docs/solutions/cis/win-11-intune/policies/l2_win11_intune.yml
@@ -3,7 +3,7 @@
# Affected fields: purpose, tags, contributors, platforms
- platform: windows
- name: 'CIS - Ensure ''MSS: (DisableSavePassword) Prevent the dialup password from being saved (recommended)'' is set to ''Enabled'''
+ name: "[Win 11 Intune L2] CIS - Ensure 'MSS: (DisableSavePassword) Prevent the dialup password from being saved (recommended)' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\DisableSavePassword' AND data = '1';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.5.4
@@ -11,7 +11,7 @@
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\MSS (Legacy)\MSS:(DisableSavePassword) Prevent the dial-up password from being saved (recommended)
- platform: windows
- name: 'CIS - Ensure ''MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds'' is set to ''Enabled: 300,000 or 5 minutes (recommended)'''
+ name: "[Win 11 Intune L2] CIS - Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime' AND CAST(data AS INTEGER) <= 300000;
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.5.6
@@ -19,7 +19,7 @@
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: 300,000 or 5 minutes (recommended). Administrative Templates\MSS (Legacy)\MSS: (KeepAliveTime) How often keepalive packets are sent in milliseconds'
- platform: windows
- name: 'CIS - Ensure ''MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)'' is set to ''Disabled'''
+ name: "[Win 11 Intune L2] CIS - Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery' AND data = '0';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.5.8
@@ -27,7 +27,7 @@
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Disabled. Administrative Templates\MSS (Legacy)\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)'
- platform: windows
- name: 'CIS - Ensure ''MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted'' is set to ''Enabled: 3'''
+ name: "[Win 11 Intune L2] CIS - Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters\TcpMaxDataRetransmissions' AND CAST(data AS INTEGER) <= 3;
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.5.11
@@ -35,7 +35,7 @@
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: 3. Administrative Templates\MSS (Legacy)\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted'
- platform: windows
- name: 'CIS - Ensure ''MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted'' is set to ''Enabled: 3'''
+ name: "[Win 11 Intune L2] CIS - Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions' AND CAST(data AS INTEGER) <= 3;
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.5.12
@@ -43,7 +43,7 @@
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: 3. Administrative Templates\MSS (Legacy)\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted'
- platform: windows
- name: CIS - Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'"
query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'LLTDIO'), 'DISABLED') = 'DISABLED';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.6.8.1
@@ -51,7 +51,7 @@
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Disabled. Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) driver
- platform: windows
- name: CIS - Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'"
query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'RSPNDR'), 'DISABLED') = 'DISABLED';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.6.8.2
@@ -59,7 +59,7 @@
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Disabled. Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder
- platform: windows
- name: CIS - Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ADMX_WindowsConnectNow/WCN_EnableRegistrar
' AND mdm_command_output LIKE '%Disabled%';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.6.17.1
@@ -67,7 +67,7 @@
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Disabled. Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now
- platform: windows
- name: CIS - Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ADMX_WindowsConnectNow/WCN_DisableWcnUi_2
' AND mdm_command_output LIKE '%%';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.6.17.2
@@ -75,7 +75,7 @@
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\Network\Windows Connect Now\Prohibit access of the Windows Connect Now wizards
- platform: windows
- name: CIS - Ensure 'Turn off access to the Store' is set to 'Enabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Turn off access to the Store' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\ApplicationManagement\DisableStoreOriginatedApps' AND data = '1';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.10.20.1.1
@@ -83,7 +83,7 @@
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off access to the Store
- platform: windows
- name: CIS - Ensure 'Turn off Help Experience Improvement Program (User)' is set to 'Enabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Turn off Help Experience Improvement Program (User)' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_USERS\%\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0\NoImplicitFeedback' AND data = '1';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.10.20.1.3
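Review bot: The query passes as soon as one hive under `HKEY_USERS\%` has NoImplicitFeedback set to 1, so on a host with several loaded user profiles a single compliant user hides the others. For a '(User)' setting the check should fail when any loaded user hive lacks the value, which needs a NOT EXISTS form over the user hives rather than a plain SELECT. At minimum, add a comment such as `# NOTE: passes if any loaded user hive has the value set`. Hives of users who are not logged in are presumably not loaded and cannot be evaluated either way.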
@@ -91,7 +91,7 @@
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\System\Internet Communication Management\Internet Communication Settings\Turn off Help Experience Improvement Program
- platform: windows
- name: CIS - Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ADMX_ICM/NC_ExitOnISP
' AND mdm_command_output LIKE '%%';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.10.20.1.4
@@ -99,7 +99,7 @@
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com
- platform: windows
- name: CIS - Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Turn off printing over HTTP' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/Connectivity/DiablePrintingOverHTTP
' AND mdm_command_output LIKE '%%';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.10.20.1.7
@@ -115,7 +115,7 @@
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Registration if URL connection is referring to Microsoft.com
- platform: windows
- name: CIS - Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ADMX_ICM/SearchCompanion_DisableFileUpdates
' AND mdm_command_output LIKE '%%';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.10.20.1.9
@@ -131,7 +131,7 @@
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Order Prints" picture task
- platform: windows
- name: CIS - Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ADMX_ICM/ShellRemovePublishToWeb_2
' AND mdm_command_output LIKE '%%';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.10.20.1.10
@@ -139,7 +139,7 @@
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Publish to Web" task for files and folders
- platform: windows
- name: CIS - Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ADMX_ICM/WinMSG_NoInstrumentation_2
' AND mdm_command_output LIKE '%%';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.10.20.1.11
@@ -147,7 +147,7 @@
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the Windows Messenger Customer Experience Improvement Program
- platform: windows
- name: CIS - Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ADMX_ICM/CEIPEnable
' AND mdm_command_output LIKE '%%';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.10.40.5.1
@@ -187,7 +187,7 @@
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Disabled. Administrative Templates\System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider'
- platform: windows
- name: CIS - Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ADMX_AppxRuntime/AppxRuntimeBlockHostedAppAccessWinRT
' AND mdm_command_output LIKE '%Enabled%';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.3.2
@@ -195,7 +195,7 @@
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\Windows Components\App runtime\Block launching Universal Windows apps with Windows Runtime API access from hosted content. Note: A reboot may be required after the setting is applied.'
- platform: windows
- name: CIS - Ensure 'Join Microsoft MAPS' is set to 'Disabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Join Microsoft MAPS' is set to 'Disabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ADMX_MicrosoftDefenderAntivirus/SpynetReporting
' AND mdm_command_output LIKE '%%';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.28.3.2
@@ -204,7 +204,7 @@
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Disabled. Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS\Join Microsoft MAPS
- platform: windows
- name: CIS - Ensure 'Configure Watson events' is set to 'Disabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Configure Watson events' is set to 'Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Disabled' AND data = '1';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.28.10.1
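Review bot: The query for 'Configure Watson events' reads `...\Policies\Microsoft\Windows\Windows Error Reporting\Disabled`, which looks like the value for disabling Windows Error Reporting as a whole, not the Defender reporting setting the policy name refers to. The resolution text that follows in the next hunk points at `Microsoft Defender Antivirus\Reporting\Configure Watson events`, so the check and the remediation appear to target different settings. I would expect the check to read the Defender reporting value (in Group Policy terms `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting\DisableGenericRePorts`, to be confirmed against the benchmark and the Intune-backed path). As written, a host can pass or fail this policy regardless of the Watson events setting.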
@@ -212,7 +212,7 @@
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Disabled. Administrative Templates\Windows Components\Microsoft Defender Antivirus\Reporting\Configure Watson events
- platform: windows
- name: CIS - Ensure 'Turn off Push To Install service' is set to 'Enabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Turn off Push To Install service' is set to 'Enabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ApplicationManagement/DisableStoreOriginatedApps
' AND mdm_command_output = '1';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.35.1
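Review bot: The 'Turn off Push To Install service' check queries `./Device/Vendor/MSFT/Policy/Result/ApplicationManagement/DisableStoreOriginatedApps`, the same setting an earlier policy in this file checks through the registry. This looks like a copy-paste from that policy. `DisableStoreOriginatedApps` controls Store-originated apps, not the Push To Install service, so the result says nothing about the setting named in the title or in the resolution. The Group Policy value I would expect here is `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall\DisablePushToInstall` with data `1`; please confirm against the benchmark before changing the query.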
@@ -220,7 +220,7 @@
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\Windows Components\Push to Install\Turn off Push To Install service
- platform: windows
- name: CIS - Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections' AND data = '1';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.36.4.2.1
@@ -228,7 +228,7 @@
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Disabled. Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow users to connect remotely by using Remote Desktop Services
- platform: windows
- name: CIS - Ensure 'Do not allow COM port redirection' is set to 'Enabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableCcm' AND data = '1';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.36.4.3.1
@@ -236,7 +236,7 @@
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow COM port redirection
- platform: windows
- name: CIS - Ensure 'Do not allow LPT port redirection' is set to 'Enabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableLPT' AND data = '1';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.36.4.3.3
@@ -244,7 +244,7 @@
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow LPT port redirection
- platform: windows
- name: CIS - Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisablePNPRedir' AND data = '1';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.36.4.3.4
@@ -252,7 +252,7 @@
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow supported Plug and Play device redirection
- platform: windows
- name: 'CIS - Ensure ''Restrict clipboard transfer from server to client'' is set to ''Enabled: Disable clipboard transfers from server to client'''
+ name: "[Win 11 Intune L2] CIS - Ensure 'Restrict clipboard transfer from server to client' is set to 'Enabled: Disable clipboard transfers from server to client'"
query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableClip' AND data = '1';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.36.4.3.5
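Review bot: The query for 'Restrict clipboard transfer from server to client' tests `fDisableClip`, which to my knowledge backs the older 'Do not allow Clipboard redirection' setting rather than the directional restriction named here. The directional setting is, as far as I know, stored as `SCClipLevel` under the same `Terminal Services` key, with `0` meaning transfers from server to client are disabled. If that is right, a host configured exactly as the resolution describes would fail this policy, and a host with blanket clipboard redirection disabled would pass it. Suggest checking `...\Windows NT\Terminal Services\SCClipLevel` with `data = '0'` after confirming the value name against the benchmark.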
@@ -260,7 +260,7 @@
resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: Disable clipboard transfers from server to client. Administrative Templates\Windows Components\Remote Desktop Session Host\Device and Resource Redirection\Restrict clipboard transfer from server to client'
- platform: windows
- name: 'CIS - Ensure ''Set time limit for active but idle Remote Desktop Services sessions'' is set to ''Enabled: 15 minutes or less, but not Never (0)'''
+ name: "[Win 11 Intune L2] CIS - Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2
' AND mdm_command_output LIKE '%%';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.42.2
@@ -284,7 +284,7 @@
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\Windows Components\Store\Turn off the Store application
- platform: windows
- name: CIS - Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'"
query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/ADMX_MSI/SafeForScripting
' AND mdm_command_output LIKE '%%';
# purpose: Enforcement
# tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.54.1
@@ -308,7 +308,7 @@
resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\Windows Components\Windows PowerShell\Turn on PowerShell Script Block Logging
- platform: windows
- name: CIS - Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'
+ name: "[Win 11 Intune L2] CIS - Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'"
query: SELECT 1 WHERE EXISTS (SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1- ./Device/Vendor/MSFT/Policy/Result/WindowsPowerShell/TurnOnPowerShellTranscription
' AND mdm_command_output LIKE '%
- CIS - Ensure 'Network access : Allow anonymous SID/Name translation' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Network access : Allow anonymous SID/Name translation' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -1379,7 +1379,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -1398,7 +1398,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -1416,7 +1416,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -1433,7 +1433,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -1449,7 +1449,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'
+ [Win 11] CIS - Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'
# platforms: win11
platform: windows
description: |
@@ -1466,7 +1466,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Network access: Remotely accessible registry paths' is configured
+ [Win 11] CIS - Ensure 'Network access: Remotely accessible registry paths' is configured
# platforms: win11
platform: windows
description: |
@@ -1486,7 +1486,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured
+ [Win 11] CIS - Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured
# platforms: win11
platform: windows
description: |
@@ -1514,7 +1514,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -1536,7 +1536,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'
+ [Win 11] CIS - Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'
# platforms: win11
platform: windows
description: |
@@ -1552,7 +1552,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'
+ [Win 11] CIS - Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'
# platforms: win11
platform: windows
description: |
@@ -1570,7 +1570,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'
+ [Win 11] CIS - Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'
# platforms: win11
platform: windows
description: |
@@ -1589,7 +1589,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: rachelelysia
-- name: CIS - Ensure 'Network security Allow Local System to use computer identity for NTLM' is set to 'Enabled'
+- name: "[Win 11] CIS - Ensure 'Network security Allow Local System to use computer identity for NTLM' is set to 'Enabled'"
# platforms: win11
platform: windows
description: |
@@ -1604,7 +1604,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Network security Allow LocalSystem NULL session fallback' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Network security Allow LocalSystem NULL session fallback' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -1619,7 +1619,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Network Security Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Network Security Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -1634,7 +1634,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Network security Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
+- name: "[Win 11] CIS - Ensure 'Network security Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'"
# platforms: win11
platform: windows
description: |
@@ -1649,7 +1649,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Network security Do not store LAN Manager hash value on next password change' is set to 'Enabled'
+- name: "[Win 11] CIS - Ensure 'Network security Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
# platforms: win11
platform: windows
description: |
@@ -1669,7 +1669,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Network security: LDAP client encryption requirements' is set to 'Negotiate sealing' or higher
+ [Win 11] CIS - Ensure 'Network security: LDAP client encryption requirements' is set to 'Negotiate sealing' or higher
# platforms: win11
platform: windows
description: |
@@ -1686,7 +1686,7 @@
# purpose: Informational
# tags: compliance, CIS, CIS_Level1
-- name: CIS - Ensure 'Network security Force logoff when logon hours expire' is set to 'Enabled'
+- name: "[Win 11] CIS - Ensure 'Network security Force logoff when logon hours expire' is set to 'Enabled'"
# platforms: win11
platform: windows
description: |
@@ -1703,7 +1703,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Network security LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
+- name: "[Win 11] CIS - Ensure 'Network security LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'"
# platforms: win11
platform: windows
description: |
@@ -1722,7 +1722,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Network security LDAP client signing requirements' is set to 'Negotiate signing or higher'
+- name: "[Win 11] CIS - Ensure 'Network security LDAP client signing requirements' is set to 'Negotiate signing or higher'"
# platforms: win11
platform: windows
description: |
@@ -1737,7 +1737,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'System cryptography Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used or higher'
+- name: "[Win 11] CIS - Ensure 'System cryptography Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used or higher'"
# platforms: win11
platform: windows
description: |
@@ -1752,7 +1752,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'System objects Require case insensitivity for non Windows subsystems' is set to 'Enabled'
+- name: "[Win 11] CIS - Ensure 'System objects Require case insensitivity for non Windows subsystems' is set to 'Enabled'"
# platforms: win11
platform: windows
description: |
@@ -1774,7 +1774,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'
+- name: "[Win 11] CIS - Ensure 'System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
# platforms: win11
platform: windows
description: |
@@ -1794,7 +1794,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -1810,7 +1810,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'
+ [Win 11] CIS - Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'
# platforms: win11
platform: windows
description: |
@@ -1826,7 +1826,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
+ [Win 11] CIS - Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
# platforms: win11
platform: windows
description: |
@@ -1842,7 +1842,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -1858,7 +1858,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -1876,7 +1876,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -1892,7 +1892,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -1908,7 +1908,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -1927,7 +1927,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: rachelelysia
-- name: CIS - Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -1943,7 +1943,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -1959,7 +1959,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'
+- name: "[Win 11] CIS - Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'"
# platforms: win11
platform: windows
description: |
@@ -1979,7 +1979,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -1995,7 +1995,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'GameInput Service (GameInputSvc)' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'GameInput Service (GameInputSvc)' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -2010,7 +2010,7 @@
# purpose: Informational
# tags: compliance, CIS, CIS_Level2
-- name: CIS - Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2026,7 +2026,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'
+- name: "[Win 11] CIS - Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'"
# platforms: win11
platform: windows
description: |
@@ -2048,7 +2048,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'
+- name: "[Win 11] CIS - Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'"
# platforms: win11
platform: windows
description: |
@@ -2067,7 +2067,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2083,7 +2083,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'
+- name: "[Win 11] CIS - Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'"
# platforms: win11
platform: windows
description: |
@@ -2103,7 +2103,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'
+- name: "[Win 11] CIS - Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'"
# platforms: win11
platform: windows
description: |
@@ -2123,7 +2123,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2139,7 +2139,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'
+- name: "[Win 11] CIS - Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'"
# platforms: win11
platform: windows
description: |
@@ -2159,7 +2159,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Print Spooler (Spooler)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Print Spooler (Spooler)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2175,7 +2175,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2191,7 +2191,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2207,7 +2207,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2223,7 +2223,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2239,7 +2239,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: sharon-fdm
-- name: CIS - Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2254,7 +2254,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: marcosd4h
-- name: CIS - Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2271,7 +2271,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2286,7 +2286,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: marcosd4h
-- name: CIS - Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2301,7 +2301,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Server (LanmanServer)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Server (LanmanServer)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2316,7 +2316,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: marcosd4h
-- name: CIS - Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or to 'Not Installed'
+- name: "[Win 11] CIS - Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or to 'Not Installed'"
# platforms: win11
platform: windows
description: |
@@ -2335,7 +2335,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or to 'Not Installed'
+- name: "[Win 11] CIS - Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or to 'Not Installed'"
# platforms: win11
platform: windows
description: |
@@ -2354,7 +2354,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: marcosd4h
-- name: CIS - Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or to 'Not Installed'
+- name: "[Win 11] CIS - Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or to 'Not Installed'"
# platforms: win11
platform: windows
description: |
@@ -2373,7 +2373,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2389,7 +2389,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2404,7 +2404,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or to 'Not Installed'
+- name: "[Win 11] CIS - Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or to 'Not Installed'"
# platforms: win11
platform: windows
description: |
@@ -2423,7 +2423,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2440,7 +2440,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: marcosd4h
-- name: CIS - Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2457,7 +2457,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: marcosd4h
-- name: CIS - Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or to 'Not Installed'
+- name: "[Win 11] CIS - Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or to 'Not Installed'"
# platforms: win11
platform: windows
description: |
@@ -2476,7 +2476,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2491,7 +2491,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2506,7 +2506,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: marcosd4h
-- name: CIS - Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2521,7 +2521,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: marcosd4h
-- name: CIS - Ensure 'Windows Remote Management (WSManagement) (WinRM)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Windows Remote Management (WSManagement) (WinRM)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2539,7 +2539,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc)' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc)' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -2555,7 +2555,7 @@
# purpose: Informational
# tags: compliance, CIS, CIS_Level2
-- name: CIS - Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or to 'Not Installed'
+- name: "[Win 11] CIS - Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or to 'Not Installed'"
# platforms: win11
platform: windows
description: |
@@ -2574,7 +2574,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2589,7 +2589,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2604,7 +2604,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2619,7 +2619,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
@@ -2635,7 +2635,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'
+ [Win 11] CIS - Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'
# platforms: win11
platform: windows
description: |
@@ -2651,7 +2651,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Configure security policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
+ [Win 11] CIS - Ensure 'Configure security policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
# platforms: win11
platform: windows
description: |
@@ -2668,7 +2668,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
+ [Win 11] CIS - Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
# platforms: win11
platform: windows
description: |
@@ -2685,7 +2685,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Enable Certificate Padding' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Enable Certificate Padding' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -2701,7 +2701,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Automatic Data Collection' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Automatic Data Collection' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -2717,7 +2717,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Enable optional updates' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Enable optional updates' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -2733,7 +2733,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts'
+ [Win 11] CIS - Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts'
# platforms: win11
platform: windows
description: |
@@ -2749,7 +2749,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Audit all' or higher
+ [Win 11] CIS - Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Audit all' or higher
# platforms: win11
platform: windows
description: |
@@ -2766,7 +2766,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Remove Personalized Website Recommendations from the Recommended section in the Start Menu' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Remove Personalized Website Recommendations from the Recommended section in the Start Menu' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -2782,7 +2782,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Configure password backup directory' is set to 'Enabled: Active Directory' or 'Enabled: Azure Active Directory'
+ [Win 11] CIS - Ensure 'Configure password backup directory' is set to 'Enabled: Active Directory' or 'Enabled: Azure Active Directory'
# platforms: win11
platform: windows
description: |
@@ -2802,7 +2802,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Enable password encryption' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Enable password encryption' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -2822,7 +2822,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Post-authentication actions: Grace period (hours)' is set to 'Enabled: 8 or fewer hours, but not 0'
+ [Win 11] CIS - Ensure 'Post-authentication actions: Grace period (hours)' is set to 'Enabled: 8 or fewer hours, but not 0'
# platforms: win11
platform: windows
description: |
@@ -2841,7 +2841,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Post-authentication actions: Actions' is set to 'Enabled: Reset the password and logoff the managed account' or higher
+ [Win 11] CIS - Ensure 'Post-authentication actions: Actions' is set to 'Enabled: Reset the password and logoff the managed account' or higher
# platforms: win11
platform: windows
description: |
@@ -2864,7 +2864,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure Scan packed executables' is set to 'Enabled'
+ [Win 11] CIS - Ensure Scan packed executables' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
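Review bot: The rewritten name `[Win 11] CIS - Ensure Scan packed executables' is set to 'Enabled'` still has an unbalanced quote: the setting title has a closing `'` but no opening one, unlike the other policy names in this file. Since the line is being touched anyway, I would fix it here: `[Win 11] CIS - Ensure 'Scan packed executables' is set to 'Enabled'`. The name is a folded scalar, so YAML parses it either way, but anyone matching policy names against the benchmark's setting titles or filtering a compliance report by the quoted setting will miss this entry. The policy's definition continues outside the hunk.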
@@ -2880,7 +2880,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Enable features introduced via servicing that are off by default' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Enable features introduced via servicing that are off by default' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -2896,7 +2896,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'
+ [Win 11] CIS - Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'
# platforms: win11
platform: windows
description: |
@@ -2912,7 +2912,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'
+ [Win 11] CIS - Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'
# platforms: win11
platform: windows
description: |
@@ -2928,7 +2928,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'
+ [Win 11] CIS - Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'
# platforms: win11
platform: windows
description: |
@@ -2944,7 +2944,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'
+ [Win 11] CIS - Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'
# platforms: win11
platform: windows
description: |
@@ -2960,7 +2960,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'
+ [Win 11] CIS - Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'
# platforms: win11
platform: windows
description: |
@@ -2976,7 +2976,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
+ [Win 11] CIS - Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
# platforms: win11
platform: windows
description: |
@@ -2992,7 +2992,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'
+ [Win 11] CIS - Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'
# platforms: win11
platform: windows
description: |
@@ -3008,7 +3008,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'
+ [Win 11] CIS - Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'
# platforms: win11
platform: windows
description: |
@@ -3024,7 +3024,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'
+ [Win 11] CIS - Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'
# platforms: win11
platform: windows
description: |
@@ -3040,7 +3040,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'
+ [Win 11] CIS - Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'
# platforms: win11
platform: windows
description: |
@@ -3056,7 +3056,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'
+ [Win 11] CIS - Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'
# platforms: win11
platform: windows
description: |
@@ -3072,7 +3072,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'
+ [Win 11] CIS - Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'
# platforms: win11
platform: windows
description: |
@@ -3088,7 +3088,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'
+ [Win 11] CIS - Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'
# platforms: win11
platform: windows
description: |
@@ -3104,7 +3104,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'
+ [Win 11] CIS - Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'
# platforms: win11
platform: windows
description: |
@@ -3120,7 +3120,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'
+ [Win 11] CIS - Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'
# platforms: win11
platform: windows
description: |
@@ -3136,7 +3136,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'
+ [Win 11] CIS - Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'
# platforms: win11
platform: windows
description: |
@@ -3152,7 +3152,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'
+ [Win 11] CIS - Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'
# platforms: win11
platform: windows
description: |
@@ -3168,7 +3168,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'
+ [Win 11] CIS - Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'
# platforms: win11
platform: windows
description: |
@@ -3184,7 +3184,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'
+ [Win 11] CIS - Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'
# platforms: win11
platform: windows
description: |
@@ -3200,7 +3200,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'
+ [Win 11] CIS - Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'
# platforms: win11
platform: windows
description: |
@@ -3216,7 +3216,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'
+ [Win 11] CIS - Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'
# platforms: win11
platform: windows
description: |
@@ -3234,7 +3234,7 @@
# contributors: RachelElysia
- name: >
- CIS - Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'
+ [Win 11] CIS - Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'
# platforms: win11
platform: windows
description: |
@@ -3249,7 +3249,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: RachelElysia
-- name: CIS - Ensure 'Audit Credential Validation' is set to 'Success and Failure'
+- name: "[Win 11] CIS - Ensure 'Audit Credential Validation' is set to 'Success and Failure'"
# platforms: win11
platform: windows
description: |
@@ -3267,7 +3267,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure 'Audit Application Group Management' is set to 'Success and Failure'
+- name: "[Win 11] CIS - Ensure 'Audit Application Group Management' is set to 'Success and Failure'"
# platforms: win11
platform: windows
description: |
@@ -3285,7 +3285,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure 'Audit Security Group Management' is set to include 'Success'
+- name: "[Win 11] CIS - Ensure 'Audit Security Group Management' is set to include 'Success'"
# platforms: win11
platform: windows
description: |
@@ -3303,7 +3303,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure 'Audit PNP Activity' is set to 'Success'
+- name: "[Win 11] CIS - Ensure 'Audit PNP Activity' is set to 'Success'"
# platforms: win11
platform: windows
description: |
@@ -3322,7 +3322,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure 'Audit PNP Activity' is set to include 'Success'
+- name: "[Win 11] CIS - Ensure 'Audit PNP Activity' is set to include 'Success'"
# platforms: win11
platform: windows
description: |
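Review bot: After the rename, this policy's name differs from the one in the preceding hunk only by the word `include` (`'Audit PNP Activity' is set to 'Success'` versus `'Audit PNP Activity' is set to include 'Success'`), so the two are hard to tell apart in a policy list or audit report. The description and query are outside the hunk, so I cannot tell whether this is an intentional second check or a copy of the previous entry whose name was never updated. If it audits a different subcategory, the name should say which one; if it is a duplicate, one of the two entries should be dropped so the same control is not counted twice in compliance totals.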
@@ -3342,7 +3342,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: artemist-work
-- name: CIS - Ensure 'Audit Process Creation' is set to include 'Success'
+- name: "[Win 11] CIS - Ensure 'Audit Process Creation' is set to include 'Success'"
# platforms: win11
platform: windows
description: |
@@ -3361,7 +3361,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Audit Account Lockout' is set to include 'Failure'
+ [Win 11] CIS - Ensure 'Audit Account Lockout' is set to include 'Failure'
# platforms: win11
platform: windows
description: |
@@ -3377,7 +3377,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Audit Group Membership' is set to include 'Success'
+ [Win 11] CIS - Ensure 'Audit Group Membership' is set to include 'Success'
# platforms: win11
platform: windows
description: |
@@ -3392,7 +3392,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Audit Logoff' is set to include 'Success'
+ [Win 11] CIS - Ensure 'Audit Logoff' is set to include 'Success'
# platforms: win11
platform: windows
description: |
@@ -3409,7 +3409,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Audit Logon' is set to 'Success and Failure'
+ [Win 11] CIS - Ensure 'Audit Logon' is set to 'Success and Failure'
# platforms: win11
platform: windows
description: |
@@ -3428,7 +3428,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'
+ [Win 11] CIS - Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'
# platforms: win11
platform: windows
description: |
@@ -3453,7 +3453,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Audit Special Logon' is set to include 'Success'
+ [Win 11] CIS - Ensure 'Audit Special Logon' is set to include 'Success'
# platforms: win11
platform: windows
description: |
@@ -3468,7 +3468,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Audit Detailed File Share' is set to include 'Failure'
+- name: "[Win 11] CIS - Ensure 'Audit Detailed File Share' is set to include 'Failure'"
# platforms: win11
platform: windows
description: |
@@ -3486,7 +3486,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit File Share' is set to 'Success and Failure'
+- name: "[Win 11] CIS - Ensure 'Audit File Share' is set to 'Success and Failure'"
# platforms: win11
platform: windows
description: |
@@ -3503,7 +3503,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'
+- name: "[Win 11] CIS - Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'"
# platforms: win11
platform: windows
description: |
@@ -3530,7 +3530,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit Removable Storage' is set to 'Success and Failure'
+- name: "[Win 11] CIS - Ensure 'Audit Removable Storage' is set to 'Success and Failure'"
# platforms: win11
platform: windows
description: |
@@ -3547,7 +3547,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit Audit Policy Change' is set to include 'Success'
+- name: "[Win 11] CIS - Ensure 'Audit Audit Policy Change' is set to include 'Success'"
# platforms: win11
platform: windows
description: |
@@ -3573,7 +3573,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit Authentication Policy Change' is set to include 'Success'
+- name: "[Win 11] CIS - Ensure 'Audit Authentication Policy Change' is set to include 'Success'"
# platforms: win11
platform: windows
description: |
@@ -3601,7 +3601,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit Authorization Policy Change' is set to include 'Success'
+- name: "[Win 11] CIS - Ensure 'Audit Authorization Policy Change' is set to include 'Success'"
# platforms: win11
platform: windows
description: |
@@ -3623,7 +3623,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'
+- name: "[Win 11] CIS - Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'"
# platforms: win11
platform: windows
description: |
@@ -3654,7 +3654,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'
+- name: "[Win 11] CIS - Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'"
# platforms: win11
platform: windows
description: |
@@ -3688,7 +3688,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit IPsec Driver' is set to 'Success and Failure'
+- name: "[Win 11] CIS - Ensure 'Audit IPsec Driver' is set to 'Success and Failure'"
# platforms: win11
platform: windows
description: |
@@ -3716,7 +3716,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit Other System Events' is set to 'Success and Failure'
+- name: "[Win 11] CIS - Ensure 'Audit Other System Events' is set to 'Success and Failure'"
# platforms: win11
platform: windows
description: |
@@ -3746,7 +3746,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit Security State Change' is set to include 'Success'
+- name: "[Win 11] CIS - Ensure 'Audit Security State Change' is set to include 'Success'"
# platforms: win11
platform: windows
description: |
@@ -3768,7 +3768,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit Security System Extension' is set to include 'Success'
+- name: "[Win 11] CIS - Ensure 'Audit Security System Extension' is set to include 'Success'"
# platforms: win11
platform: windows
description: |
@@ -3790,7 +3790,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit System Integrity' is set to 'Success and Failure'
+- name: "[Win 11] CIS - Ensure 'Audit System Integrity' is set to 'Success and Failure'"
# platforms: win11
platform: windows
description: |
@@ -3817,7 +3817,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: sharon-fdm
-- name: CIS - Ensure 'Audit Other Policy Change Events' is set to include 'Failure'
+- name: "[Win 11] CIS - Ensure 'Audit Other Policy Change Events' is set to include 'Failure'"
# platforms: win11
platform: windows
description: |
@@ -3845,7 +3845,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -3861,7 +3861,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -3877,7 +3877,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -3893,7 +3893,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow Online Tips' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow Online Tips' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -3909,7 +3909,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure LAPS AdmPwd GPO Extension / CSE is installed
+ [Win 11] CIS - Ensure LAPS AdmPwd GPO Extension / CSE is installed
# platforms: win11
platform: windows
description: |
@@ -3928,7 +3928,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -3947,7 +3947,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'
+ [Win 11] CIS - Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'
# platforms: win11
platform: windows
description: |
@@ -3965,7 +3965,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'
+ [Win 11] CIS - Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'
# platforms: win11
platform: windows
description: |
@@ -3983,7 +3983,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'
+ [Win 11] CIS - Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'
# platforms: win11
platform: windows
description: |
@@ -4002,7 +4002,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4022,7 +4022,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'
+ [Win 11] CIS - Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'
# platforms: win11
platform: windows
description: |
@@ -4038,7 +4038,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure SMB v1 server' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Configure SMB v1 server' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -4054,7 +4054,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4070,7 +4070,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'
+ [Win 11] CIS - Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'
# platforms: win11
platform: windows
description: |
@@ -4091,7 +4091,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'WDigest Authentication' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'WDigest Authentication' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -4109,7 +4109,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -4125,7 +4125,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4141,7 +4141,7 @@
# contributors: defensivedepth
- name: >
- CIS - Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled' (Automated)'
+ [Win 11] CIS - Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled' (Automated)'
# platforms: win11
platform: windows
description: |
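Review bot: The renamed policy name on the added line still ends in an unbalanced quote (`... completely disabled' (Automated)'`), and the next hunk (@@ -4157) has the same problem with `... completely disabled''`. After this rename the two names differ only in that trailing ` (Automated)'` fragment, so someone reading a list of failing policies cannot tell which source-routing check failed. Presumably one of the two covers the IPv6 setting; the queries are outside both hunks, so this needs confirming. If it does, naming that one `'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level'` and ending both names with a single closing quote, `'Enabled: Highest protection, source routing is completely disabled'`, would make them distinguishable. Both policy entries continue outside their hunks.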
@@ -4157,7 +4157,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled''
+ [Win 11] CIS - Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled''
# platforms: win11
platform: windows
description: |
@@ -4173,7 +4173,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4189,7 +4189,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -4205,7 +4205,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4221,7 +4221,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -4237,7 +4237,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4258,7 +4258,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires' is set to 'Enabled: 5 or fewer seconds'
+ [Win 11] CIS - Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires' is set to 'Enabled: 5 or fewer seconds'
# platforms: win11
platform: windows
description: |
@@ -4274,7 +4274,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
+ [Win 11] CIS - Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
# platforms: win11
platform: windows
description: |
@@ -4290,7 +4290,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
+ [Win 11] CIS - Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
# platforms: win11
platform: windows
description: |
@@ -4306,7 +4306,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'
+ [Win 11] CIS - Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'
# platforms: win11
platform: windows
description: |
@@ -4322,7 +4322,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off default IPv6 DNS Servers' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off default IPv6 DNS Servers' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4339,7 +4339,7 @@
# tags: compliance, CIS, CIS_Level2
- name: >
- CIS - Ensure 'Turn off multicast name resolution' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off multicast name resolution' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4355,7 +4355,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Enable Font Providers' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Enable Font Providers' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -4371,7 +4371,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Audit client does not support encryption' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Audit client does not support encryption' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4390,7 +4390,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Audit client does not support signing' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Audit client does not support signing' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4408,7 +4408,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Enable authentication rate limiter' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Enable authentication rate limiter' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4426,7 +4426,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Enable remote mailslots' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Enable remote mailslots' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -4446,7 +4446,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Mandate the minimum version of SMB' is set to 'Enabled: 3.1.1'
+ [Win 11] CIS - Ensure 'Mandate the minimum version of SMB' is set to 'Enabled: 3.1.1'
# platforms: win11
platform: windows
description: |
@@ -4466,7 +4466,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Require Encryption' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Require Encryption' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4483,7 +4483,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Set authentication rate limiter delay (milliseconds)' is set to 'Enabled: 2000' or more
+ [Win 11] CIS - Ensure 'Set authentication rate limiter delay (milliseconds)' is set to 'Enabled: 2000' or more
# platforms: win11
platform: windows
description: |
@@ -4500,7 +4500,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Audit insecure guest logon' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Audit insecure guest logon' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4518,7 +4518,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Audit server does not support encryption' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Audit server does not support encryption' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4536,7 +4536,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Audit server does not support signing' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Audit server does not support signing' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4554,7 +4554,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'
+ [Win 11] CIS - Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'
# platforms: win11
platform: windows
description: |
@@ -4570,7 +4570,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enable insecure guest logons' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Enable insecure guest logons' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -4586,7 +4586,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -4602,7 +4602,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -4618,7 +4618,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4634,7 +4634,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4650,7 +4650,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4666,7 +4666,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4682,7 +4682,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4698,7 +4698,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -4713,7 +4713,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'
+ [Win 11] CIS - Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'
# platforms: win11
platform: windows
description: |
@@ -4728,7 +4728,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'
+ [Win 11] CIS - Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'
# platforms: win11
platform: windows
description: |
@@ -4743,7 +4743,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure multicast DNS (mDNS) protocol' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Configure multicast DNS (mDNS) protocol' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -4761,7 +4761,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'
+ [Win 11] CIS - Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'
# platforms: win11
platform: windows
description: |
@@ -4776,7 +4776,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Turn off notifications network usage' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off notifications network usage' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4791,7 +4791,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'
+ [Win 11] CIS - Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'
# platforms: win11
platform: windows
description: |
@@ -4807,7 +4807,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'
+ [Win 11] CIS - Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'
# platforms: win11
platform: windows
description: |
@@ -4823,7 +4823,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'
+ [Win 11] CIS - Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'
# platforms: win11
platform: windows
description: |
@@ -4839,7 +4839,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'
+ [Win 11] CIS - Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'
# platforms: win11
platform: windows
description: |
@@ -4855,7 +4855,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher
+ [Win 11] CIS - Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher
# platforms: win11
platform: windows
description: |
@@ -4871,7 +4871,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'
+ [Win 11] CIS - Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'
# platforms: win11
platform: windows
description: |
@@ -4887,7 +4887,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Configure Windows protected print' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Configure Windows protected print' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4913,7 +4913,7 @@
# tags: compliance, CIS, CIS_Level2
- name: >
- CIS - Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4929,7 +4929,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Include command line in process creation events' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Include command line in process creation events' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4944,7 +4944,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'
+ [Win 11] CIS - Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'
# platforms: win11
platform: windows
description: |
@@ -4959,7 +4959,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4974,7 +4974,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -4989,7 +4989,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot' or higher
+ [Win 11] CIS - Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot' or higher
# platforms: win11
platform: windows
description: |
@@ -5008,7 +5008,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection'
+ [Win 11] CIS - Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection'
# platforms: win11
platform: windows
description: |
@@ -5023,7 +5023,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'
+ [Win 11] CIS - Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'
# platforms: win11
platform: windows
description: |
@@ -5038,7 +5038,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'
+ [Win 11] CIS - Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'
# platforms: win11
platform: windows
description: |
@@ -5053,7 +5053,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock'
+ [Win 11] CIS - Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock'
# platforms: win11
platform: windows
description: |
@@ -5068,7 +5068,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5083,7 +5083,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn On Virtualization Based Security: Kernel-mode Hardware-enforced Stack Protection' is set to 'Enabled: Enabled in enforcement mode'
+ [Win 11] CIS - Ensure 'Turn On Virtualization Based Security: Kernel-mode Hardware-enforced Stack Protection' is set to 'Enabled: Enabled in enforcement mode'
# platforms: win11
platform: windows
description: |
@@ -5103,7 +5103,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5120,7 +5120,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes'
+ [Win 11] CIS - Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes'
# platforms: win11
platform: windows
description: |
@@ -5137,7 +5137,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)
+ [Win 11] CIS - Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)
# platforms: win11
platform: windows
description: |
@@ -5154,7 +5154,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5169,7 +5169,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' (Automated)
+ [Win 11] CIS - Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' (Automated)
# platforms: win11
platform: windows
description: |
@@ -5190,7 +5190,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
+ [Win 11] CIS - Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
# platforms: win11
platform: windows
description: |
@@ -5206,7 +5206,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
+ [Win 11] CIS - Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
# platforms: win11
platform: windows
description: |
@@ -5222,7 +5222,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Continue experiences on this device' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Continue experiences on this device' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -5238,7 +5238,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -5260,7 +5260,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Turn off access to the Store' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off access to the Store' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5276,7 +5276,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5292,7 +5292,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5309,7 +5309,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5326,7 +5326,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5342,7 +5342,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5358,7 +5358,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off printing over HTTP' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5374,7 +5374,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5390,7 +5390,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5406,7 +5406,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5423,7 +5423,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5438,7 +5438,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5453,7 +5453,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5469,7 +5469,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5484,7 +5484,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'
+ [Win 11] CIS - Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'
# platforms: win11
platform: windows
description: |
@@ -5501,7 +5501,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'
+ [Win 11] CIS - Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'
# platforms: win11
platform: windows
description: |
@@ -5517,7 +5517,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' (Automated)
+ [Win 11] CIS - Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' (Automated)
# platforms: win11
platform: windows
description: |
@@ -5533,7 +5533,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5548,7 +5548,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Do not display network selection UI' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Do not display network selection UI' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5563,7 +5563,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5578,7 +5578,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -5593,7 +5593,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5608,7 +5608,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off picture password sign-in' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off picture password sign-in' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5623,7 +5623,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -5638,7 +5638,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Block NetBIOS-based discovery for domain controller location' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Block NetBIOS-based discovery for domain controller location' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5655,7 +5655,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -5670,7 +5670,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow upload of User Activities' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow upload of User Activities' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -5685,7 +5685,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -5700,7 +5700,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -5715,7 +5715,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -5730,7 +5730,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -5745,7 +5745,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5760,7 +5760,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5775,7 +5775,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -5790,7 +5790,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -5805,7 +5805,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5821,7 +5821,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure SAM change password RPC methods policy' is set to 'Enabled: Block all change password RPC methods'
+ [Win 11] CIS - Ensure 'Configure SAM change password RPC methods policy' is set to 'Enabled: Block all change password RPC methods'
# platforms: win11
platform: windows
description: |
@@ -5838,7 +5838,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'
+ [Win 11] CIS - Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'
# platforms: win11
platform: windows
description: |
@@ -5859,7 +5859,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -5875,7 +5875,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -5891,7 +5891,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off the advertising ID' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off the advertising ID' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5907,7 +5907,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enable Windows NTP Client' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Enable Windows NTP Client' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5923,7 +5923,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enable Windows NTP Server' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Enable Windows NTP Server' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -5939,7 +5939,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure the behavior of the sudo command' is set to 'Enabled: Disabled'
+ [Win 11] CIS - Ensure 'Configure the behavior of the sudo command' is set to 'Enabled: Disabled'
# platforms: win11
platform: windows
description: |
@@ -5958,7 +5958,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Turn off API Sampling' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off API Sampling' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5977,7 +5977,7 @@
# tags: compliance, CIS, CIS_Level2
- name: >
- CIS - Ensure 'Turn off Application Footprint' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off Application Footprint' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -5996,7 +5996,7 @@
# tags: compliance, CIS, CIS_Level2
- name: >
- CIS - Ensure 'Turn off Install Tracing' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off Install Tracing' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -6013,7 +6013,7 @@
# purpose: Informational
# tags: compliance, CIS, CIS_Level2
-- name: CIS - Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'
+- name: "[Win 11] CIS - Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'"
# platforms: win11
platform: windows
description: |
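Review bot: The file now mixes two scalar styles for `name`, and they do not produce the same kind of string. The double quotes added here are needed, because a plain scalar starting with `[` would be parsed as a flow sequence. The neighbouring `- name: >` entries, however, are folded scalars with default chomping, so their value ends in a newline while this one does not. If anything compares or deduplicates policy names exactly (not visible here), the two forms behave differently. I would settle on one form, for instance `- name: >-` on the folded entries, or double quotes throughout as on this line.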
@@ -6031,7 +6031,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Not allow per-user unsigned packages to install by default (requires explicitly allow per install)' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Not allow per-user unsigned packages to install by default (requires explicitly allow per install)' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -6048,7 +6048,7 @@
# purpose: Informational
# tags: compliance, CIS, CIS_Level1
-- name: CIS - Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled'
+- name: "[Win 11] CIS - Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled'"
# platforms: win11
platform: windows
description: |
@@ -6063,7 +6063,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled Force Deny'
+- name: "[Win 11] CIS - Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled Force Deny'"
# platforms: win11
platform: windows
description: |
@@ -6078,7 +6078,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
+- name: "[Win 11] CIS - Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'"
# platforms: win11
platform: windows
description: |
@@ -6094,7 +6094,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content' is set to 'Enabled'
+- name: "[Win 11] CIS - Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content' is set to 'Enabled'"
# platforms: win11
platform: windows
description: |
@@ -6109,7 +6109,7 @@
# tags: compliance, CIS, CIS_Level2
# contributors: marcosd4h
-- name: CIS - Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
+- name: "[Win 11] CIS - Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'"
# platforms: win11
platform: windows
description: |
@@ -6124,7 +6124,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Set the default behavior for AutoRun' is set to 'Enabled Do not execute any autorun commands'
+- name: "[Win 11] CIS - Ensure 'Set the default behavior for AutoRun' is set to 'Enabled Do not execute any autorun commands'"
# platforms: win11
platform: windows
description: |
@@ -6140,7 +6140,7 @@
# tags: compliance, CIS, CIS_Level1
# contributors: marcosd4h
-- name: CIS - Ensure 'Turn off Autoplay' is set to 'Enabled All drives'
+- name: "[Win 11] CIS - Ensure 'Turn off Autoplay' is set to 'Enabled All drives'"
# platforms: win11
platform: windows
description: |
@@ -6157,7 +6157,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -6173,7 +6173,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -6189,7 +6189,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -6210,7 +6210,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'
# platforms: win11
platform: windows
description: |
@@ -6227,7 +6227,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' or higher
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' or higher
# platforms: win11
platform: windows
description: |
@@ -6245,7 +6245,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key or higher'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key or higher'
# platforms: win11
platform: windows
description: |
@@ -6262,7 +6262,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'
# platforms: win11
platform: windows
description: |
@@ -6279,7 +6279,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'
# platforms: win11
platform: windows
description: |
@@ -6296,7 +6296,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'
# platforms: win11
platform: windows
description: |
@@ -6313,7 +6313,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'
# platforms: win11
platform: windows
description: |
@@ -6330,7 +6330,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -6347,7 +6347,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -6364,7 +6364,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -6381,7 +6381,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'
+ [Win 11] CIS - Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'
# platforms: win11
platform: windows
description: |
@@ -6398,7 +6398,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -6415,7 +6415,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -6432,7 +6432,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -6453,7 +6453,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'
# platforms: win11
platform: windows
description: |
@@ -6470,7 +6470,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password'
# platforms: win11
platform: windows
description: |
@@ -6487,7 +6487,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'
# platforms: win11
platform: windows
description: |
@@ -6504,7 +6504,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'
# platforms: win11
platform: windows
description: |
@@ -6521,7 +6521,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'
# platforms: win11
platform: windows
description: |
@@ -6538,7 +6538,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages'
# platforms: win11
platform: windows
description: |
@@ -6555,7 +6555,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'
# platforms: win11
platform: windows
description: |
@@ -6572,7 +6572,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -6589,7 +6589,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -6606,7 +6606,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Require additional authentication at startup' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Require additional authentication at startup' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -6622,7 +6622,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'
+ [Win 11] CIS - Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'
# platforms: win11
platform: windows
description: |
@@ -6638,7 +6638,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled' (Automated)
+ [Win 11] CIS - Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled' (Automated)
# platforms: win11
platform: windows
description: |
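Review bot: The rewritten name keeps a trailing `(Automated)`, the benchmark's assessment-status marker, which no other policy name in this part of the diff carries. Since the line is being touched anyway, I would end the name at `is set to 'Disabled'`. A similar leftover is in the hunk at -6692, where the new line still reads `'Enabled: Do not allow 48- digit recovery password'`. The stray space after `48-` looks like a line-wrap artifact from the source document, so it should probably be `48-digit`, as in the fixed-drive and OS-drive entries.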
@@ -6654,7 +6654,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -6675,7 +6675,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'
# platforms: win11
platform: windows
description: |
@@ -6692,7 +6692,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48- digit recovery password'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48- digit recovery password'
# platforms: win11
platform: windows
description: |
@@ -6709,7 +6709,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'
# platforms: win11
platform: windows
description: |
@@ -6726,7 +6726,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'
# platforms: win11
platform: windows
description: |
@@ -6743,7 +6743,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False'
# platforms: win11
platform: windows
description: |
@@ -6760,7 +6760,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages'
# platforms: win11
platform: windows
description: |
@@ -6777,7 +6777,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False'
+ [Win 11] CIS - Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False'
# platforms: win11
platform: windows
description: |
@@ -6794,7 +6794,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -6811,7 +6811,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -6827,7 +6827,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -6844,7 +6844,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True'
+ [Win 11] CIS - Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True'
# platforms: win11
platform: windows
description: |
@@ -6861,7 +6861,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -6878,7 +6878,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'
+ [Win 11] CIS - Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'
# platforms: win11
platform: windows
description: |
@@ -6894,7 +6894,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -6910,7 +6910,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow Use of Camera' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow Use of Camera' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -6926,7 +6926,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -6941,7 +6941,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Turn off cloud optimized content' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off cloud optimized content' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -6956,7 +6956,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -6971,7 +6971,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'
+ [Win 11] CIS - Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'
# platforms: win11
platform: windows
description: |
@@ -6986,7 +6986,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Do not display the password reveal button' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Do not display the password reveal button' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7001,7 +7001,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -7016,7 +7016,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7031,7 +7031,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'
+ [Win 11] CIS - Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'
# platforms: win11
platform: windows
description: |
@@ -7050,7 +7050,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'
+ [Win 11] CIS - Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'
# platforms: win11
platform: windows
description: |
@@ -7065,7 +7065,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Disable OneSettings Downloads' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Disable OneSettings Downloads' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7081,7 +7081,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Do not show feedback notifications' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Do not show feedback notifications' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7096,7 +7096,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enable OneSettings Auditing' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Enable OneSettings Auditing' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7112,7 +7112,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7128,7 +7128,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Limit Dump Collection' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Limit Dump Collection' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7144,7 +7144,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Download Mode' is NOT set to 'Enabled: Internet'
+ [Win 11] CIS - Ensure 'Download Mode' is NOT set to 'Enabled: Internet'
# platforms: win11
platform: windows
description: |
@@ -7166,7 +7166,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -7182,7 +7182,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock'
+ [Win 11] CIS - Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock'
# platforms: win11
platform: windows
description: |
@@ -7223,7 +7223,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -7240,7 +7240,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
+ [Win 11] CIS - Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
# platforms: win11
platform: windows
description: |
@@ -7257,7 +7257,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -7274,7 +7274,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
+ [Win 11] CIS - Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
# platforms: win11
platform: windows
description: |
@@ -7291,7 +7291,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -7308,7 +7308,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
+ [Win 11] CIS - Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
# platforms: win11
platform: windows
description: |
@@ -7325,7 +7325,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -7342,7 +7342,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
+ [Win 11] CIS - Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
# platforms: win11
platform: windows
description: |
@@ -7359,7 +7359,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -7375,7 +7375,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Do not apply the Mark of the Web tag to files copied from insecure sources' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Do not apply the Mark of the Web tag to files copied from insecure sources' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -7392,7 +7392,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Turn off account-based insights, recent, favorite, and recommended files in File Explorer' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off account-based insights, recent, favorite, and recommended files in File Explorer' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7407,7 +7407,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Turn off heap termination on corruption' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Turn off heap termination on corruption' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -7423,7 +7423,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -7439,7 +7439,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7455,7 +7455,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off location' is set to 'Enabled
+ [Win 11] CIS - Ensure 'Turn off location' is set to 'Enabled
# platforms: win11
platform: windows
description: |
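Review bot: The renamed title on the added line still ends with an unbalanced quote (`'Enabled` with no closing `'`), unlike the neighbouring policy titles. Since the commit already rewrites this line, it is a good moment to fix it: `[Win 11] CIS - Ensure 'Turn off location' is set to 'Enabled'`. If any tooling or report matches policies by exact name, the corrected string should be used consistently there as well.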
@@ -7471,7 +7471,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7487,7 +7487,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Enable EDR in block mode' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Enable EDR in block mode' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7506,7 +7506,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -7522,7 +7522,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Join Microsoft MAPS' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Join Microsoft MAPS' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -7544,7 +7544,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Configure Attack Surface Reduction Rules' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Configure Attack Surface Reduction Rules' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7560,7 +7560,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured
+ [Win 11] CIS - Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured
# platforms: win11
platform: windows
description: |
@@ -7615,7 +7615,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'
+ [Win 11] CIS - Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'
# platforms: win11
platform: windows
description: |
@@ -7631,7 +7631,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -7647,7 +7647,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enable file hash computation feature' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Enable file hash computation feature' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7663,7 +7663,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Convert warn verdict to block' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Convert warn verdict to block' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7680,7 +7680,7 @@
# tags: compliance, CIS, CIS_Level2
- name: >
- CIS - Ensure 'Configure real-time protection and Security Intelligence Updates during OOBE' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Configure real-time protection and Security Intelligence Updates during OOBE' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7697,7 +7697,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7714,7 +7714,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Turn off real-time protection' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Turn off real-time protection' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -7732,7 +7732,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Turn on behavior monitoring' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn on behavior monitoring' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7749,7 +7749,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Turn on script scanning' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn on script scanning' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7766,7 +7766,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Configure Brute-Force Protection aggressiveness' is set to 'Enabled: Medium' or higher
+ [Win 11] CIS - Ensure 'Configure Brute-Force Protection aggressiveness' is set to 'Enabled: Medium' or higher
# platforms: win11
platform: windows
description: |
@@ -7784,7 +7784,7 @@
# tags: compliance, CIS, CIS_Level2
- name: >
- CIS - Ensure 'Configure Remote Encryption Protection Mode' is set to 'Enabled: Audit' or higher
+ [Win 11] CIS - Ensure 'Configure Remote Encryption Protection Mode' is set to 'Enabled: Audit' or higher
# platforms: win11
platform: windows
description: |
@@ -7804,7 +7804,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Configure how aggressively Remote Encryption Protection blocks threats' is set to 'Enabled: Medium' or higher
+ [Win 11] CIS - Ensure 'Configure how aggressively Remote Encryption Protection blocks threats' is set to 'Enabled: Medium' or higher
# platforms: win11
platform: windows
description: |
@@ -7821,7 +7821,7 @@
# tags: compliance, CIS, CIS_Level2
- name: >
- CIS - Ensure 'Configure Watson events' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Configure Watson events' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -7838,7 +7838,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Scan excluded files and directories during quick scans' is set to 'Enabled: 1'
+ [Win 11] CIS - Ensure 'Scan excluded files and directories during quick scans' is set to 'Enabled: 1'
# platforms: win11
platform: windows
description: |
@@ -7855,7 +7855,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Scan removable drives' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Scan removable drives' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7872,7 +7872,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Trigger a quick scan after X days without any scans' is set to 'Enabled: 7'
+ [Win 11] CIS - Ensure 'Trigger a quick scan after X days without any scans' is set to 'Enabled: 7'
# platforms: win11
platform: windows
description: |
@@ -7889,7 +7889,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Turn on e-mail scanning' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn on e-mail scanning' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7906,7 +7906,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'
+ [Win 11] CIS - Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'
# platforms: win11
platform: windows
description: |
@@ -7922,7 +7922,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Control whether exclusions are visible to local users' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Control whether exclusions are visible to local users' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7939,7 +7939,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Allow auditing events in Microsoft Defender Application Guard' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Allow auditing events in Microsoft Defender Application Guard' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -7955,7 +7955,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow camera and microphone access in Microsoft Defender Application Guard' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow camera and microphone access in Microsoft Defender Application Guard' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -7971,7 +7971,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow data persistence for Microsoft Defender Application Guard' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow data persistence for Microsoft Defender Application Guard' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -7987,7 +7987,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow files to download and save to the host operating system from Microsoft Defender Application Guard' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow files to download and save to the host operating system from Microsoft Defender Application Guard' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8003,7 +8003,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'
+ [Win 11] CIS - Ensure 'Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'
# platforms: win11
platform: windows
description: |
@@ -8019,7 +8019,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to 'Enabled: 1'
+ [Win 11] CIS - Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to 'Enabled: 1'
# platforms: win11
platform: windows
description: |
@@ -8040,7 +8040,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enable news and interests on the taskbar' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Enable news and interests on the taskbar' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8057,7 +8057,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8075,7 +8075,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Turn off Push To Install service' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off Push To Install service' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8092,7 +8092,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Allow UI Automation redirection' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow UI Automation redirection' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8107,7 +8107,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Do not allow location redirection' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Do not allow location redirection' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8122,7 +8122,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8137,7 +8137,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Turn on Basic feed authentication over HTTP' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Turn on Basic feed authentication over HTTP' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8155,7 +8155,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'
+ [Win 11] CIS - Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'
# platforms: win11
platform: windows
description: |
@@ -8170,7 +8170,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Allow Cortana' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow Cortana' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8185,7 +8185,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Allow Cortana above lock screen' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow Cortana above lock screen' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8199,7 +8199,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Allow indexing of encrypted files' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow indexing of encrypted files' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8214,7 +8214,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Allow search and Cortana to use location' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow search and Cortana to use location' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8229,7 +8229,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Disable Cloud Clipboard integration for server-to-client data transfer' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Disable Cloud Clipboard integration for server-to-client data transfer' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8244,7 +8244,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8262,7 +8262,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8277,7 +8277,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Do not allow COM port redirection' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Do not allow COM port redirection' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8292,7 +8292,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Do not allow drive redirection' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Do not allow drive redirection' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8307,7 +8307,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Do not allow LPT port redirection' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Do not allow LPT port redirection' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8322,7 +8322,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8337,7 +8337,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Always prompt for password upon connection' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Always prompt for password upon connection' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8352,7 +8352,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Require secure RPC communication' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Require secure RPC communication' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8367,7 +8367,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'
+ [Win 11] CIS - Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'
# platforms: win11
platform: windows
description: |
@@ -8382,7 +8382,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8397,7 +8397,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'
+ [Win 11] CIS - Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'
# platforms: win11
platform: windows
description: |
@@ -8415,7 +8415,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'
+ [Win 11] CIS - Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'
# platforms: win11
platform: windows
description: |
@@ -8431,7 +8431,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'
+ [Win 11] CIS - Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'
# platforms: win11
platform: windows
description: |
@@ -8446,7 +8446,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8461,7 +8461,7 @@
# contributors: artemist-work
- name: >
- CIS - Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8477,7 +8477,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8493,7 +8493,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8509,7 +8509,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8525,7 +8525,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off the Store application' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off the Store application' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8541,7 +8541,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow widgets' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow widgets' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8557,7 +8557,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Notify Malicious' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Notify Malicious' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8573,7 +8573,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Notify Password Reuse' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Notify Password Reuse' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8590,7 +8590,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Notify Unsafe App' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Notify Unsafe App' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8607,7 +8607,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Service Enabled' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Service Enabled' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8624,7 +8624,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'
+ [Win 11] CIS - Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'
# platforms: win11
platform: windows
description: |
@@ -8643,7 +8643,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8659,7 +8659,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Enable ESS with Supported Peripherals' is set to 'Enabled: 1'
+ [Win 11] CIS - Ensure 'Enable ESS with Supported Peripherals' is set to 'Enabled: 1'
# platforms: win11
platform: windows
description: |
@@ -8674,7 +8674,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8690,7 +8690,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Allow user control over installs' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow user control over installs' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8707,7 +8707,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Always install with elevated privileges' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Always install with elevated privileges' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8723,7 +8723,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8740,7 +8740,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure the transmission of the user's password in the content of MPR notifications sent by winlogon.' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Configure the transmission of the user's password in the content of MPR notifications sent by winlogon.' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8764,7 +8764,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8781,7 +8781,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8797,7 +8797,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Allow Basic authentication' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow Basic authentication' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8812,7 +8812,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Allow unencrypted traffic' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow unencrypted traffic' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8827,7 +8827,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Disallow Digest authentication' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Disallow Digest authentication' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8842,7 +8842,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Allow Basic authentication' in WinRM service is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow Basic authentication' in WinRM service is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8857,7 +8857,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Allow remote server management through WinRM' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow remote server management through WinRM' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8874,7 +8874,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Allow unencrypted traffic' in WinRM service is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow unencrypted traffic' in WinRM service is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8889,7 +8889,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8905,7 +8905,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Allow Remote Shell Access' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow Remote Shell Access' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8920,7 +8920,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8936,7 +8936,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Allow mapping folders into Windows Sandbox' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow mapping folders into Windows Sandbox' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8953,7 +8953,7 @@
# tags: compliance, CIS, CIS_Level2
- name: >
- CIS - Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -8969,7 +8969,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Prevent users from modifying settings' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Prevent users from modifying settings' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -8985,7 +8985,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -9000,7 +9000,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Configure Automatic Updates' is set to 'Enabled: 3'
+ [Win 11] CIS - Ensure 'Configure Automatic Updates' is set to 'Enabled: 3'
# platforms: win11
platform: windows
description: |
@@ -9019,7 +9019,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'
+ [Win 11] CIS - Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'
# platforms: win11
platform: windows
description: |
@@ -9037,7 +9037,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -9052,7 +9052,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Manage preview builds' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Manage preview builds' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -9067,7 +9067,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'
+ [Win 11] CIS - Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'
# platforms: win11
platform: windows
description: |
@@ -9085,7 +9085,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'
+ [Win 11] CIS - Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'
# platforms: win11
platform: windows
description: |
@@ -9103,7 +9103,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Enable App Installer' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Enable App Installer' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -9119,7 +9119,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -9135,7 +9135,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Enable App Installer Hash Override' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Enable App Installer Hash Override' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -9151,7 +9151,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Enable App Installer Local Archive Malware Scan Override' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Enable App Installer Local Archive Malware Scan Override' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -9171,7 +9171,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Enable App Installer Microsoft Store Source Certificate Validation Bypass' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Enable App Installer Microsoft Store Source Certificate Validation Bypass' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -9190,7 +9190,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -9206,7 +9206,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Enable Windows Package Manager command line interfaces' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Enable Windows Package Manager command line interfaces' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -9224,7 +9224,7 @@
# tags: compliance, CIS, CIS_Level2
- name: >
- CIS - Ensure 'Do not allow WebAuthn redirection' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Do not allow WebAuthn redirection' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -9240,7 +9240,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Restrict clipboard transfer from server to client' is set to 'Enabled: Disable clipboard transfers from server to client'
+ [Win 11] CIS - Ensure 'Restrict clipboard transfer from server to client' is set to 'Enabled: Disable clipboard transfers from server to client'
# platforms: win11
platform: windows
description: |
@@ -9257,7 +9257,7 @@
# tags: compliance, CIS, CIS_Level2
- name: >
- CIS - Ensure 'Allow search highlights' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Allow search highlights' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -9273,7 +9273,7 @@
# contributors: DefensiveDepth
- name: >
- CIS - Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'
+ [Win 11] CIS - Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'
# platforms: win11
platform: windows
description: |
@@ -9289,7 +9289,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -9305,7 +9305,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -9322,7 +9322,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -9339,7 +9339,7 @@
# contributors: sharon-fdm
- name: >
- CIS - Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'
+ [Win 11] CIS - Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'
# platforms: win11
platform: windows
description: |
@@ -9355,7 +9355,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -9371,7 +9371,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'
+ [Win 11] CIS - Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'
# platforms: win11
platform: windows
description: |
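Review bot: The renamed policy title in this hunk keeps an unbalanced quote, `is set to Disabled'`, while every other title in the file quotes the expected value on both sides. Since the line is being rewritten anyway, it could read `[Win 11] CIS - Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'`. Anything that matches or searches these titles by the quoted value, such as a compliance report filter, would otherwise miss this one. The policy entry continues past the end of the hunk, so the rest of its definition is not visible here.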
@@ -9387,7 +9387,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -9403,7 +9403,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -9419,7 +9419,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -9435,7 +9435,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -9452,7 +9452,7 @@
# contributors: marcosd4h
- name: >
- CIS - Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -9468,7 +9468,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Turn off Windows Copilot' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Turn off Windows Copilot' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
@@ -9487,7 +9487,7 @@
# tags: compliance, CIS, CIS_Level1
- name: >
- CIS - Ensure 'Always install with elevated privileges' is set to 'Disabled' (User Configuration)
+ [Win 11] CIS - Ensure 'Always install with elevated privileges' is set to 'Disabled' (User Configuration)
# platforms: win11
platform: windows
description: |
@@ -9504,7 +9504,7 @@
# contributors: rachelelysia
- name: >
- CIS - Ensure 'Prevent Codec Download' is set to 'Enabled'
+ [Win 11] CIS - Ensure 'Prevent Codec Download' is set to 'Enabled'
# platforms: win11
platform: windows
description: |
diff --git a/docs/solutions/cis/win-11/scripts/account-and-password-policies.ps1 b/docs/solutions/cis/win-11/scripts/win11-account-and-password-policies.ps1
similarity index 100%
rename from docs/solutions/cis/win-11/scripts/account-and-password-policies.ps1
rename to docs/solutions/cis/win-11/scripts/win11-account-and-password-policies.ps1
diff --git a/docs/solutions/cis/win-11/scripts/audit-policy.ps1 b/docs/solutions/cis/win-11/scripts/win11-audit-policy.ps1
similarity index 100%
rename from docs/solutions/cis/win-11/scripts/audit-policy.ps1
rename to docs/solutions/cis/win-11/scripts/win11-audit-policy.ps1
diff --git a/docs/solutions/cis/win-11/scripts/user-rights-assignment.ps1 b/docs/solutions/cis/win-11/scripts/win11-user-rights-assignment.ps1
similarity index 100%
rename from docs/solutions/cis/win-11/scripts/user-rights-assignment.ps1
rename to docs/solutions/cis/win-11/scripts/win11-user-rights-assignment.ps1
diff --git a/docs/solutions/cis/win-11/scripts/windows-firewall.ps1 b/docs/solutions/cis/win-11/scripts/win11-windows-firewall.ps1
similarity index 100%
rename from docs/solutions/cis/win-11/scripts/windows-firewall.ps1
rename to docs/solutions/cis/win-11/scripts/win11-windows-firewall.ps1
diff --git a/docs/solutions/cis/win-11/scripts/windows-settings.ps1 b/docs/solutions/cis/win-11/scripts/win11-windows-settings.ps1
similarity index 100%
rename from docs/solutions/cis/win-11/scripts/windows-settings.ps1
rename to docs/solutions/cis/win-11/scripts/win11-windows-settings.ps1