diff --git a/ee/cis/win-10/cis-policy-queries.yml b/ee/cis/win-10/cis-policy-queries.yml index 454442311e..0d66c1fd87 100644 --- a/ee/cis/win-10/cis-policy-queries.yml +++ b/ee/cis/win-10/cis-policy-queries.yml 
@@ -134,6 +134,215 @@ spec: --- apiVersion: v1 kind: policy +spec: + name: CIS - Ensure 'Account lockout duration' is set to '15 or more minute(s)' (Automated) + platforms: win10 + platform: windows + description: | + This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, locked out accounts will remain locked out until an administrator manually unlocks them. + Although it might seem like a good idea to configure the value for this policy setting to a high value, such a configuration will likely increase the number of calls that the help desk receives to unlock accounts locked by mistake. Users should be aware of the length of time a lock remains in place, so that they realize they only need to call the help desk if they have an extremely urgent need to regain access to their computer. + The recommended state for this setting is: 15 or more minute(s). + Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center. 
+ resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to '15 or more minute(s)': + 'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration' + query: | + SELECT 1 FROM todo_add_query; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.2.1 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' + platforms: win10 + platform: windows + description: | + This policy setting determines the number of failed logon attempts before the account is locked. Setting this policy to 0 does not conform to the benchmark as doing so disables the account lockout threshold. + The recommended state for this setting is: 5 or fewer invalid logon attempt(s), but not 0. + Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center. 
+ resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to '5 or fewer invalid login attempt(s), but not 0': + 'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold' + query: | + SELECT 1 FROM todo_add_query; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.2.2 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' (Automated) + platforms: win10 + platform: windows + description: | + This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setting. + If you leave this policy setting at its default value or configure the value to an interval that is too long, your environment could be vulnerable to a DoS attack. An attacker could maliciously perform a number of failed logon attempts on all users in the organization, which will lock out their accounts. If no policy were determined to reset the account lockout, it would be a manual task for administrators. Conversely, if a reasonable time value is configured for this policy setting, users would be locked out for a set period until all of the accounts are unlocked automatically. + The recommended state for this setting is: 15 or more minute(s). + Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. 
If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center. + resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to '15 or more minute(s)': + 'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after' + query: | + SELECT 1 FROM todo_add_query; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.2.3 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' + platforms: win10 + platform: windows + description: | + This security setting is used by Credential Manager during Backup and Restore. No accounts should have this user right, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this user right is assigned to other entities. + The recommended state for this setting is: No One. 
+ resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to an empty list of users: + 'Computer Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access Credential Manager as a trusted caller' + query: | + SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/AccessCredentialManagerAsTrustedCaller" + AND mdm_command_output = ""; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.1 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users' + platforms: win10 + platform: windows + description: | + This policy setting allows other users on the network to connect to the computer and is required by various network protocols that include Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+). + The recommended state for this setting is: Administrators, Remote Desktop Users. 
+ resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to a list containing only 'Administrators' and 'Remote Desktop Users': + 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network' + query: | + SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/AccessFromNetwork" + AND mdm_command_output LIKE "Administrators_REMOTE INTERACTIVE LOGON"; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.2, english-support-only + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Act as part of the operating system' is set to 'No One' (Automated) + platforms: win10 + platform: windows + description: | + This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. + The recommended state for this setting is: No One. + Note: This user right is considered a "sensitive privilege" for the purposes of auditing. 
+ resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to an empty list of users: + 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system' + query: | + SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Config/UserRights/ActAsPartOfTheOperatingSystem" AND mdm_command_output = ""; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.3 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' + platforms: win10 + platform: windows + description: | + This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial of service (DoS) attack. + The recommended state for this setting is: Administrators, LOCAL SERVICE, NETWORK SERVICE. 
+ resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to a list of only 'Administrators', 'LOCAL SERVICE' and 'NETWORK SERVICE': + 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process' + query: | + SELECT 1 FROM todo_add_query; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.4, english-support-only + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Allow log on locally' is set to 'Administrators, Users' + platforms: win10 + platform: windows + description: | + This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the client computer keyboard require this user right. Users who attempt to log on through Terminal Services / Remote Desktop Services or IIS also require this user right. + The recommended state for this setting is: Administrators, Users. + Note: The Guest account is also assigned this user right by default. Although this account is disabled by default, it's recommended that you configure this setting through Group Policy. However, this user right should generally be restricted to the Administrators and Users groups. Assign this user right to the Backup Operators group if your organization requires that they have this capability. 
+ resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to a list containing only 'Administrators' and 'Users': + 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally' + query: | + SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/AllowLocalLogOn" + AND + ( + mdm_command_output LIKE "Administrators_Users" + OR + mdm_command_output LIKE "Users_Administrators" + ); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.5, english-support-only + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' + platforms: win10 + platform: windows + description: | + This policy setting determines which users or groups have the right to log on as a Remote Desktop Services client. If your organization uses Remote Assistance as part of its help desk strategy, create a group and assign it this user right through Group Policy. If the help desk in your organization does not use Remote Assistance, assign this user right only to the Administrators group or use the Restricted Groups feature to ensure that no user accounts are part of the Remote Desktop Users group. + Restrict this user right to the Administrators group, and possibly the Remote Desktop Users group, to prevent unwanted users from gaining access to computers on your network by means of the Remote Assistance feature. + The recommended state for this setting is: Administrators, Remote Desktop Users. Note: The above list is to be treated as a whitelist, which implies that the above + principals need not be present for assessment of this recommendation to pass. 
+ Note #2: In all versions of Windows prior to Windows 7, Remote Desktop Services was known as Terminal Services, so you should substitute the older term if comparing against an older OS. + resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Administrators, Remote Desktop Users': + 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Remote Desktop Services' + query: | + SELECT 1 FROM todo_add_query; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.6, english-support-only + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Back up files and directories' is set to 'Administrators' + platforms: win10 + platform: windows + description: | + This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programming interface (API). Otherwise, the assigned file and directory permissions apply. + The recommended state for this setting is: Administrators. + Note: This user right is considered a "sensitive privilege" for the purposes of auditing. 
+ resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to a list containing only 'Administrators': + 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Back up files and directories' + query: | + SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/BackupFilesAndDirectories" AND mdm_command_output = "Administrators"; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.7, english-support-only + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy spec: name: CIS - Ensure 'Accounts Administrator account status' is set to 'Disabled' platforms: win10 @@ -457,4 +666,3 @@ spec: purpose: Informational tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.7.8 contributors: marcosd4h ---- \ No newline at end of file diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.1 b/ee/cis/win-10/test/instructions/CIS_2.2.1 new file mode 100644 index 0000000000..2547b2dcf0 --- /dev/null +++ b/ee/cis/win-10/test/instructions/CIS_2.2.1 @@ -0,0 +1,16 @@ +Expected scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to "": +'Computer Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access Credential Manager as a trusted caller' + +2) After running the policy check, it should return 1 indicating that setting was properly set + + + +Failure scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to have any user (add any user) +'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age' + +2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value + 
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.2 b/ee/cis/win-10/test/instructions/CIS_2.2.2 new file mode 100644 index 0000000000..f899926cb6 --- /dev/null +++ b/ee/cis/win-10/test/instructions/CIS_2.2.2 @@ -0,0 +1,14 @@ +Expected scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to a list containing only 'Administrators' and 'Remote Desktop Users': +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network' +2) After running the policy check, it should return 1 indicating that setting was properly set + + + +Failure scenario +================== +1) Open "Edit Group Policy" tool and set the path above to a different list: +2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value + + diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.3 b/ee/cis/win-10/test/instructions/CIS_2.2.3 new file mode 100644 index 0000000000..9d277a089f --- /dev/null +++ b/ee/cis/win-10/test/instructions/CIS_2.2.3 @@ -0,0 +1,14 @@ +Expected scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to an empty list of users: +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system' +2) After running the policy check, it should return 1 indicating that setting was properly set + + + +Failure scenario +================== +1) Open "Edit Group Policy" tool and set the path above to a different list: +2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value + + diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.4 b/ee/cis/win-10/test/instructions/CIS_2.2.4 new file mode 100644 index 0000000000..b69b2b66bb --- /dev/null +++ b/ee/cis/win-10/test/instructions/CIS_2.2.4 
@@ -0,0 +1,14 @@ +Expected scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to a list of only 'Administrators', 'LOCAL SERVICE' and 'NETWORK SERVICE': +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process' +2) After running the policy check, it should return 1 indicating that setting was properly set + + + +Failure scenario +================== +1) Open "Edit Group Policy" tool and set the path above to a different list: +2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value + + diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.5 b/ee/cis/win-10/test/instructions/CIS_2.2.5 new file mode 100644 index 0000000000..01d11795af --- /dev/null +++ b/ee/cis/win-10/test/instructions/CIS_2.2.5 @@ -0,0 +1,14 @@ +Expected scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to a list containing only 'Administrators' and 'Users': +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally' +2) After running the policy check, it should return 1 indicating that setting was properly set + + + +Failure scenario +================== +1) Open "Edit Group Policy" tool and set the path above to a different list: +2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value + + diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.6 b/ee/cis/win-10/test/instructions/CIS_2.2.6 new file mode 100644 index 0000000000..388e41e98b --- /dev/null +++ b/ee/cis/win-10/test/instructions/CIS_2.2.6 
@@ -0,0 +1,14 @@ +Expected scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to 'Administrators, Remote Desktop Users': +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Remote Desktop Services' +2) After running the policy check, it should return 1 indicating that setting was properly set + + + +Failure scenario +================== +1) Open "Edit Group Policy" tool and set the path above to a different list: +2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value + + diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.7 b/ee/cis/win-10/test/instructions/CIS_2.2.7 new file mode 100644 index 0000000000..e759cbdd57 --- /dev/null +++ b/ee/cis/win-10/test/instructions/CIS_2.2.7 @@ -0,0 +1,14 @@ +Expected scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to a list containing only 'Administrators': +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Back up files and directories' +2) After running the policy check, it should return 1 indicating that setting was properly set + + + +Failure scenario +================== +1) Open "Edit Group Policy" tool and set the path above to a different list: +2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value + +
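Review bot: five of the new policies in cis-policy-queries.yml (CIS_bullet_1.2.1, 1.2.2, 1.2.3, 2.2.4 and 2.2.6) ship with the placeholder `SELECT 1 FROM todo_add_query;` as their query. That table does not exist, so on every host the policy will error out rather than report pass or fail, while its `purpose: Informational` and CIS tags make it look like a finished check. Suggest holding these five specs back until a real query exists, or putting a visible TODO comment above each `query:` so the placeholder cannot be mistaken for a working control.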
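Review bot: the CIS_bullet_2.2.2 query checks for a different principal than the policy requires. The name and resolution say 'Access this computer from the network' should hold only 'Administrators' and 'Remote Desktop Users', but the query accepts `mdm_command_output LIKE "Administrators_REMOTE INTERACTIVE LOGON"`, so a host configured exactly as the resolution describes fails the check and one that grants the right to REMOTE INTERACTIVE LOGON passes. It also accepts only that one ordering, whereas the 2.2.5 query for 'Allow log on locally' tests both `"Administrators_Users"` and `"Users_Administrators"`; suggest the same two-order pattern here with the group actually named in the spec, plus a comment stating which single separator character the `_` wildcard stands in for, since `_` matches any one character.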
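Review bot: the CIS_bullet_2.2.3 query reads `1./Device/Vendor/MSFT/Policy/Config/UserRights/ActAsPartOfTheOperatingSystem`, while every other mdm_bridge query in this hunk (2.2.1, 2.2.2, 2.2.5, 2.2.7) reads the `Policy/Result/UserRights/...` node. Config is the node an MDM server writes to; Result is the one that reports the effective value, which is what matters when the resolution tells the administrator to set the right through Group Policy. Suggest changing Config to Result so this check reads the same kind of value as its siblings.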
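Review bot: the resolution for CIS_bullet_2.2.1 duplicates the first path component: `'Computer Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access Credential Manager as a trusted caller'`. Every other resolution in the hunk starts with 'Computer Configuration\'; drop the repeated word. The same policy and 2.2.3 pass only when `mdm_command_output = ""`, so it is worth confirming on the CIS_2.2.1 test run that an unassigned user right really comes back from mdm_bridge as an empty string rather than NULL or an error, since either of those would make a compliant host fail silently.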
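Review bot: the new policy names are inconsistent about the CIS '(Automated)' suffix: 1.2.1, 1.2.3 and 2.2.3 carry it, 1.2.2, 2.2.1, 2.2.2 and 2.2.4 through 2.2.7 do not, and the existing entries visible in the context lines (e.g. `CIS - Ensure 'Accounts Administrator account status' is set to 'Disabled'`) do not use it. Pick one convention, probably dropping the suffix to match the existing policies. In the same spirit, the 1.2.2 resolution says '5 or fewer invalid login attempt(s), but not 0' while the name and description say 'logon'; use one spelling.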
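Review bot: the Failure scenario in ee/cis/win-10/test/instructions/CIS_2.2.1 points at the wrong setting. Step 1 tells the tester to add a user to `'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age'`, which is a Password Policy entry that takes a number of days, not the 'Access Credential Manager as a trusted caller' user right that the Expected scenario configures. Replace it with the User Rights Assignment path from the Expected scenario, and fix the 'Computer Computer Configuration' typo in that path while editing the file.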
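Review bot: in the six new files CIS_2.2.2 through CIS_2.2.7 the Failure scenario's step 1 ends with a dangling colon, `1) Open "Edit Group Policy" tool and set the path above to a different list:`, and never says what list to enter. Because each query matches one exact value (or, for 2.2.5, two orderings), the tester needs a concrete non-compliant input, for instance the compliant list plus one extra group, so the run demonstrates that the check rejects a superset and not only an empty list.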