From c7c07d9112b563378c9acd1e7990813b89900c83 Mon Sep 17 00:00:00 2001
From: Grant Bilstad <82750216+pacamaster@users.noreply.github.com>
Date: Wed, 27 Mar 2024 14:58:37 -0600
Subject: [PATCH] Revert "Update workstations.yml" (#17910)
Reverts fleetdm/fleet#17906
---
.../lib/windows-device-health.policies.yml | 25 +++++++++++++++++++
it-and-security/teams/workstations.yml | 2 +-
2 files changed, 26 insertions(+), 1 deletion(-)
create mode 100644 it-and-security/lib/windows-device-health.policies.yml
diff --git a/it-and-security/lib/windows-device-health.policies.yml b/it-and-security/lib/windows-device-health.policies.yml
new file mode 100644
index 0000000000..5a15b90cc5
--- /dev/null
+++ b/it-and-security/lib/windows-device-health.policies.yml
@@ -0,0 +1,25 @@
+- name: Windows - Enable screen saver after 20 minutes
+ query: SELECT 1 FROM mdm_bridge where mdm_command_input = "1- ./Device/Vendor/MSFT/Policy/Result/DeviceLock/MaxInactivityTimeDeviceLock
" and CAST(mdm_command_output AS INT) <= 20;
+ critical: false
+ description: This policy checks if maximum amount of time (in minutes) the device is allowed to sit idle before the screen is locked. End users can select any value less than the specified maximum.
+ resolution: "As an IT admin, to deploy a Windows profile with the MaxInactivityTimeDeviceLock option documented here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock#maxinactivitytimedevicelock"
+ platform: windows
+- name: Windows - Enable BitLocker
+ query: SELECT * FROM bitlocker_info WHERE drive_letter='C:' AND protection_status = 1;
+ critical: false
+ description: As an IT admin, turn on disk encryption in Fleet.
+ resolution: Ask your system administrator to turn on disk encryption in Fleet
+ platform: windows
+- name: Windows - Disable guest account
+ query: SELECT 1 FROM mdm_bridge where mdm_command_input = "1- ./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus
" and CAST(mdm_command_output AS INT) = 0;
+ critical: false
+ description: This policy checks if the guest account is disabled. The Guest account allows unauthenticated network users to gain access to the system.
+ resolution: "As an IT admin, deploy a Windows profile with the Accounts_EnableGuestAccountStatus option documented here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#accounts_enableguestaccountstatus"
+ platform: windows
+- name: Windows - Require 10 character password
+ query: SELECT 1 FROM mdm_bridge where mdm_command_input = "1- ./Device/Vendor/MSFT/Policy/Result/DeviceLock/DevicePasswordEnabled
" and CAST(mdm_command_output AS INT) = 0;
+ critical: false
+ description: This policy checks if the end user is required to enter a password, with at least 10 characters, to unlock the host.
+ resolution: "As an IT admin, deploy a Windows profile with the DevicePasswordEnabled and MinDevicePasswordLength option documented here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock"
+ platform: windows
+
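Review bot: The `Windows - Require 10 character password` policy never checks the length its name and description promise — the query only tests `DevicePasswordEnabled` with `CAST(mdm_command_output AS INT) = 0`, so a host whose password is enabled but shorter than 10 characters still passes. The resolution text already names `MinDevicePasswordLength`, so the query should read that node as well, e.g. add `AND (SELECT CAST(mdm_command_output AS INT) FROM mdm_bridge WHERE mdm_command_input = "1- ./Device/Vendor/MSFT/Policy/Result/DeviceLock/MinDevicePasswordLength") >= 10` (assuming mdm_bridge accepts a constrained scalar subquery — worth confirming against how Fleet evaluates it). The screen-saver query has a related weak spot: `CAST(mdm_command_output AS INT) <= 20` is satisfied by `0`, which SQLite yields for empty or non-numeric output and which, if I read the linked CSP page correctly, the policy itself uses to mean no timeout, so `CAST(mdm_command_output AS INT) > 0 AND CAST(mdm_command_output AS INT) <= 20` is the safer predicate. Finally, the `"1- ./Device/...` literal in three of the queries is shown broken across a line in this rendering; if that newline is really in the committed file, YAML folds it into a space inside the quoted `mdm_command_input` string and the lookup would never match — please verify against the file itself.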
diff --git a/it-and-security/teams/workstations.yml b/it-and-security/teams/workstations.yml
index c287420d0f..95ca009dc3 100644
--- a/it-and-security/teams/workstations.yml
+++ b/it-and-security/teams/workstations.yml
@@ -55,8 +55,8 @@ controls:
- path: ../lib/windows-turn-off-mdm.ps1
policies:
- path: ../lib/macos-device-health.policies.yml
+ - path: ../lib/windows-device-health.policies.yml
- path: ../lib/linux-device-health.policies.yml
- - path: ../../ee/cis/win-11/cis-policy-queries.yml
queries:
- path: ../lib/collect-failed-login-attempts.queries.yml
- path: ../lib/collect-usb-devices.queries.yml
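Review bot: Nothing in this hunk or the commit body records why the CIS Windows 11 policy set (`../../ee/cis/win-11/cis-policy-queries.yml`) is being dropped from the Workstations team in favour of the four checks in `windows-device-health.policies.yml`; the description only says "Reverts fleetdm/fleet#17906". Since this is a net reduction in Windows policy coverage for the team, a reason should be visible to whoever reads this file later, either as a sentence in the PR description or as a comment above the new entry, e.g. `# CIS Win 11 set (ee/cis/win-11) was tried in #17906 and reverted in #17910; see that PR before re-adding it`. If the revert is only temporary, the note should say so, so the CIS set is not silently forgotten.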