fleet

mirror of https://github.com/fleetdm/fleet synced 2026-05-06 06:48:54 +00:00

History

Dante Catalfamo 0b6ee9392f Windows 11 Enterprise CIS 4.0 (#29191 ) #27396 ## Results First Column: - `+` = Added - D = Duplicate - X = Updated/Removed - ? = Unclear/un-actionable Tested Column: - Yes = Works as described - NF = Could not find GP setting, but registry key exists and editing it makes the policy pass - NA = Not available. Could not find GP setting, registry setting doesn't exist \| \| Tested \| Type \| Comment \| \|--- \|------- \|------ \|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- \| \| + \| NF \| ADD \| 5 (L2) Ensure 'WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc)' is set to 'Disabled' \| \| + \| Yes \| ADD \| 18.10.58 (L1) Ensure 'Turn on Basic feed authentication over HTTP' is set to 'Disabled' \| \| + \| Yes \| ADD \| 2.3.11 (L1) Ensure 'Network security: LDAP client encryption requirements' is set to 'Negotiate sealing' or higher \| \| + \| Yes \| ADD \| 18.6.4 (L1) Ensure 'Configure multicast DNS (mDNS) protocol' is set to 'Disabled' \| \| + \| Yes \| ADD \| 18.6.4 (L2) Ensure 'Turn off default IPv6 DNS Servers' is set to 'Enabled' \| \| + \| Yes \| ADD \| 18.6.7 (L1) Ensure 'Audit client does not support encryption' is set to 'Enabled' \| \| + \| Yes \| ADD \| 18.6.7 (L1) Ensure 'Audit client does not support signing' is set to 'Enabled' \| \| + \| Yes \| ADD \| 18.6.7 (L1) Ensure 'Audit insecure guest logon' is set to 'Enabled' \| \| + \| Yes \| ADD \| 18.6.7 (L1) Ensure 'Enable authentication rate limiter' is set to 'Enabled' \| \| + \| Yes \| ADD \| 18.6.7 (L1) Ensure 'Enable remote mailslots' is set to 'Disabled' \| \| + \| Yes \| ADD \| 18.6.7 (L1) Ensure 'Mandate the minimum version of SMB' is set to 'Enabled: 3.1.1' \| \| + \| Yes \| ADD \| 18.6.7 (L1) Ensure 'Set authentication rate limiter delay (milliseconds)' is set to 'Enabled: 2000' or more \| \| + \| Yes \| ADD \| 18.6.8 (L1) Ensure 'Audit insecure guest logon' is set to 'Enabled' \| \| + \| Yes \| ADD \| 18.6.8 (L1) Ensure 'Audit server does not support encryption' is set to 'Enabled' \| \| + \| Yes \| ADD \| 18.6.8 (L1) Ensure 'Audit server does not support signing' is set to 'Enabled' \| \| D \| -- \| ADD \| 18.6.8 (L1) Ensure 'Enable remote mailslots' is set to 'Disabled' \| \| D \| -- \| ADD \| 18.6.8 (L1) Ensure 'Mandate the minimum version of SMB' is set to 'Enabled: 3.1.1' \| \| + \| Yes \| ADD \| 18.7 (L2) Ensure 'Configure Windows protected print' is set to 'Enabled' \| \| + \| Yes \| ADD \| 18.9 (L1) Ensure 'Configure the behavior of the sudo command' is set to 'Enabled: Disabled' \| \| + \| Yes \| ADD \| 18.9.30.1 (L1) Ensure 'Block NetBIOS-based discovery for domain controller location' is set to 'Enabled' \| \| + \| Yes \| ADD \| 18.9.39 (L1) Ensure 'Configure SAM change password RPC methods policy' is set to 'Enabled: Block all change password RPC methods' \| \| + \| Yes \| ADD \| 18.10.3 (L2) Ensure 'Turn off API Sampling' is set to 'Enabled' \| \| + \| Yes \| ADD \| 18.10.3 (L2) Ensure 'Turn off Application Footprint' is set to 'Enabled' \| \| + \| Yes \| ADD \| 18.10.3 (L2) Ensure 'Turn off Install Tracing' is set to 'Enabled' \| \| + \| Yes \| ADD \| 18.10.4 (L1) Ensure 'Not allow per-user unsigned packages to install by default (requires explicitly allow per install)' is set to 'Enabled' \| \| + \| Yes \| ADD \| 18.10.18 (L1) Ensure 'Enable App Installer Local Archive Malware Scan Override' is set to 'Disabled' \| \| + \| Yes \| ADD \| 18.10.18 (L1) Ensure 'Enable App Installer Microsoft Store Source Certificate Validation Bypass' is set to 'Disabled' \| \| + \| Yes \| ADD \| 18.10.18 (L2) Ensure 'Enable Windows Package Manager command line interfaces' is set to 'Disabled' \| \| + \| Yes \| ADD \| 18.10.29 (L1) Ensure 'Do not apply the Mark of the Web tag to files copied from insecure sources' is set to 'Disabled' \| \| + \| Yes \| ADD \| 18.10.43 (L1) Ensure 'Control whether exclusions are visible to local users' is set to 'Enabled' \| \| + \| Yes \| ADD \| 18.10.43.4 (L1) Ensure 'Enable EDR in block mode' is set to 'Enabled' \| \| + \| Yes \| ADD \| 18.10.43.8 (L2) Ensure 'Convert warn verdict to block' is set to 'Enabled' \| \| + \| Yes \| ADD \| 18.10.43.10 (L1) Ensure 'Configure real-time protection and Security Intelligence Updates during OOBE' is set to 'Enabled' \| \| + \| Yes \| ADD \| 18.10.43.11.1.1 (L2) Ensure 'Configure Brute-Force Protection aggressiveness' is set to 'Enabled: Medium' or higher \| \| + \| Yes \| ADD \| 18.10.43.11.1.1 (L1) Ensure 'Configure Remote Encryption Protection Mode' is set to 'Enabled: Audit' or higher \| \| + \| Yes \| ADD \| 18.10.43.11.1.2 (L2) Ensure 'Configure how aggressively Remote Encryption Protection blocks threats' is set to 'Enabled: Medium' or higher \| \| + \| Yes \| ADD \| 18.10.43.13 (L1) Ensure 'Scan excluded files and directories during quick scans' is set to 'Enabled: 1' \| \| + \| Yes \| ADD \| 18.10.43.13 (L1) Ensure 'Trigger a quick scan after X days without any scans' is set to 'Enabled: 7' \| \| + \| Yes \| ADD \| 18.10.57.3.3 (L2) Ensure 'Restrict clipboard transfer from server to client' is set to 'Enabled: Disable clipboard transfers from server to client' \| \| + \| NA \| ADD \| 19.7.40 (L1) Ensure 'Turn off Windows Copilot' is set to 'Enabled' \| \| + \| NF \| ADD \| 5 (L2) Ensure 'GameInput Service (GameInputSvc)' is set to 'Disabled' \| \| + \| Yes \| ADD \| 18.6.8 (L1) Ensure 'Require Encryption' is set to 'Enabled' \| \| + \| Yes \| ADD \| 18.10.91 (L2) Ensure 'Allow mapping folders into Windows Sandbox' is set to 'Disabled' \| \| X \| Yes \| MOVE \| 18.4.1 (L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled' TO 18.7 \| \| X \| Yes \| REMOVE \| 18.10.42 Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' \| \| X \| Yes \| REMOVE \| 18.10.15 (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled' \| \| X \| Yes \| REMOVE \| 18.10.66 (L1) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled' \| \| X \| Yes \| REMOVE \| 2.3.1 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' \| \| X \| Yes \| REMOVE \| 18.9.7.1 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC<sub>0C0A</sub>' \| \| X \| Yes \| REMOVE \| 18.9.7 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked) \| \| X \| Yes \| REMOVE \| 18.9.7 (BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' \| \| X \| Yes \| REMOVE \| 5 (L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled' \| \| X \| Yes \| REMOVE \| 5 (L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled' \| \| X \| Yes \| REMOVE \| 5 (L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled' \| \| X \| Yes \| REMOVE \| 5 (L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled' \| \| X \| Yes \| REMOVE \| 18.6.4 (L1) Ensure ‘Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher \| \| X \| Yes \| RENAME \| 2.2 (L1) Configure 'Create symbolic links' TO (L1) Ensure 'Create symbolic links' is set to 'Administrators'23528 \| \| X \| Yes \| RENAME \| 2.2 (L2) Configure 'Log on as a service' TO (L2) Ensure 'Log on as a service' is configured \| \| + \| Yes \| RENAME \| 18.10.82.1 (L1) Ensure 'Enable MPR notifications for the system' TO 'Configure the transmission of the user's password in the content of MPR notifications sent by winlogon.' \| \| X \| Yes \| UPDATE \| 18.10.17 (L1 -> L2) Ensure 'Enable App Installer' is set to 'Disabled' \| \| X \| Yes \| UPDATE \| 18.4 (L1) Ensure 'Enable Certificate Padding' TO Allow REG<sub>DWORD</sub> or REG<sub>SZ</sub> \| \| X \| NA \| UPDATE \| 18.9.26 Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock' \| \| ? \| Unknown \| UPDATE \| Section 17 Auditpol commands to use Policy GUIDs \| \| ? \| Unknown \| UPDATE \| 18.4 (L1) Ensure 'Enable Certificate Padding' is set to 'Enabled' \| \| ? \| Unknown \| UPDATE \| Section changes from Windows 11 Release 23H2 v2.0 Administrative Templates \| \| ? \| Unknown \| UPDATE \| Section changes from Windows 11 Release 24H2 Administrative Templates \| \| ? \| Unknown \| UPDATE \| User Overview (Section 19) \| \| ? \| Unknown \| UPDATE \| Profile Names \| \| ? \| Unknown \| UPDATE \| General Overview and Intended Audience Section \| \| ? \| Unknown \| UPDATE \| BitLocker Operating System Drive Section \| \| ? \| Unknown \| UPDATE \| 18.10.93.4 (L1) Ensure 'Enable optional updates' is set to 'Disabled' \|		2025-05-22 15:55:45 -04:00
..
macos-13	CIS Update: Q4 2024 (#24224 )	2024-12-05 13:35:40 -05:00
macos-14	CIS Update: Q4 2024 (#24224 )	2024-12-05 13:35:40 -05:00
macos-15	Remove missing items from README (#26045 )	2025-02-04 16:12:17 -05:00
win-10	Docs changes: Update Windows 10 CIS benchmark (#19723 )	2024-06-13 11:24:41 -04:00
win-11	Windows 11 Enterprise CIS 4.0 (#29191 )	2025-05-22 15:55:45 -04:00