mirror of
https://github.com/fleetdm/fleet
synced 2026-05-05 22:39:17 +00:00
#27396

## Results

First Column:

- `+` = Added
- D = Duplicate
- X = Updated/Removed
- ? = Unclear/un-actionable

Tested Column:

- Yes = Works as described
- NF = Could not find GP setting, but registry key exists and editing it makes the policy pass
- NA = Not available. Could not find GP setting, registry setting doesn't exist

| | Tested | Type | Comment |
|---|---|---|---|
| + | NF | ADD | 5 (L2) Ensure 'WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc)' is set to 'Disabled' |
| + | Yes | ADD | 18.10.58 (L1) Ensure 'Turn on Basic feed authentication over HTTP' is set to 'Disabled' |
| + | Yes | ADD | 2.3.11 (L1) Ensure 'Network security: LDAP client encryption requirements' is set to 'Negotiate sealing' or higher |
| + | Yes | ADD | 18.6.4 (L1) Ensure 'Configure multicast DNS (mDNS) protocol' is set to 'Disabled' |
| + | Yes | ADD | 18.6.4 (L2) Ensure 'Turn off default IPv6 DNS Servers' is set to 'Enabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Audit client does not support encryption' is set to 'Enabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Audit client does not support signing' is set to 'Enabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Audit insecure guest logon' is set to 'Enabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Enable authentication rate limiter' is set to 'Enabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Enable remote mailslots' is set to 'Disabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Mandate the minimum version of SMB' is set to 'Enabled: 3.1.1' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Set authentication rate limiter delay (milliseconds)' is set to 'Enabled: 2000' or more |
| + | Yes | ADD | 18.6.8 (L1) Ensure 'Audit insecure guest logon' is set to 'Enabled' |
| + | Yes | ADD | 18.6.8 (L1) Ensure 'Audit server does not support encryption' is set to 'Enabled' |
| + | Yes | ADD | 18.6.8 (L1) Ensure 'Audit server does not support signing' is set to 'Enabled' |
| D | -- | ADD | 18.6.8 (L1) Ensure 'Enable remote mailslots' is set to 'Disabled' |
| D | -- | ADD | 18.6.8 (L1) Ensure 'Mandate the minimum version of SMB' is set to 'Enabled: 3.1.1' |
| + | Yes | ADD | 18.7 (L2) Ensure 'Configure Windows protected print' is set to 'Enabled' |
| + | Yes | ADD | 18.9 (L1) Ensure 'Configure the behavior of the sudo command' is set to 'Enabled: Disabled' |
| + | Yes | ADD | 18.9.30.1 (L1) Ensure 'Block NetBIOS-based discovery for domain controller location' is set to 'Enabled' |
| + | Yes | ADD | 18.9.39 (L1) Ensure 'Configure SAM change password RPC methods policy' is set to 'Enabled: Block all change password RPC methods' |
| + | Yes | ADD | 18.10.3 (L2) Ensure 'Turn off API Sampling' is set to 'Enabled' |
| + | Yes | ADD | 18.10.3 (L2) Ensure 'Turn off Application Footprint' is set to 'Enabled' |
| + | Yes | ADD | 18.10.3 (L2) Ensure 'Turn off Install Tracing' is set to 'Enabled' |
| + | Yes | ADD | 18.10.4 (L1) Ensure 'Not allow per-user unsigned packages to install by default (requires explicitly allow per install)' is set to 'Enabled' |
| + | Yes | ADD | 18.10.18 (L1) Ensure 'Enable App Installer Local Archive Malware Scan Override' is set to 'Disabled' |
| + | Yes | ADD | 18.10.18 (L1) Ensure 'Enable App Installer Microsoft Store Source Certificate Validation Bypass' is set to 'Disabled' |
| + | Yes | ADD | 18.10.18 (L2) Ensure 'Enable Windows Package Manager command line interfaces' is set to 'Disabled' |
| + | Yes | ADD | 18.10.29 (L1) Ensure 'Do not apply the Mark of the Web tag to files copied from insecure sources' is set to 'Disabled' |
| + | Yes | ADD | 18.10.43 (L1) Ensure 'Control whether exclusions are visible to local users' is set to 'Enabled' |
| + | Yes | ADD | 18.10.43.4 (L1) Ensure 'Enable EDR in block mode' is set to 'Enabled' |
| + | Yes | ADD | 18.10.43.8 (L2) Ensure 'Convert warn verdict to block' is set to 'Enabled' |
| + | Yes | ADD | 18.10.43.10 (L1) Ensure 'Configure real-time protection and Security Intelligence Updates during OOBE' is set to 'Enabled' |
| + | Yes | ADD | 18.10.43.11.1.1 (L2) Ensure 'Configure Brute-Force Protection aggressiveness' is set to 'Enabled: Medium' or higher |
| + | Yes | ADD | 18.10.43.11.1.1 (L1) Ensure 'Configure Remote Encryption Protection Mode' is set to 'Enabled: Audit' or higher |
| + | Yes | ADD | 18.10.43.11.1.2 (L2) Ensure 'Configure how aggressively Remote Encryption Protection blocks threats' is set to 'Enabled: Medium' or higher |
| + | Yes | ADD | 18.10.43.13 (L1) Ensure 'Scan excluded files and directories during quick scans' is set to 'Enabled: 1' |
| + | Yes | ADD | 18.10.43.13 (L1) Ensure 'Trigger a quick scan after X days without any scans' is set to 'Enabled: 7' |
| + | Yes | ADD | 18.10.57.3.3 (L2) Ensure 'Restrict clipboard transfer from server to client' is set to 'Enabled: Disable clipboard transfers from server to client' |
| + | NA | ADD | 19.7.40 (L1) Ensure 'Turn off Windows Copilot' is set to 'Enabled' |
| + | NF | ADD | 5 (L2) Ensure 'GameInput Service (GameInputSvc)' is set to 'Disabled' |
| + | Yes | ADD | 18.6.8 (L1) Ensure 'Require Encryption' is set to 'Enabled' |
| + | Yes | ADD | 18.10.91 (L2) Ensure 'Allow mapping folders into Windows Sandbox' is set to 'Disabled' |
| X | Yes | MOVE | 18.4.1 (L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled' TO 18.7 |
| X | Yes | REMOVE | 18.10.42 Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' |
| X | Yes | REMOVE | 18.10.15 (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled' |
| X | Yes | REMOVE | 18.10.66 (L1) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled' |
| X | Yes | REMOVE | 2.3.1 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' |
| X | Yes | REMOVE | 18.9.7.1 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' |
| X | Yes | REMOVE | 18.9.7 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked) |
| X | Yes | REMOVE | 18.9.7 (BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' |
| X | Yes | REMOVE | 5 (L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled' |
| X | Yes | REMOVE | 5 (L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled' |
| X | Yes | REMOVE | 5 (L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled' |
| X | Yes | REMOVE | 5 (L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled' |
| X | Yes | REMOVE | 18.6.4 (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher |
| X | Yes | RENAME | 2.2 (L1) Configure 'Create symbolic links' TO (L1) Ensure 'Create symbolic links' is set to 'Administrators'23528 |
| X | Yes | RENAME | 2.2 (L2) Configure 'Log on as a service' TO (L2) Ensure 'Log on as a service' is configured |
| + | Yes | RENAME | 18.10.82.1 (L1) Ensure 'Enable MPR notifications for the system' TO 'Configure the transmission of the user's password in the content of MPR notifications sent by winlogon.' |
| X | Yes | UPDATE | 18.10.17 (L1 -> L2) Ensure 'Enable App Installer' is set to 'Disabled' |
| X | Yes | UPDATE | 18.4 (L1) Ensure 'Enable Certificate Padding' TO Allow REG_DWORD or REG_SZ |
| X | NA | UPDATE | 18.9.26 Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock' |
| ? | Unknown | UPDATE | Section 17 Auditpol commands to use Policy GUIDs |
| ? | Unknown | UPDATE | 18.4 (L1) Ensure 'Enable Certificate Padding' is set to 'Enabled' |
| ? | Unknown | UPDATE | Section changes from Windows 11 Release 23H2 v2.0 Administrative Templates |
| ? | Unknown | UPDATE | Section changes from Windows 11 Release 24H2 Administrative Templates |
| ? | Unknown | UPDATE | User Overview (Section 19) |
| ? | Unknown | UPDATE | Profile Names |
| ? | Unknown | UPDATE | General Overview and Intended Audience Section |
| ? | Unknown | UPDATE | BitLocker Operating System Drive Section |
| ? | Unknown | UPDATE | 18.10.93.4 (L1) Ensure 'Enable optional updates' is set to 'Disabled' |

||
|---|---|---|
| bulk-operations-dashboard | ||
| cis | ||
| fleetctl | ||
| fleetd-chrome | ||
| maintained-apps | ||
| server | ||
| tools | ||
| vulnerability-dashboard | ||
| LICENSE | ||
| README.md | ||
Welcome to the "source available" section of the Fleet codebase. Please note files and functionality under this directory are covered by the Fleet EE License, and require a valid Fleet subscription for production use. See the full license for details.