CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0
1.1 1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' accepted
1.1 1.1.2 (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' accepted
1.1 1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' accepted
1.1 1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' accepted
1.1 1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' accepted
1.1 1.1.6 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' accepted
1.2 1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' accepted
1.2 1.2.2 (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' accepted
1.2 1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' accepted
2.2 2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' accepted
2.2 2.2.2 (L1) Configure 'Access this computer from the network' accepted
2.2 2.2.3 (L1) Ensure 'Act as part of the operating system' is set to 'No One' accepted
2.2 2.2.4 (L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only) accepted
2.2 2.2.5 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVIC accepted
2.2 2.2.6 (L1) Ensure 'Allow log on locally' is set to 'Administrators' accepted
2.2 2.2.7 (L1) Configure 'Allow log on through Remote Desktop Services' accepted
2.2 2.2.8 (L1) Ensure 'Back up files and directories' is set to 'Administrators' accepted
2.2 2.2.9 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' accepted
2.2 2.2.10 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' accepted
2.2 2.2.12 (L1) Ensure 'Create a token object' is set to 'No One' accepted
2.2 2.2.13 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK S accepted
2.2 2.2.14 (L1) Ensure 'Create permanent shared objects' is set to 'No One' accepted
2.2 2.2.17 (L1) Configure 'Deny access to this computer from the network' accepted
2.2 2.2.18 (L1) Ensure 'Deny log on as a batch job' to include 'Guests' accepted
2.2 2.2.19 (L1) Ensure 'Deny log on as a service' to include 'Guests' accepted
2.2 2.2.20 (L1) Ensure 'Deny log on locally' to include 'Guests' accepted
2.2 2.2.21 (L1) Configure 'Deny log on through Remote Desktop Services' accepted
2.2 2.2.22 (L1) Configure 'Enable computer and user accounts to be trusted for delegation' accepted
2.2 2.2.23 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' accepted
2.2 2.2.24 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' accepted
2.2 2.2.26 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators' accepted
2.2 2.2.27 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' accepted
2.2 2.2.28 (L1) Ensure 'Lock pages in memory' is set to 'No One' accepted
2.2 2.2.30 (L1) Configure 'Manage auditing and security log' accepted
2.2 2.2.31 (L1) Ensure 'Modify an object label' is set to 'No One' accepted
2.2 2.2.32 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' accepted
2.2 2.2.33 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' accepted
2.2 2.2.34 (L1) Ensure 'Profile single process' is set to 'Administrators' accepted
2.2 2.2.35 (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost accepted
2.2 2.2.36 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' accepted
2.2 2.2.37 (L1) Ensure 'Restore files and directories' is set to 'Administrators' accepted
2.2 2.2.38 (L1) Ensure 'Shut down the system' is set to 'Administrators' accepted
2.2 2.2.39 (L1) Ensure 'Synchronize directory service data' is set to 'No One' (DC only) accepted
2.2 2.2.40 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' accepted
2.3.1 2.3.1.2 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Micros accepted
2.3.1 2.3.1.4 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set t accepted
2.3.2 2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override au accepted
2.3.2 2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disa accepted
2.3.4 2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators' accepted
2.3.4 2.3.4.2 (L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' accepted
2.3.5 2.3.5.1 (L1) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC accepted
2.3.5 2.3.5.2 (L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (D accepted
2.3.5 2.3.5.3 (L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' accepted
2.3.6 Domain member accepted
2.3.6 2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'E accepted
2.3.6 2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'E accepted
2.3.6 2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enab accepted
2.3.6 2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' accepted
2.3.6 2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer da accepted
2.3.6 2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'En accepted
2.3.7 2.3.7.1 (L1) Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled' accepted
2.3.7 2.3.7.2 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' accepted
2.3.7 2.3.7.3 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0 accepted
2.3.7 2.3.7.4 (L1) Configure 'Interactive logon: Message text for users attempting to log on' accepted
2.3.7 2.3.7.5 (L1) Configure 'Interactive logon: Message title for users attempting to log on' accepted
2.3.7 2.3.7.7 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'be accepted
2.3.7 2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or highe accepted
2.3.8 2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' accepted
2.3.8 2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to accepted
2.3.8 2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is accepted
2.3.9 2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is accepted
2.3.9 2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled accepted
2.3.9 2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to accepted
2.3.9 2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Ena accepted
2.3.10 2.3.10.1 (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' accepted
2.3.10 2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Di accepted
2.3.10 2.3.10.6 (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' accepted
2.3.10 2.3.10.7 (L1) Configure 'Network access: Remotely accessible registry paths' accepted
2.3.10 2.3.10.8 (L1) Configure 'Network access: Remotely accessible registry paths and sub-paths' accepted
2.3.10 2.3.10.9 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to accepted
2.3.10 2.3.10.1 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' accepted
2.3.10 2.3.10.1 (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - accepted
2.3.11 2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' accepted
2.3.11 2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online accepted
2.3.11 2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to accepted
2.3.11 2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' accepted
2.3.11 2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' accepted
2.3.11 2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 res accepted
2.3.11 2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or accepted
2.3.11 2.3.11.9 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure accepted
2.3.11 2.3.11.1 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure accepted
2.3.13 2.3.13.1 (L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disable accepted
2.3.15 2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to ' accepted
2.3.15 2.3.15.2 (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symb accepted
2.3.17 2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' accepted
2.3.17 2.3.17.2 (L1) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without us accepted
2.3.17 2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin accepted
2.3.17 2.3.17.4 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to accepted
2.3.17 2.3.17.5 (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is s accepted
2.3.17 2.3.17.6 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure accepted
2.3.17 2.3.17.7 (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'En accepted
2.3.17 2.3.17.8 (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is accepted
2.3.17 2.3.17.9 (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' accepted
6 Registry accepted
9.1 9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' accepted
9.1 9.1.2 (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' accepted
9.1 9.1.3 (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' accepted
9.1 9.1.4 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' accepted
9.1 9.1.5 (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\lo accepted
9.1 9.1.6 (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' accepted
9.1 9.1.7 (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' accepted
9.1 9.1.8 (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' accepted
9.2 9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' accepted
9.2 9.2.2 (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' accepted
9.2 9.2.3 (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' accepted
9.2 9.2.4 (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' accepted
9.2 9.2.5 (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logf accepted
9.2 9.2.6 (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' accepted
9.2 9.2.7 (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' accepted
9.2 9.2.8 (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' accepted
9.3 9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' accepted
9.3 9.3.2 (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' accepted
9.3 9.3.3 (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' accepted
9.3 9.3.4 (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No' accepted
9.3 9.3.5 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' accepted
9.3 9.3.6 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to ' accepted
9.3 9.3.7 (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfi accepted
9.3 9.3.8 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' accepted
9.3 9.3.9 (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' accepted
9.3 9.3.10 (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' accepted
17.1 17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' accepted
17.2 17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' accepted
17.2 17.2.2 (L1) Ensure 'Audit Computer Account Management' is set to 'Success and Failure' accepted
17.2 17.2.3 (L1) Ensure 'Audit Distribution Group Management' is set to 'Success and Failure' (DC only) accepted
17.2 17.2.4 (L1) Ensure 'Audit Other Account Management Events' is set to 'Success and Failure' accepted
17.2 17.2.5 (L1) Ensure 'Audit Security Group Management' is set to 'Success and Failure' accepted
17.2 17.2.6 (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' accepted
17.3 17.3.1 (L1) Ensure 'Audit Process Creation' is set to 'Success' accepted
17.4 17.4.1 (L1) Ensure 'Audit Directory Service Access' is set to 'Success and Failure' (DC only) accepted
17.4 17.4.2 (L1) Ensure 'Audit Directory Service Changes' is set to 'Success and Failure' (DC only) accepted
17.5 17.5.1 (L1) Ensure 'Audit Account Lockout' is set to 'Success and Failure' accepted
17.5 17.5.3 (L1) Ensure 'Audit Logon' is set to 'Success and Failure' accepted
17.5 17.5.4 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' accepted
17.5 17.5.5 (L1) Ensure 'Audit Special Logon' is set to 'Success' accepted
17.6 17.6.1 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' accepted
17.6 17.6.2 (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' accepted
17.7 17.7.1 (L1) Ensure 'Audit Audit Policy Change' is set to 'Success and Failure' accepted
17.7 17.7.2 (L1) Ensure 'Audit Authentication Policy Change' is set to 'Success' accepted
17.7 17.7.3 (L1) Ensure 'Audit Authorization Policy Change' is set to 'Success' accepted
17.8 17.8.1 (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' accepted
17.9 17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' accepted
17.9 17.9.3 (L1) Ensure 'Audit Security State Change' is set to 'Success' accepted
17.9 17.9.4 (L1) Ensure 'Audit Security System Extension' is set to 'Success and Failure' accepted
17.9 17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' accepted
18.1.1 18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' accepted
18.1.1 18.1.1.2 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' accepted
18.3 18.3.2 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver' accepted
18.3 18.3.3 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' accepted
18.3 18.3.4 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Ena accepted
18.4 18.4.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Di accepted
18.4 18.4.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects agai accepted
18.4 18.4.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against accepted
18.4 18.4.4 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes accepted
18.4 18.4.6 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name relea accepted
18.4 18.4.8 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set t accepted
18.4 18.4.9 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace accepted
18.4 18.4.12 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the sy accepted
18.5.11 18.5.11. (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain networ accepted
18.5.11 18.5.11. (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enable accepted
18.5.14 18.5.14. (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" an accepted
18.5.21 18.5.21. (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Doma accepted
18.8.3 18.8.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Disabled' accepted
18.8.4 18.8.4.1 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' accepted
18.8.14 18.8.14. (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but accepted
18.8.21 18.8.21. (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background proc accepted
18.8.21 18.8.21. (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects hav accepted
18.8.21 18.8.21. (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' accepted
18.8.22. 18.8.22.1(L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' accepted
18.8.22. 18.8.22.1(L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to accepted
18.8.22. 18.8.22.1(L1) Ensure 'Turn off printing over HTTP' is set to 'Enabled' accepted
18.8.27 18.8.27. (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' accepted
18.8.27 18.8.27. (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' accepted
18.8.27 18.8.27. (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' accepted
18.8.27 18.8.27. (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' accepted
18.8.27 18.8.27. (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' accepted
18.8.33. 18.8.33.6(L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' accepted
18.8.33. 18.8.33.6(L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' accepted
18.8.35 18.8.35. (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' accepted
18.8.35 18.8.35. (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' accepted
18.9.3 Add features to Windows 8 / 8.1 / 10 (formerly Windows Anytime Upgrade) accepted
18.9.6 18.9.6.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' accepted
18.9.8 18.9.8.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' accepted
18.9.8 18.9.8.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any auto accepted
18.9.8 18.9.8.3 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' accepted
18.9.15 18.9.15. (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' accepted
18.9.15 18.9.15. (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' accepted
18.9.24 18.9.24. (L1) Ensure 'Default Action and Mitigation Settings' is set to 'Enabled' (plus subsettings) accepted
18.9.24 18.9.24. (L1) Ensure 'Default Protections for Internet Explorer' is set to 'Enabled' accepted
18.9.24 18.9.24. (L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled' accepted
18.9.24 18.9.24. (L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled' accepted
18.9.24 18.9.24. (L1) Ensure 'System ASLR' is set to 'Enabled: Application Opt-In' accepted
18.9.24 18.9.24. (L1) Ensure 'System DEP' is set to 'Enabled: Application Opt-Out' accepted
18.9.24 18.9.24. (L1) Ensure 'System SEHOP' is set to 'Enabled: Application Opt-Out' accepted
18.9.26. 18.9.26.1(L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' accepted
18.9.26. 18.9.26.1(L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or gr accepted
18.9.26. 18.9.26.2(L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is accepted
18.9.26. 18.9.26.2(L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or grea accepted
18.9.26. 18.9.26.3(L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is se accepted
18.9.26. 18.9.26.3(L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' accepted
18.9.26. 18.9.26.4(L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is accepted
18.9.26. 18.9.26.4(L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greate accepted
18.9.30 18.9.30. (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' accepted
18.9.30 18.9.30. (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' accepted
18.9.30 18.9.30. (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' accepted
18.9.52 18.9.52. (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' accepted
18.9.52 18.9.52. (L1) Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled' accepted
18.9.58. 18.9.58.2(L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' accepted
18.9.58.3 18.9.58.3(L1) Ensure 'Do not allow drive redirection' is set to 'Enabled' accepted
18.9.58.3 18.9.58.3(L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' accepted
18.9.58.3 18.9.58.3(L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' accepted
18.9.58. 18.9.58.3(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' accepted
18.9.58. 18.9.58.3(L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled' accepted
18.9.59 18.9.59. (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' accepted
18.9.60 18.9.60. (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' accepted
18.9.76 18.9.76. (L1) Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled' accepted
18.9.76. 18.9.76.3(L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' accepted
18.9.76. 18.9.76. (L1) Ensure 'Scan removable drives' is set to 'Enabled' accepted
18.9.76. 18.9.76. (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled' accepted
18.9.80. 18.9.80.1(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent b accepted
18.9.81 18.9.81. (L1) Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabl accepted
18.9.81.1 Advanced Error Reporting Settings accepted
18.9.81. 18.9.81.2(L1) Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data' accepted
18.9.83 Windows Hello for Business (formerly Microsoft Passport for Work) accepted
18.9.85 18.9.85. (L1) Ensure 'Allow user control over installs' is set to 'Disabled' accepted
18.9.85 18.9.85. (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' accepted
18.9.86 18.9.86. (L1) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'D accepted
18.9.95 18.9.95. (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' accepted
18.9.95 18.9.95. (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' accepted
18.9.97. 18.9.97.2(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' accepted
18.9.101 18.9.101 (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled' accepted
18.9.101 18.9.101 (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' accepted
18.9.101 18.9.101 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' accepted
18.9.101.1 Windows Update for Business (formerly Defer Windows Updates) draft
19.1.3 19.1.3.1 (L1) Ensure 'Enable screen saver' is set to 'Enabled' accepted
19.1.3 19.1.3.2 (L1) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scr accepted
19.1.3 19.1.3.3 (L1) Ensure 'Password protect the screen saver' is set to 'Enabled' accepted
19.1.3 19.1.3.4 (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0' accepted
19.5.1 19.5.1.1 (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled' accepted
19.7.1 Add features to Windows 8 / 8.1 / 10 (formerly Windows Anytime Upgrade) accepted
19.7.4 19.7.4.1 (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled' accepted
19.7.4 19.7.4.2 (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled' accepted
19.7.26 19.7.26. (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled' accepted
19.7.39 Windows Hello for Business (formerly Microsoft Passport for Work) accepted
19.7.40 19.7.40. (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' accepted
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This policy
Services setting
that determines
are started by thewhich
Service To Control
users establish
or processesthe recommended
Manager can
have generate configuration
audit
the built-in records
Service viainGP,
group set the
theadded
Securitybyfollowing
log.
default toUItheir
pathaccess
to `Adm to
This policy setting allows users to shut down Windows Vista-based and newer computers from remote locations on the net
full The recommended
Also, Any
state
a user can impersonateuser
for who
this
an setting
can
accessTo
s```is:
establish
`LOCAL
token if anythe
SERVICE,
recommended
of Navigate
the NETWORK
following to the
configuration
UI IfSERVICE`.
conditionsyouexist:
remove
via GP, the
set**Force
the following
shutdown UI path
fr to `LOC
-TheTherecommended
access token state
that isfor this setting
being Computer
impersonatedis: `Administrators`.
isConfiguration\Policies\Windows
for this user. Settings\Security Settings\Local Policies\U
full -**Note:**
The user,This
in this
userlogon
An
right
attacker
session,
is considered
couldlogged```
uTo
```
a establish
"sensitive
on to the the network
privilege"
recommended
Navigate
with
for explicit
the
to purposes
the
configuration
credentials
UI On of most
auditing.
via
tocomputers,
create
GP, configure
the this
access isthe
the
token.
following
defaul UI path:
- The requested level is less than Impersonate, Computer Configuration\Policies\Windows
such as Anonymous or Identify. Settings\Security Settings\Local Policies\U
full **Note #2:** A Member An attacker
Server with
that th holds
```
``` establish
To the _Web theServerNavigate
(IIS)_ to
recommended Role
the with
UI In_Webmost Server_
configuration cases
via GP,this Role
setconfiguration
theService
following willwill
require
UI a speci
path to `Adm
An attacker
This policy setting
with thedetermines
**Impersonatewhether a Computer
client
users after
can Configuration\Policies\Windows
authentication**
increase the base user priority
right could
classSettings\Security
create
of a process.
a service,(It is
Settings\Local
trick
not aa client
privileged
toPolicies\U
make
operati
the
full **Note
This #3:**setting
policy A Member
A user
allows Server
who isthat
users toassi holds
```
dynamically
To the _Active
``` establish loadthe a Directory
new Navigate
recommended
device Federation
to the
driver UI Services_
onNone
configuration viaRole
- this
a system. is
An
GP,thewill require
default
attacker
set the a potentially
special
behavior.
could
following exception
UI path use thist
to `Adm
- **Level
The 1 - Domainstate
recommended Controller.** TheComputer
for this setting recommended
is: `Administrators`. state for this setting is: ``Administrators,
Configuration\Policies\Windows Settings\Security LOCAL SERVICE, Policies\U
Settings\Local NETWOR
full - **Level
The 1 - Member
recommended Server.**
Device
state for thisThe
drivers recommended
setting
run ```
```is:
To state
`Administrators`.
establish the for this setting
Navigate
recommended to the is:
UI `Administrators,
If you remove
configuration via GP, LOCAL
the
set**Load SERVICE,
and unload
the following UINETWORK
d to `No S
path O
This policy setting determines which users can change the auditing options for files and directories and clear the Security lo
This policy setting allows a process toComputer keep dataConfiguration\Policies\Windows
in physical memory, which prevents Settings\Security
the system from Settings\Local
paging thePolicies\U
data to vi
full **Note:** This userUsers
right iswith
considered
the **L To ```
```
a establish
"sensitivethe privilege"
Navigate
recommendedfor theto purposes
the UI None
configurationof auditing.
- this
via isGP,theconfigure
default behavior.
the following UI path:
For environments running Microsoft Exchange Server, the `Exchange Servers` group must possess this privilege on Doma
The recommended state for this setting Computer
is: `No One`.Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
full **Note #2:** A Member Servertowith
The ability manMicrosoft
```
``` establish
To SQLthe Server _and_ its
Navigate
recommended optional
to the UI None "Integration
configuration - this
via isGP, Services"
the default
set component
behavior.
the following installed
UI path willO
to `No
- **Level 1 - Domain Controller.** The recommended state for this setting is: `Administrators` and (when Exchange is runni
This privilege determines which user Computer accounts can Configuration\Policies\Windows
modify the integrity label of objects, Settings\Security
such as files, Settings\Local
registry keys, Policies\U
or proce
- **Level 1 - Member Server.** The recommended state for this setting is: `Administrators`.
full This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This
By modifying the i
To establish the recommended configuration via GP, set the following UI path to `Adm
Navigate to the UI
None - this is the default behavior.
The recommended state for this setting is: `No One`.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
**Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.
full The recommended state for this setting is: `Administrators`.
Anyone who is assi
To establish the recommended configuration via GP, set the following UI path to `Adm
Navigate to the UI
None - this is the default behavior.
This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a v
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
full **Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.
A user who is assi
To establish the recommended configuration via GP, set the following UI path to `Adm
Navigate to the UI
None - this is the default behavior.
The recommended state for this setting is: `Administrators`.
This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, y
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
full This policy setting allows one process or service to start another service or process with a different security access token, w
The **Profile sing
If you remove the **Profile single pr
To establish the recommended configuration via GP, set the following UI path to `Adm
Navigate to the UI
The recommended state for this setting is: `Administrators`.
This policy setting allows users to use tools to view the performance of different system processes, which could be abused
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
full The recommended state for this setting is: `LOCAL SERVICE, NETWORK SERVICE`.
The **Profile syst
To establish the recommended configuration via GP, set the following UI path to `LO
Navigate to the UI
None - this is the default behavior.
The recommended state for this setting is: `Administrators, NT SERVICE\WdiServiceHost`.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
full **Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.
This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when
Users with the **R
To establish the recommended configuration via GP, set the following UI path to `Adm
Navigate to the UI
On most computers, this is the defaul
An attacker with the **Restore files and directories** user right could restore sensitive data to a compute
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
full **Note #2:** A Member Server that holds the _Web Server (IIS)_ Role with _Web Server_ Role Service will require a speci
The recommended state for this setting is: `Administrators`.
If you remove the **Restore files and
To establish the recommended configuration via GP, set the following UI path to `Adm
Navigate to the UI
**Note:** Even if the following countermeasure is configured, an attacker could still restore data to a com
This policy setting determines which users who are logged on locally to the computers in your environment can shut down
The ability to shut down Domain Controllers and Member Servers should be limited to a very small numb
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
full **Note #3:** A Member Server with Microsoft SQL Server installed will require a special exception to this recommendation
**Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.
The impact of removing these default
To establish the recommended configuration via GP, set the following UI path to `No O
Navigate to the UI
The recommended state for this setting is: `Administrators`.
This security setting determines which users and groups have the authority to synchronize all directory service data. This is
When a Domain Controller is shut down, it is no longer available to process logons, serve Group Policy,
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
full This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypa
The **Synchronize
To establish the recommended configuration via GP, set the following UI path to `Adm
Navigate to the UI
None - this is the default behavior.
The recommended state for this setting is: `No One`.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
full The recommended state for this setting is: `Administrators`.
Any users with the
Navigate to the UI
None - this is the default behavior.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
**Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.
accepted This section contains recommendations for security options.
full **Note:** An AT Service Account can be modified to select a different account rather than the LOCAL SYSTEM account.
The recommended state for this setting is: `Require signing`.
If you enable this
To establish the recommended configuration via GP, set the following UI path to `Req
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder capture
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
full The recommended state for this setting is: `Disabled`.
**Note:** Domain member computers must have _Network security: LDAP signing requirements_ (Rule 2.3.11.8) set to `Ne
Unless TLS/SSL is being used, the L
Additionally, allowing the use of regular, unsigned LDAP permits credentials to be received over the netw
To establish the recommended configuration via GP, set the following UI path to `Disa
Navigate to the UI Path articulated in the Remediation section and
This security setting determines whether Domain Controllers will refuse requests from member computers to change the comp
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N
full **Note #2:** This policy setting does not have any impact on LDAP simple bind (`ldap_simple_bind`) or LDAP simple bind t
If you enable this
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N
**Note #3:** Before enabling this setting, you should first ensure that there are no clients (including server-based applicatio
None - this is the default behavior. However, onl
accepted This section contains recommendations related to domain membership.
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or e
When a computer joins a domain, a computer account is created. After it joins the domain, the computer
- The ability to create or delete trust relationships
full To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
- Logons from clients running versions of Window
The recommended state for this setting is: `Enabled`.
This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traf
When a computer joins a domain, a computer account is created. After it joins the domain, the computer
to authenticate other domains' users
Digital encryption and signing of the secure channel is a good idea where it is supported. The secure ch
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N
full To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
The recommended state for this setting is: `Enabled`.
This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic tha
When a computer joins a domain, a computer account is created. After it joins the domain, the computer
Digital encryption and signing of the secure channel is a good idea where it is supported. The secure ch
You can enable this policy setting after you elimi
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N
full To establish the recommended configuration via GP, set the following UI path to `Disa
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
The recommended state for this setting is: `Enabled`.
This policy setting determines whether a domain member can periodically change its computer account password. Comput
Digital encryption and signing of the secure channel is a good idea where it is supported. The secure ch
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N
full This policy setting determines the maximum allowable age for a computer account password. By default, domain members
The default config
To establish the recommended configuration via GP, set the following UI path to `30 o
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N
full The recommended state for this setting is: `30 or fewer days, but not 0`.
When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of
In Active Director
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full **Note:** A value of `0` does not conform to the benchmark as it disables maximum password age.
Session keys that
To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a stron
None - this is the default behavior.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N
accepted This section contains recommendations related to interactive logons.
The recommended state for this setting is: `Enabled`.
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
This policy setting determines whether the account name of the last user to log on to the client computers in your organizat
full An attacker with a
The name of the last user to successf
To establish the recommended configuration via GP, set the following UI path to `Disa
Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Enabled`.
This policy setting determines whether users must press CTRL+ALT+DEL before they log on.
Microsoft developed this feature to make it easier for users with certain types of physical impairments to
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
full Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen
Users must press CTRL+ALT+DEL befor
To establish the recommended configuration via GP, set the following UI path to `900
Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Disabled`.
An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box a
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
full The recommended state for this setting is: `900 or fewer second(s), but not 0`.
If a user forgets t
The screen saver will automatically
To establish the recommended configuration via GP, configure the following UI path to
Navigate to the UI Path articulated in the Remediation section and
Displaying a warning message before logon may help prevent an attack by warning the attacker about th
Users will have to acknowledge a dialog box con
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
full **Note:** A value of `0` does not conform to the benchmark as it disables the machine inactivity limit.
This policy settin
To establish the recommended configuration via GP, configure the following UI path to
Navigate to the UI Path articulated in the Remediation section and
**Note:** Any warning that you display should first be approved by your organization's legal and human
**Note:** Windows Vista and Windows XP Profe
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
full This policy setting
Displaying a warni
To establish the recommended configuration via GP, set the following UI path to
Navigate to the UI Path articulated in the Remediation section and
Users will have to acknowledge a dialog box with a val
This policy setting determines how far in advance users are warned that their password will expire. It is recommended that
If you select `Lock Workstation`, the workstation
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
full It is recommended
To establish the recommended configuration via GP, set the following UI path to `Lock
Navigate to the UI Path articulated in the Remediation section and
Users will see a dialog box prompt
The recommended state for this setting is: `between 5 and 14 days`.
This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card rea
If you select `Force Logoff`, users are automatica
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Cu
full Users sometimes fo
The recommended state for this setting is: `Lock Workstation`.
Configuring this setting to `Disconnect if a Remote Desktop Se
If you select `Force Logoff` or `Disconnect if
The Microsoft network client will not communicat
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Cu
accepted This section contains recommendations related to configuring the Microsoft network client.
This policy setting determines whether packet signing is required by the SMB client component.
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
Session hijacking uses tools that allow attackers who have access to the same network as the client or s
Enforcing this setting on computers used by peo
The Windows 2000 Server, Windows 2000 Profe
None - this is the default behavior.
full **Note:** When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on
This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing.
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the ba
Session hijacking uses tools that allow attackers who have access to the same network as the client or s
Implementation of SMB signing may negatively
The Windows 2000 Server, Windows 2000 Profe
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
full The recommended state for this setting is: `Enabled`.
**Note:** Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all c
This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party
To establish the recommended configuration via GP, set the following UI path to `Disa
Navigate to the UI Path articulated in the Remediation section and
SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the ba
When SMB signing policies are enabled on Dom
Implementation of SMB signing may negatively
None - this is the default behavior.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
full The recommended state for this setting is: `Enabled`.
It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy settin
If you enable this
When SMB signing policies are enabled on Dom
Some very old applications and operating system
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
accepted This section contains recommendations related to configuring the Microsoft network server.
The recommended state for this setting is: `Disabled`.
This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the se
To establish the recommended configuration via GP, set the following UI path to `15
Navigate to the UI Path articulated in the Remediation section and
The Microsoft network server will not communica
full A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect
Each SMB session c
There will be little impact because SM
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
This policy setting determines whether packet signing is required by the SMB server component.
Session hijacking uses tools that allow attackers who have access to the same network as the client or s
The Microsoft network server will negotiate SMB
Enable this policy setting
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
full The recommended state for this setting is: `15 or fewer minute(s), but not 0`.
This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no s
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Enabled`.
This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the use
SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the ba
Session hijacking uses tools that allow attackers who have access to the same network as the client or s
Implementation of SMB signing may negatively
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
full **Note:** Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all c
This security setting determines whether to disconnect users who are connected to the local computer outside their user ac
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
**Note:** In Windows XP this setting is called "Network access: Remotely accessible registry paths," the setting with that sa
SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the ba
When SMB signing policies are enabled on Dom
Implementation of SMB signing may negatively
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
full The recommended state for this setting is: `Enabled`.
If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. I
If your organizati
None - this is the default behavior.
**Note #2:** When you configure this setting you specify a list of one or more objects. The delimiter used when entering the
When SMB signing policies are enabled on Dom
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
accepted This section contains recommendations related to network access.
The recommended state for this setting is: `Enabled`.
To establish the recommended configuration via GP, set the following UI path to `Disa
To establish the recommended configuration via GP, set the following UI path to: `Sys
The recommended state for this setting is:
This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user,
System\CurrentControlSet\Services\Eventlog
full This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups lis
If this policy set
To establish the recommended configuration via GP, set the following UI path to `Disa
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow ano
Software\Microsoft\OLAP Server
The recommended state for this setting is: `Disabled`.
This policy setting determines what additional permissions are assigned for anonymous connections to the computer.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
Software\Microsoft\Windows NT\CurrentVersion\Print
full **Note:** This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called "Ne
An unauthorized u
System\CurrentControlSet\Control\Print\Printers
To establish the recommended configuration via GP, configure the following UI path:
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
The recommended state for this setting is:
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Services\Eventlog
The recommended state for this setting is: `Disabled`.
To establish the recommended configuration via GP, set the following UI path to: `Sys
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
System\CurrentControlSet\Control\ContentIndex
full **Note #2:** When you configure this setting you specify a list of one or more objects. The delimiter used when entering the
Limiting named pip
Null session access over the null sessio
If you choose
Software\Microsoft\OLAP Server
System\CurrentControlSet\Control\Server Applications
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
- **Level 1 - Domain Controller.** The recommended state for this setting is: `LSARPC, NETLOGON, SAMR` and (when th
System\CurrentControlSet\Control\Terminal Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
None - this is the default behavior. However, if yo
- **Level 1 - Member Server.** The recommended state for this setting is: `` (i.e. None), or (when the legacy _Computer Br
System\CurrentControlSet\Control\Terminal Server\UserConfig
full The recommended state for this setting is:
The registry is a
Software\Microsoft\Windows NT\CurrentVersion\Windows
Navigate to the UI Path articulated in the Remediation section and
- COMNAP: SNA session access
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
System\CurrentControlSet\Control\ContentIndex
When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the `Netwo
- COMNODE: SNA session access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se
None - this is the default behavior. However, if yo
**Note:** If you want to allow remote access, you
**Note:** A Member Server that holds the _Remote Desktop Services_ Role with _Remote Desktop Licensing_ Role Servic
Software\Microsoft\Windows NT\CurrentVersion\Perflib
full System\CurrentControlSet\Control\Terminal Server
The registry contai
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
- SQL\\QUERY: SQL instance access
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
System\CurrentControlSet\Services\SysmonLog
System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Terminal Server\UserConfig
`HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters`
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se
**Note:** If you want to allow remote access, you
- SPOOLSS: Spooler service
full System\CurrentControlSet\Control\Server Applications
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Null sessions are
To establish the recommended configuration via GP, set the following UI path to `` (i.e
Navigate to the UI Path articulated in the Remediation section and
- LLSRPC: License Logging service
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion\Perflib
registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthe
This policy setting determines which network shares can be accessed by anonymous users. The default configuration for th
- NETLOGON: Net Logon service
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
full This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows pre
It is very dangero
System\CurrentControlSet\Services\SysmonLog
To establish the recommended configuration via GP, set the following UI path to `Clas
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
- LSARPC: LSA access
The recommended state for this setting is: `` (i.e. None).
`Enabled`.
- SAMR: Remote access to SAM objects
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La
When a server holds the _Active Directory Certificate Services_ Role with _Certificatio
full The recommended state for this setting is: `Classic - local users authenticate as themselves`.
With the Guest onl
servers that hold the _Active Directory Certificate Services_ Role with _Certification Authority_
- BROWSER: Computer Browser service
None - this is the default configurat
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
When a server has the _WINS Server_ Feature installed, the above list should also in
accepted This section contains recommendations related to network security.
**Note:** This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Re
Previous releases of Windows Server 2003
```
System\CurrentControlSet\Services\CertSvc
```
`System\CurrentControlSet\Services\WINS`
The recommended state for servers that have the _WINS Server_ Feature installed includes the above list and:
```
System\CurrentControlSet\Services\WINS
```
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication ca
full This setting determines if online identities are able to authenticate to this computer.
When connecting to
Services running as Local System tha
To establish the recommended configuration via GP, set the following UI path to `Disa
Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Enabled`.
This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
full The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R
NULL sessions are
Any applications that require NULL s
To establish the recommended configuration via GP, set the following UI path to `Disa
Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Disabled`.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
full This policy setting allows you to set the encryption types that Kerberos is allowed to use.
With PKU2U, a new extension was introduced to the Negotiate authentication package, `Spnego.dll`. In previous versions o
The PKU2U protoco
To establish the recommended configuration via GP, set the following UI path to `AES
Navigate to the UI Path articulated in the Remediation section and
None - this is the default configurat
If not selected, the encryption type will not be allo
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
full The recommended state for this setting is: `AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types`.
This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the passwo
When computers are configured to accept authentication requests by using online IDs, `Negoexts.dll` calls the PKU2U SSP
The strength of ea
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link
**Note:** Windows Server 2008 (non-R2) and be
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
full The recommended
**Note:**
This policyOlder
Some
setting state
operating
legacy
The SAMfor
determines this
applications
systems setting
filewhether
can and
and
bTo
``` is:
```to
some `Disabled`.
OSes third-party
maythe
establish
disconnect require
```
applications
``` `RC4_HMAC_MD5`
users
recommended may
who are connected fail
None
configurationwhen
to-- we
this
this
the
viarecommend
is policy
local
GP, thesetdefault
setting
theyou
computer behavior.
istest
followingenabled.
outside inUIyour
theirAlso,
pathenvironm
user note
to `Ena
acco
- Join a domain
- Authenticate between Active Directory forests

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
```

If this setting is

The recommended state for this setting is: `Enabled`.

None - this is the default behavior.

To establish the recommended configuration via GP, set the following UI path to: `Sen

Navigate to the UI Path articulated in the Remediation section and
- Authenticate to down-level domains
- Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication

Clients use NTLMv2 authentication only and use

**Note:** This recommendation is unscored because there is not a documented registry value that corresponds to it. We and st

This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests

To establish the recommended configuration via GP, set the following UI path to `Neg

Navigate to the UI Path articulated in the Remediation section and
- Authenticate to computers that are not in the domain

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
```

The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5

**Note:** For information about a hotfix to ensure

**Note:** This policy setting does not have any impact on LDAP simple bind (`ldap_simple_bind`) or LDAP simple bind thro

Unsigned network t

None - this is the default behavior.

To establish the recommended configuration via GP, set the following UI path to `Req

Navigate to the UI Path articulated in the Remediation section and
This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Pro

The Network security: LAN Manager authentication level setting determines which challenge/response authentication proto

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LD
```

The recommended state for this setting is: `Negotiate signing`.

You can enable bot

Configuring this setting to `Require signing` also conforms

NTLM connections will fail if NTLMv2

This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Pr

To establish the recommended configuration via GP, set the following UI path to `Req

Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Require NTLMv2 session security, Require 128-bit encryption`.

`Send NTLMv2 response only. Refuse LM & NTLM`.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
```

You can enable all

NTLM connections will fail if NTLMv2

The recommended state for this setting is: `Require NTLMv2 session security, Require 128-bit encryption`.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\S
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
```
**Note:** These values are dependent on the _Network security: LAN Manager Authentication Level_ security setting value

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section contains recommendations related to the Windows shutdown functionality.

This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is e

To establish the recommended configuration via GP, set the following UI path to `Disa

Navigate to the UI Path articulated in the Remediation section and
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section contains recommendations for configuring the Windows Firewall.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section contains recommendations for configuring the Windows audit facilities.
This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These ev

- 4774: An account was mapped for logon.
- 4775: An account could not be mapped for logon.
- 4776: The Domain Controller attempted to validate the credentials for an account.
- 4777: The Domain Controller failed to validate the credentials for an account.

This section contains recommendations for configuring the Account Logon audit policy.

To establish the recommended configuration via GP, set the following UI path to `Suc

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

Auditing these eve

Navigate to the UI

If no audit settings are configured,

This subcategory reports each event of distribution group management, such as when a distribution group is created, chan

- 4744: A security-disabled local group was created.

This policy setting allows you to audit events generated by changes to application groups such as the following:
- 4745: A security-disabled local group was changed.
- 4746: A member was added to a security-disabled local group.

This section contains recommendations for configuring the Account Management audit policy.

To establish the recommended configuration via GP, set the following UI path to `Suc

- Application group is created, changed, or deleted.
- Member is added or removed from an application group.

This subcategory reports each event of security group management, such as when a security group is created, changed, o

This subcategory reports each event of computer account management, such as when a computer account is created, cha

The recommended state for this setting is: `Success and Failure`.
- 4747: A member was removed from a security-disabled local group.
- 4748: A security-disabled local group was deleted.

Auditing events in

To establish the recommended configuration via GP, set the following UI path to `Suc

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

Navigate to the UI

If no audit settings are configured,

- 4727: A security-enabled global group was created.
- 4728: A member was added to a security-enabled global group.

This subcategory reports each event of user account management, such as when a user account is created, changed, or d

- 4741: A computer account was created.
- 4742: A computer account was changed.

Application groups are utilized by Windows Authorization Manager, which is a flexible framework created by Microsoft for in

- 4749: A security-disabled global group was created.

Auditing events in

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,
- 4729: A member was removed from a security-enabled global group.
- 4730: A security-enabled global group was deleted.

- 4720: A user account was created.
- 4722: A user account was enabled.

- 4743: A computer account was deleted.

- 4750: A security-disabled global group was changed.
- 4751: A member was added to a security-disabled global group.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This subcategory reports other account management events. Events for this subcategory include:

The recommended state for this setting is: `Success and Failure`.

Auditing these eve

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,
- 4731: A security-enabled local group was created.
- 4732: A member was added to a security-enabled local group.

- 4723: An attempt was made to change an account's password.
- 4724: An attempt was made to reset an account's password.

- 4752: A member was removed from a security-disabled global group.
- 4753: A security-disabled global group was deleted.

The recommended state for this setting is: `Success and Failure`.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

- 4782: The password hash an account was accessed.

Auditing these eve

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,
- 4793: The Password Policy Checking API was called.

- 4733: A member was removed from a security-enabled local group.
- 4734: A security-enabled local group was deleted.
- 4735: A security-enabled local group was changed.
- 4737: A security-enabled global group was changed.

- 4725: A user account was disabled.
- 4726: A user account was deleted.
- 4738: A user account was changed.
- 4740: A user account was locked out.

- 4759: A security-disabled universal group was created.
- 4760: A security-disabled universal group was changed.
- 4761: A member was added to a security-disabled universal group.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

Auditing these eve

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

The recommended state for this setting is: `Success and Failure`.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```
- 4762: A member was removed from a security-disabled universal group.
- 4763: A security-disabled universal group was deleted.

Auditing these eve

Navigate to the UI

If no audit settings are configured,

- 4765: SID History was added to an account.
- 4766: An attempt to add SID History to an account failed.

- 4754: A security-enabled universal group was created.
- 4755: A security-enabled universal group was changed.

This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subc

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```
This section contains recommendations for configuring the Detailed Tracking audit policy.

To establish the recommended configuration via GP, set the following UI path to `Suc

- 4756: A member was added to a security-enabled universal group.
- 4757: A member was removed from a security-enabled universal group.
- 4758: A security-enabled universal group was deleted.
- 4764: A group's type was changed.

- 4767: A user account was unlocked.
- 4780: The ACL was set on accounts which are members of administrators groups.
- 4781: The name of an account was changed:
- 4794: An attempt was made to set the Directory Services Restore Mode.

- 4688: A new process has been created.
- 4696: A primary token was assigned to process.

The recommended state for this setting is: `Success and Failure`.

Auditing these eve

Navigate to the UI

If no audit settings are configured, or if audit sett

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

Refer to Microsoft Knowledge Base article 947226: [Description of security events in Windows Vista and in Windows Serve
This section contains recommendations for configuring the Directory Services Access audit policy.

This subcategory reports when an AD DS object is accessed. Only objects with SACLs cause audit events to be generated

To establish the recommended configuration via GP, set the following UI path to `Suc

- 5376: Credential Manager credentials were backed up.
- 5377: Credential Manager credentials were restored from a backup.

This subcategory reports changes to objects in Active Directory Domain Services (AD DS). The types of changes that are r

The recommended state for this setting is: `Success`.

… `Success and Failure`.

- 4662 : An operation was performed on an object.

Auditing these eve

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

- 5136 : A directory service object was modified.
- 5137 : A directory service object was created.
- 5138 : A directory service object was undeleted.
- 5139 : A directory service object was moved.

The recommended state for this setting is: `Success and Failure`.

The recommended state for this setting is: `Success and Failure`.

Auditing these eve

Navigate to the UI

If no audit settings are configured,

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```
This section contains recommendations for configuring the Logon/Logoff audit policy.

This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this

To establish the recommended configuration via GP, set the following UI path to `Suc

This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interac

This subcategory reports other logon/logoff-related events, such as Remote Desktop Services session disconnects and rec

The recommended state for this setting is: `Success and Failure`.
- 4625: An account failed to log on.

Auditing these eve

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. Fo

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

- 4634: An account was logged off.
- 4647: User initiated logoff.

- 4649: A replay attack was detected.

The recommended state for this setting is: `Success and Failure`.

Auditing these eve

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

- 4624: An account was successfully logged on.
- 4625: An account failed to log on.
- 4648: A logon was attempted using explicit credentials.

- 4778: A session was reconnected to a Window Station.
- 4779: A session was disconnected from a Window Station.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

Auditing these eve

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

- 4800: The workstation was locked.

The recommended state for this setting is: `Success`.
This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

- 4801: The workstation was unlocked.
- 4802: The screen saver was invoked.
- 4803: The screen saver was dismissed.

- 4675: SIDs were filtered.

This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileg

Auditing these eve

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

For scheduler jobs, the following are audited:

- Job created.
- Job deleted.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

The recommended state for this setting is: `Success and Failure`.

- 4964 : Special groups have been assigned to a new logon.

Auditing these eve

Navigate to the UI

If no audit settings are configured,

- 5378: The requested credentials delegation was disallowed by policy.
- 5632: A request was made to authenticate to a wireless network.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```
- Job enabled.
- Job disabled.
- Job updated.

- 5633: A request was made to authenticate to a wired network.

This section contains recommendations for configuring the Object Access audit policy.

The recommended state for this setting is: `Success`.

To establish the recommended configuration via GP, set the following UI path to `Suc

This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A securit

The unexpected incre

This subcategory reports changes to audit policy including SACL changes. Events for this subcategory include:

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

The recommended state for this setting is: `Success and Failure`.

This subcategory reports changes in authentication policy. Events for this subcategory include:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```
For COM+ objects, the following are audited:

- Catalog object added.
- Catalog object updated.

- 4715: The audit policy (SACL) on an object was changed.
- 4719: System audit policy was changed.
- 4902: The Per-user audit policy table was created.

- 4706: A new trust was created to a domain.
- 4707: A trust to a domain was removed.

Auditing removable

The recommended state for this setting is: `Success and Failure`.

Navigate to the UI

If no audit settings are configured,

This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the follow

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

**Note:** A Windows 8, Server 2012 (non-R2) or higher OS is required to access and set this value in Group Policy.

This section contains recommendations for configuring the Policy Change audit policy.

To establish the recommended configuration via GP, set the following UI path to `Suc
- Catalog object deleted.

- 4713: Kerberos policy was changed.
- 4716: Trusted domain information was modified.
- 4717: System security access was granted to an account.

- 4904: An attempt was made to register a security event source.
- 4905: An attempt was made to unregister a security event source.
- 4906: The CrashOnAuditFail value has changed.

- Act as part of the operating system
- Back up files and directories
- Create a token object

This subcategory reports changes in authorization policy. Events for this subcategory include:

Auditing these eve

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

The recommended state for this setting is: `Success and Failure`.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```
- 4907: Auditing settings on object were changed.
- 4908: Special Groups Logon table modified.
- 4912: Per User Audit Policy was changed.

- 4718: System security access was removed from an account.
- 4739: Domain Policy was changed.
- 4864: A namespace collision was detected.
- 4865: A trusted forest information entry was added.

- 4704: A user right was assigned.
- 4705: A user right was removed.
- 4706: A new trust was created to a domain.
- 4707: A trust to a domain was removed.

- Debug programs
- Enable computer and user accounts to be trusted for delegation
- Generate security audits
- Impersonate a client after authentication

Auditing these eve

To establish the recommended configuration via GP, set the following UI path to `Suc

Navigate to the UI

If no audit settings are configured,

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

Auditing these eve

Navigate to the UI

If no audit settings are configured,

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```
This section contains recommendations for configuring the Privilege Use audit policy.

- 4866: A trusted forest information entry was removed.
- 4867: A trusted forest information entry was modified.

- 4714: Encrypted data recovery policy was changed.

- Load and unload device drivers
- Manage auditing and security log
- Modify firmware environment values
- Replace a process-level token
- Restore files and directories
- Take ownership of files or other objects

The recommended state for this setting is: `Success and Failure`.

To establish the recommended configuration via GP, set the following UI path to `Suc

The recommended state for this setting is: `Success`.

Auditing these eve

Navigate to the UI

If no audit settings are configured,

The recommended state for this setting is: `Success`.

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This section contains recommendations for configuring the System audit policy.

Auditing this subcategory will create a high volume of events. Events for this subcategory include:
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with the Micro
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `hotspotauth.admx/adml` that is included with the Micro
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `LanmanServer.admx/adml` that is included with the M
This Group Policy section is provided by the Group Policy template `LanmanWorkstation.admx/adml` that is included with t
This section contains recommendations for Link-Layer Topology Discovery settings.
This section contains recommendations for Microsoft Peer-to-Peer Networking Services settings.

This Group Policy section is provided by the Group Policy template `LinkLayerTopologyDiscovery.admx/adml` that is includ
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `P2P-pnrp.admx/adml` that is included with all versions
This section contains recommendations for Network Connections settings.

This Group Policy section is provided by the Group Policy template `P2P-pnrp.admx/adml` that is included with all versions

To establish the recommended configuration via GP, set the following UI path to `Ena

Navigate to the UI Path articulated in the Remediation section and
You can use this procedure to control users' ability to install and configure a Network Bridge.

The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) br

This Group Policy section is provided by the Group Policy template `NetworkConnections.admx/adml` that is included with

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Network\Network Connect
```

Navigate to the UI Path articulated in the Remediation section and

Users cannot create or configure a N

The recommended state for this setting is: `Enabled`.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

This policy setting determines whether to require domain users to elevate when setting a network's location.

In an enterprise managed environment, where there is a need to control network traffic to only authorize
Allowing regular u

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

```
Computer Configuration\Policies\Administrative Templates\Network\Network Connect
```

Domain users must elevate when setti

The recommended state for this setting is: `Enabled`.

**Note:** This Group Policy path is provided by the Group Policy template `NetworkCo

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
This Group Policy section is provided by the Group Policy template `WindowsFirewall.admx/adml` that is included with all v

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy path may not exist by default. It is provided by the Group

**Note:** This section was initially named _Windows Firewall_ but was renamed by Microsoft to _Windows Defender Firew
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `NCSI.admx/adml` that is included with all versions of t

In February 2015, Microsoft released a new control mechanism to mitigate a security risk in Group Polic

To establish the recommended configuration via GP, set the following UI path to `Ena
This section contains recommendations for Network Provider settings.

This Group Policy section is provided by the Group Policy template `NetworkIsolation.admx/adml` that is included with the

Once the new GPO template is in place, the following are the minimum requirements to remediate the G

Navigate to the UI Path articulated in the Remediation section and
This policy setting configures secure access to UNC paths.

This Group Policy section is provided by the Group Policy template `NetworkProvider.admx/adml` that is included with the

The recommended state for this setting is: `Enabled, with "Require Mutual Authentication" and "Require Integrity" set for al

```
\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1
\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1
```

Windows only allows access to the spe

```
\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1
\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1
```

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** If the environment exclusively contains Windows 8.0 / Server 2012 or higher systems, then the "`Privacy`" setting

```
Computer Configuration\Policies\Administrative Templates\Network\Network Provider
```

**Note:** A reboot may be required after the setting is applied to a client machine to access the above p
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `OfflineFiles.admx/adml` that is included with all version

**Note:** This Group Policy path does not exist by default. An additional Group Policy
Additional guidance on the deployment of this security setting is available from the Microsoft Premier Fie
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `QOS.admx/adml` that is included with all versions of th
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Snmp.admx/adml` that is included with all versions of t
This section contains TCP/IP configuration settings.

This Group Policy section is provided by the Group Policy template `CipherSuiteOrder.admx/adml` that is included with all
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `tcpip.admx/adml` that is included with the Microsoft W
This section contains TCP/IP configuration parameter settings.

This Group Policy section is provided by the Group Policy template `tcpip.admx/adml` that is included with the Microsoft W
This section contains recommendations for Windows Connect Now settings.

This Group Policy section is provided by the Group Policy template `tcpip.admx/adml` that is included with the Microsoft W
This section contains recommendations for Windows Connection Manager settings.

This Group Policy section is provided by the Group Policy template `WindowsConnectNow.admx/adml` that is included with

To establish the recommended configuration via GP, set the following UI path to `Ena

Navigate to the UI Path articulated in the Remediation section and
This policy setting prevents computers from connecting to both a domain based network and a non-domain based network

This Group Policy section is provided by the Group Policy template `WCM.admx/adml` that is included with the Microsoft W

Blocking simultane

```
Computer Configuration\Policies\Administrative Templates\Network\Windows Connec
```

None - this is the default behavior.

The recommended state for this setting is: `Enabled`.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions

**Note:** This Group Policy path may not exist by default. It is provided by the Group
This section contains recommendations for System settings.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with the Microso
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `srm-fci.admx/adml` that is included with the Microsoft W
This section contains settings related to auditing of process creation events.

This Group Policy section is provided by the Group Policy template `appv.admx/adml` that is included with the Microsoft W

To establish the recommended configuration via GP, set the following UI path to `Disa

Navigate to the UI Path articulated in the Remediation section and
This policy setting determines what information is logged in security audit events when a new process has been created.

This Group Policy section is provided by the Group Policy template `AuditSettings.admx/adml` that is included with the Mic

When this policy s

```
Computer Configuration\Policies\Administrative Templates\System\Audit Process Cre
```

None - this is the default behavior.

The recommended state for this setting is: `Disabled`.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```

This section contains settings related to Credential Delegation.

To establish the recommended configuration via GP, set the following UI path to `Ena
Remote host allows delegation of non-exportable credentials.

Navigate to the UI Path articulated in the Remediation section and

When using credential delegation, devices provide an export

_Restricted Admin Mode_ was designed to help protect administrator accounts by ensuring that reusabl

This Group Policy section is provided by the Group Policy template `CredSsp.admx/adml` that is included with all versions

**Note:** This Group Policy path may not exist by default. It is provided by the Group
full The recommended_Windows
state for this
Defender
setting
Computer
Remote
is: `Enabled`.
Configuration\Policies\Administrative
Credential
``` Guard_ helps you Theprotect
host will
Templates\System\Credentials
your
support
credentials
the _Restric
over a RemoteDelegDesk
Both features
This section is intentionally blankshould
and``` be enabled
exists to ensure andthe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
supported,
structure as they reduce
of Windows the chanceisof
benchmarks credential theft.
consistent.
accepted **Note:** More detailed information on Windows Defender ``` Remote Credential Guard and how it compares to Restricted Ad
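The following PowerShell is an added example and not text from the CIS benchmark. It shows what the process-creation audit setting above actually changes on a host: it reads the current registry state and then inspects the newest Security event 4688 (process creation) entries to see whether the `CommandLine` field is populated. The full key path and the value name `ProcessCreationIncludeCmdLine_Enabled` are taken from the Windows Administrative Templates as I know them; the benchmark text above shows the key only in truncated form, so verify both against your own copy. The script needs an elevated session (the Security log is not readable otherwise) and the "Audit Process Creation" subcategory enabled, or there are no 4688 events to inspect.

```powershell
# Added example (not from the CIS benchmark). Shows the observable effect of
# 'Include command line in process creation events' on Security event 4688.
# ASSUMPTION: the key path and value name below come from the Windows ADMX files
# as I know them; the benchmark page only shows the key in truncated form.
$AuditKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$AuditValue = 'ProcessCreationIncludeCmdLine_Enabled'

function Get-CmdLineAuditState {
    # Not configured and 0 both mean the command line is NOT logged (the state
    # this benchmark version recommends); 1 means every 4688 carries it.
    $v = (Get-ItemProperty -Path $AuditKey -Name $AuditValue -ErrorAction SilentlyContinue).$AuditValue
    if ($v -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Get-RecentProcessCreations {
    # Pull the newest 4688 events and flatten their EventData into objects.
    param([int]$Count = 25)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                           -MaxEvents $Count -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Subject     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            NewProcess  = $data['NewProcessName']
            CommandLine = $data['CommandLine']   # empty when the policy is Disabled
        }
    }
}

"Include command line in process creation events: $(Get-CmdLineAuditState)"
$recent = @(Get-RecentProcessCreations)
if ($recent.Count -eq 0) {
    'No 4688 events found; check that the "Audit Process Creation" subcategory is enabled ' +
    '(auditpol /get /subcategory:"Process Creation").'
} else {
    $recent | Format-Table TimeCreated, Subject, NewProcess, CommandLine -AutoSize -Wrap
    $withArgs = @($recent | Where-Object { $_.CommandLine }).Count
    # With the policy Disabled every CommandLine is empty; with it Enabled the full
    # argument string is stored and is readable by anyone who can read the Security
    # log, which is the exposure this recommendation is about.
    "$withArgs of $($recent.Count) recent process-creation events carry a command line"
}
```

Run it once before and once after changing the policy (a new process must start in between) to see the `CommandLine` column switch between empty and populated; the registry read alone only tells you the configured state, not whether the audit subcategory is producing events at all.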
This Group Policy section is provided by the Group Policy template `DeviceGuard.admx/adml` that is included with the Mic

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy path may not exist by default. It is provided by the Group
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `TPM.admx/adml` that is included with the Microsoft W
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DeviceInstallation.admx/adml` that is included with all
This Group Policy section is provided by the Group Policy template `DeviceRedirection.admx/adml` that is included with the
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DiskNVCache.admx/adml` that is included with all vers
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DiskQuota.admx/adml` that is included with all version
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Display.admx/adml` that is included with the Microsoft
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DCOM.admx/adml` that is included with all versions of

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DeviceInstallation.admx/adml` that is included with all

This section contains recommendations for configuring boot-start driver initialization settings.

This Group Policy section is provided by the Group Policy template `EarlyLaunchAM.admx/adml` that is included with the M

This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an E

- `Good`: The driver has been signed and has not been tampered with.
- `Bad`: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initiali
- `Bad, but required for boot`: The driver has been identified as malware, but the computer cannot successfully boot withou
- `Unknown`: This driver has not been attested to by your malware detection application and has not been classified by the

If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is

If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launc

The recommended state for this setting is: `Enabled: Good, unknown and bad but critical`.

Rationale: This policy settin

Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Early Launch Antim
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Ea
```

Default value: None - this is the default behavior.

Audit: Navigate to the UI Path articulated in the Remediation section and

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `EnhancedStorage.admx/adml` that is included with the

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `srm-fci.admx/adml` that is included with the Microsoft W
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `FileServerVSSAgent.admx/adml` that is included with
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `FileServerVSSProvider.admx/adml` that is included w

This Group Policy section is provided by the Group Policy template `FileSys.admx/adml` that is included with all versions o

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This section was initially named _NTFS Filesystem_ but was renamed by Microsoft to _Filesystem_ starting with
This Group Policy section is provided by the Group Policy template `FolderRedirection.admx/adml` that is included with all

This section contains recommendations for configuring group policy-related settings.

This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with all versio

The "Do not apply during periodic background processing" option prevents the system from updating affected policies in th

The recommended state for this setting is: `Enabled: FALSE` (unchecked).

Rationale: Setting this optio

Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Conf
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

Impact: Group Policies will be reapplied eve

Audit: Navigate to the UI Path articulated in the Remediation section and

The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies

The recommended state for this setting is: `Enabled: TRUE` (checked).

Rationale: Setting this optio

Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Conf
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

Impact: Group Policies will be reapplied eve

Audit: Navigate to the UI Path articulated in the Remediation section and

This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Gr

The recommended state for this setting is: `Disabled`.

Rationale: This setting ensur

Remediation: To establish the recommended configuration via GP, set the following UI path to `Disa

```
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Turn
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```

Default value: None - this is the default behavior.

Audit: Navigate to the UI Path articulated in the Remediation section and

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `GroupPolicyPreferences.admx/adml` that is included w

**Note:** This Group Policy path is provided by the Group Policy template `GroupPoli

This section contains recommendations related to Internet Communication Management.
This section contains recommendations related to Internet Communication settings.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions

This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing,

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions

The recommended state for this setting is: `Enabled`.

Rationale: Users might downlo

Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Internet Communi
```

**Note:** This Group Policy path is provided by the Group Policy template `ICM.admx

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

Impact: Print drivers cannot be downloaded over HTTP.

Audit: Navigate to the UI Path articulated in the Remediation section and

This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering w

**Note:** This policy setting does not prevent the

The recommended state for this setting is: `Enabled`.

Rationale: Although the risk

Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Internet Communi
```

**Note:** This Group Policy path is provided by the Group Policy template `ICM.admx

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```

Impact: Windows is prevented from downloadin

Audit: Navigate to the UI Path articulated in the Remediation section and

This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to

**Note:** This policy setting affects the client side

The recommended state for this setting is: `Enabled`.

Rationale: Information that i

Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Internet Communi
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

Impact: The client computer will not be able to print to Int

Audit: Navigate to the UI Path articulated in the Remediation section and

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This Group Policy path is provided by the Group Policy template `ICM.admx

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `iSCSI.admx/adml` that is included with all versions of t
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `KDC.admx/adml` that is included with the Microsoft W
This section contains recommendations for Locale Services settings.

This Group Policy section is provided by the Group Policy template `Kerberos.admx/adml` that is included with all versions
This section contains recommendations related to the logon process and lock screen.

This Group Policy section is provided by the Group Policy template `Globalization.admx/adml` that is included with all versi

This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.

This Group Policy section is provided by the Group Policy template `Logon.admx/adml` that is included with all versions of

The recommended state for this setting is: `Enabled`.

Rationale: An unauthorized us

Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Logon\Do not disp
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

Impact: The PC's network connectivity state

Audit: Navigate to the UI Path articulated in the Remediation section and

This policy setting prevents connected users from being enumerated on domain-joined computers.

The recommended state for this setting is: `Enabled`.

Rationale: A malicious user c

Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Logon\Do not enu
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

Impact: The Logon UI will not enumerate an

Audit: Navigate to the UI Path articulated in the Remediation section and

This policy setting allows you to prevent app notifications from appearing on the lock screen.

The recommended state for this setting is: `Enabled`.

Rationale: App notifications

Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Logon\Turn off ap
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

Impact: No app notifications are displayed on

Audit: Navigate to the UI Path articulated in the Remediation section and

This policy setting allows you to control whether a domain user can sign in using a picture password. If the picture password feature is permitted, the user's domain password is cached in the system vault when using this feature.

The recommended state for this setting is: `Enabled`.

Rationale: Picture passwords

Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Logon\Turn off pic
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

Impact: Users will not be able to set up or si

Audit: Navigate to the UI Path articulated in the Remediation section and

This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, conve

**Note:** The user's domain password will be cached in the system vault when using this feature.

The recommended state for this setting is: `Disabled`.

Rationale: A PIN is created f

Remediation: To establish the recommended configuration via GP, set the following UI path to `Disa

```
Computer Configuration\Policies\Administrative Templates\System\Logon\Turn on con
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

Default value: None - this is the default behavior.

Audit: Navigate to the UI Path articulated in the Remediation section and

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with the Micro

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Netlogon.admx/adml` that is included with all versions
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `OSPolicy.admx/adml` that is included with the Microso
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `PerfCenterCPL.admx/adml` that is only included with t
This section contains recommendations for Power Management settings.

This Group Policy section is provided by the Group Policy template `Passport.admx/adml` that is included with the Microso
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with the Microsoft W

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of
This section contains recommendations related to Power Management Sleep mode.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with the Microsoft W

Specifies whether or not the user is prompted for a password when the system resumes from sleep.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of

The recommended state for this setting is: `Enabled`.

Rationale: Enabling this sett

Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Power Manageme
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\P
```

Default value: None - this is the default behavior.

Audit: Navigate to the UI Path articulated in the Remediation section and

Specifies whether or not the user is prompted for a password when the system resumes from sleep.

The recommended state for this setting is: `Enabled`.

Rationale: Enabling this sett

Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Power Manageme
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\P
```

Default value: None - this is the default behavior.

Audit: Navigate to the UI Path articulated in the Remediation section and

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section contains recommendations related to Remote Assistance.

This Group Policy section is provided by the Group Policy template `ReAgent.admx/adml` that is included with the Microso

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.

This Group Policy section is provided by the Group Policy template `RemoteAssistance.admx/adml` that is included with al

The recommended state for this setting is: `Disabled`.

Rationale: A user might be tr

Remediation: To establish the recommended configuration via GP, set the following UI path to `Disa

```
Computer Configuration\Policies\Administrative Templates\System\Remote Assistanc
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

Default value: None - this is the default behavior.

Impact: Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user ass

Audit: Navigate to the UI Path articulated in the Remediation section and

This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.

The recommended state for this setting is: `Disabled`.

Rationale: There is slight ri

Remediation: To establish the recommended configuration via GP, set the following UI path to `Disa

```
Computer Configuration\Policies\Administrative Templates\System\Remote Assistanc
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

Impact: Users on this computer cannot use e-

Audit: Navigate to the UI Path articulated in the Remediation section and

This section contains recommendations related to Remote Procedure Call.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `RPC.admx/adml` that is included with all versions of th

**Note:** This Group Policy path may not exist by default. It is provided by the Group
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `RemovableStorage.admx/adml` that is included with a
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Scripts.admx/adml` that is included with all versions of
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `ServerManager.admx/adml` that is included with all ve
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WinInit.admx/adml` that is included with the Microsoft
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Winsrv.admx/adml` that is included with all versions of
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `StorageHealth.admx/adml` that is included with the Mi
This section contains recommendations related to Troubleshooting and Diagnostics.

This Group Policy section is provided by the Group Policy template `SystemRestore.admx/adml` that is included with all ve
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `pca.admx/adml` that is included with all versions of the
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `FileRecovery.admx/adml` that is included with all versi
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DiskDiagnostic.admx/adml` that is included with all ver
This section contains recommendations related to the Microsoft Support Diagnostic Tool.

This Group Policy section is provided by the Group Policy template `fthsvc.admx/adml` that is included with the Microsoft W
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `MSDT.admx/adml` that is included with all versions of
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Msi-FileRecovery.admx/adml` that is included with the
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `sdiagschd.admx/adml` that is included with the Micros
This Group Policy section is provided by the Group Policy template `sdiageng.admx/adml` that is included with the Microso
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `PerformanceDiagnostics.admx/adml` that is included w
This section contains recommendations related to Windows Performance PerfTrack.

This Group Policy section is provided by the Group Policy template `LeakDiagnostic.admx/adml` that is included with all ve
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `PerformancePerftrack.admx/adml` that is included with
This section contains recommendations related to User Profiles.

This Group Policy section is provided by the Group Policy template `TPM.admx/adml` that is included with all versions of th
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `UserProfiles.admx/adml` that is included with all versio
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WindowsFileProtection.admx/adml` that is included wi
This section contains recommendations related to the Windows Time Service.

This Group Policy section is provided by the Group Policy template `HotStart.admx/adml` that is only included with the Micr
This section contains recommendations related to Time Providers.

This Group Policy section is provided by the Group Policy template `W32Time.admx/adml` that is included with all versions
This section contains recommendations for Windows Component settings.

This Group Policy section is provided by the Group Policy template `W32Time.admx/adml` that is included with all versions
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `adfs.admx/adml` that is only included with the Microso
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `ActiveXInstallService.admx/adml` that is included with

This Group Policy section is provided by the Group Policy template `WindowsAnytimeUpgrade.admx/adml` that is included

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This section was initially named _Windows Anytime Upgrade_ but was renamed by Microsoft to _Add features to
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `AppxPackageManager.admx/adml` that is included wit
This section contains recommendations for App runtime settings.

This Group Policy section is provided by the Group Policy template `AppPrivacy.admx/adml` that is included with the Micro

This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an accoun

This Group Policy section is provided by the Group Policy template `AppXRuntime.admx/adml` that is included with the Mic

The recommended state for this setting is: `Enabled`.

Rationale: Enabling this sett

Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Ap
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```

Impact: Windows Store apps that typically requ

Audit: Navigate to the UI Path articulated in the Remediation section and

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section contains recommendations for AutoPlay policies.

This Group Policy section is provided by the Group Policy template `AppCompat.admx/adml` that is included with all versio

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This policy setting disallows AutoPlay for MTP devices like cameras or phones.

This Group Policy section is provided by the Group Policy template `AutoPlay.admx/adml` that is included with all versions

The recommended state for this setting is: `Enabled`.

Rationale: An attacker could

Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Au
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

Impact: AutoPlay will not be allowed for MTP

Audit: Navigate to the UI Path articulated in the Remediation section and

This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in `autorun.inf

The recommended state for this setting is: `Enabled: Do not execute autorun commands`.

Rationale: Prior to Windows V

Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Au
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```

Impact: AutoRun commands will be completel

Audit: Navigate to the UI Path articulated in the Remediation section and

Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or au

**Note:** You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such a

The recommended state for this setting is: `Enabled: All drives`.

Rationale: An attacker could

Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Au
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```

Impact: Autoplay will be disabled - users wil

Audit: Navigate to the UI Path articulated in the Remediation section and

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This Group Policy path is provided by the Group Policy template `AutoPlay.a

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `UserDataBackup.admx/adml` that is only included with
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Biometrics.admx/adml` that is included with the Micros
This Group Policy section is provided by the Group Policy template `VolumeEncryption.admx/adml` that is included with all

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Camera.admx/adml` that is included with the Microsoft

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CloudContent.admx/adml` that is included with the Mic

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WirelessDisplay.admx/adml` that is included with the M

This section contains recommendations related to the Credential User Interface.

To establish the recommended configuration via GP, set the following UI path to `Ena

Navigate to the UI Path articulated in the Remediation section and
This Group Policy section is provided by the Group Policy template `CredUI.admx/adml` that is included with all versions of

This policy setting allows you to configure the display of the password reveal button in password entry user experiences.

This is a useful f

The password reveal button will not

To establish the recommended configuration via GP, set the following UI path to `Disa

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Cre
```

Navigate to the UI Path articulated in the Remediation section and

This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running applica

Users could see th

None - this is the default behavior.

The recommended state for this setting is: `Enabled`.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Cre
```
The recommended state for this setting is: `Disabled`.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with the Microso

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy path may not exist by default. It is provided by the Group Policy template `CredUI.ad
This Group Policy section is provided by the Group Policy template `DeliveryOptimization.admx/adml` that is included with

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Sidebar.admx/adml` that is included with the Microsoft
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DWM.admx/adml` that is included with all versions of t

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DeviceCompat.admx/adml` that is included with the M
This Group Policy section is provided by the Group Policy template `WorkplaceJoin.admx/adml` that is included with the M

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This section was initially named _Workplace Join_ but was renamed by Microsoft to _Device Registration_ startin

This Group Policy section is provided by the Group Policy template `DigitalLocker.admx/adml` that is included with all versi

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `EdgeUI.admx/adml` that is included with the Microsoft

This section contains recommendations for configuring Microsoft Enhanced Mitigation Experience Toolkit (EMET).

EMET is free and supported security software developed by Microsoft that allows an enterprise to apply exploit mitigations

More information on EMET, including download and User Guide, can be obtained here:

- [Enhanced Mitigation Experience Toolkit - EMET - TechNet Security](https://technet.microsoft.com/en-us/security/jj653751

This Group Policy section is provided by the Group Policy template `EMET.admx/adml` that is included with Microsoft EME

The Enhanced Mitigation Experience Toolkit (EMET) is free and supported security software developed by Microsoft

The recommended state for this setting is: EMET 5.52

**Note:** Although EMET is quite effective at enhancing exploit protection on Windows server OSes prior to Server 2016, it

**Note #2:** EMET has been reported to be very problematic on 32-bit OSes - we only recommend using it with 64-bit OSe

**Note #3:** Microsoft has announced that EMET will be End-Of-Life (EOL) on July 31, 2018. This does not mean the softw

Navigate to `Control Panel\Program\Programs and Featu

Install EMET

This setting configures the default action after detection and advanced ROP mitigation.

These advanced ROP mitigations apply to all configured software in EMET:

- **Deep Hooks** protects critical APIs and the subsequent lower level APIs used by the top level critica
- **Anti Detours** renders ineffective exploits that evade hooks by executing a copy of the hooked functi
- **Banned Functions** will block calls to `ntdll!LdrHotPatchRoutine` to mitigate potential exploits abusin

The advanced mitigations available in

The recommended state for this setting is:

- Default Action and Mitigation Settings - `Enabled`
- Deep Hooks - `Enabled`
- Anti Detours - `Enabled`
- Banned Functions - `Enabled`
- Exploit Action - `User Configured`

**Note:** Although EMET is quite effective at enhancing exploit protection on Windows server OSes prior to Server 2016, it

**Note #2:** EMET has been reported to be very problematic on 32-bit OSes - we only recommend using it with 64-bit OSe

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\S
```

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```

**Note:** This Group Policy path does not exist by default. An additional Group Policy

This setting determines if recommended EMET mitigations are applied to Internet Explorer.

Applying EMET mitig

EMET mitigations will be applied to I

The recommended state for this setting is: `Enabled`.

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\D
```

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```

**Note:** This Group Policy path does not exist by default. An additional Group Policy

This setting determines if recommended EMET mitigations are applied to the following popular software:

- 7-Zip
- Adobe Photoshop
- Foxit Reader
- Google Chrome
- Google Talk
- iTunes
- Microsoft Live Writer
- Microsoft Lync Communicator
- Microsoft Photo Gallery
- Microsoft SkyDrive
- mIRC
- Mozilla Firefox
- Mozilla Thunderbird
- Opera
- Pidgin
- QuickTime Player
- RealPlayer
- Safari
- Skype
- VideoLAN VLC
- Winamp
- Windows Live Mail
- Windows Media Player
- WinRAR
- WinZip

Applying EMET miti

EMET mitigations will be applied to th

The recommended state for this setting is: `Enabled`.

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\D
```

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```

**Note:** This Group Policy path does not exist by default. An additional Group Policy

This setting determines if recommended EMET mitigations are applied to the following software:

- Adobe Acrobat
- Adobe Acrobat Reader
- Microsoft Office suite applications
- Oracle Java
- WordPad

Applying EMET miti

EMET mitigations will be applied to

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\D
```

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```

**Note:** This Group Policy path does not exist by default. An additional Group Policy

This setting determines how applications become enrolled in Address Space Layout Randomization (ASLR).

ASLR reduces the p

ASLR protections will be enabled on

The recommended state for this setting is: `Enabled: Application Opt-In`.

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\S
```

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```

**Note:** This Group Policy path does not exist by default. An additional Group Policy

This setting determines how applications become enrolled in Data Execution Protection (DEP).

DEP marks pages of

DEP protections will be enabled on *a

The recommended state for this setting is: `Enabled: Application Opt-Out`.

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\S
```

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```

**Note:** This Group Policy path does not exist by default. An additional Group Policy

This setting determines how applications become enrolled in Structured Exception Handler Overwrite Protection (SEHOP).

When a software co

SEHOP protections will be enabled on

The recommended state for this setting is: `Enabled: Application Opt-Out`.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\S
```

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```

**Note:** This Group Policy path does not exist by default. An additional Group Policy

This Group Policy section is provided by the Group Policy template `EventForwarding.admx/adml` that is included with the

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section contains recommendations for configuring Event Log Service.

To establish the recommended configuration via GP, set the following UI path to `Disa

This section contains recommendations for configuring Application Event Log.

This Group Policy section is provided by the Group Policy template `EventLog.admx/adml` that is included with all versions
The recommended state for this setting is: `Enabled`.

This Group Policy section is provided by the Group Policy template `EventLog.admx/adml` that is included with all versions

This policy setting controls Event Log behavior when the log file reaches its maximum size.

If new events are

When event logs fill to capacity, they will stop rec

None - this is the default behavior.

The recommended state for this setting is: `Disabled`.

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

To establish the recommended configuration via GP, set the following UI path to `Disa

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Eve
```

**Note:** This Group Policy path is provided by the Group Policy template `EventLog.

This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured betw

**Note:** Old events may or may not be retained according to the _Backup log automatically when full_ policy setting.

If events are not

The consequence of this configuration is that old

The recommended state for this setting is: `Enabled: 32,768 or greater`.

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Eve
```

This section contains recommendations for configuring the Security Event Log.
This Group Policy section is provided by the Group Policy template `EventLog.admx/adml` that is included with all versions

This policy setting controls Event Log behavior when the log file reaches its maximum size.

Ideally, all specifically monitored events should

If new events are

When event logs fill to capacity, they will stop rec

None - this is the default behavior.

The recommended state for this setting is: `Disabled`.

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

To establish the recommended configuration via GP, set the following UI path to `Disa

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Eve
```

**Note:** This Group Policy path is provided by the Group Policy template `EventLog.

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini

This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured betw

**Note:** Old events may or may not be retained according to the _Backup log automatically when full_ policy setting.

If events are not

The consequence of this configuration is that old

The recommended state for this setting is: `Enabled: 196,608 or greater`.

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Eve
```

**Note:** This Group Policy path is provided by the Group Policy template `EventLog.

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini

This section contains recommendations for configuring the Setup Event Log.
This Group Policy section is provided by the Group Policy template `EventLog.admx/adml` that is included with all versions

This policy setting controls Event Log behavior when the log file reaches its maximum size.

Ideally, all specifically monitored events should

If new events are

When event logs fill to capacity, they will stop rec

None - this is the default behavior.

The recommended state for this setting is: `Disabled`.

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

To establish the recommended configuration via GP, set the following UI path to `Disa

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Eve
```

**Note:** This Group Policy path is provided by the Group Policy template `EventLog.

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini

This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured betw

**Note:** Old events may or may not be retained according to the _Backup log automatically when full_ policy setting.

If events are not

The consequence of this configuration is that old

The recommended state for this setting is: `Enabled: 32,768 or greater`.

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Eve
```

**Note:** This Group Policy path is provided by the Group Policy template `EventLog.

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini

This section contains recommendations for configuring the System Event Log.
This Group Policy section is provided by the Group Policy template `EventLog.admx/adml` that is included with all versions

This policy setting controls Event Log behavior when the log file reaches its maximum size.

Ideally, all specifically monitored events should

If new events are

When event logs fill to capacity, they will stop rec

None - this is the default behavior.

The recommended state for this setting is: `Disabled`.

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Eve
```

**Note:** This Group Policy path is provided by the Group Policy template `EventLog.

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini

This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured betw

**Note:** Old events may or may not be retained according to the _Backup log automatically when full_ policy setting.

If events are not

The consequence of this configuration is that old

The recommended state for this setting is: `Enabled: 32,768 or greater`.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path is provided by the Group Policy template `EventLog.

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini

Ideally, all specifically monitored events should

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `EventLogging.admx/adml` that is included with the Mic

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini

This Group Policy section is provided by the Group Policy template `EventViewer.admx/adml` that is included with all versio

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section contains recommendations to control the availability of options such as menu items and tabs in dialog boxes.

This Group Policy section is provided by the Group Policy template `ParentalControls.admx/adml` that is only included with

**Note:** This section was initially named _Parental Controls_ but was renamed by Microsoft to _Family Safety_ starting

This Group Policy section is provided by the Group Policy template `WindowsExplorer.admx/adml` that is included with all

Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer.

To establish the recommended configuration via GP, set the following UI path to `Disa

Navigate to the UI Path articulated in the Remediation section and
To establish the recommended configuration via GP, set the following UI path to `Disa

**Note:** This section was initially named _Windows Explorer_ but was renamed by Microsoft to _File Explorer_ starting wi

Data Execution Pre

The recommended state for this setting is: `Disabled`.

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

```
Computer Configuration\Policies\Administrative Templates\Windows Components\File
```

None - this is the default behavior.

**Note:** Some legacy plug-in applications and other software may not function with Data Execution Prevention and will req

Without heap termination on corruption, legacy plug-in applications may continue to function when a File Explorer session h

Allowing an applic

None - this is the default behavior.

The recommended state for this setting is: `Disabled`.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

```
Computer Configuration\Policies\Administrative Templates\Windows Components\File
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

**Note:** This Group Policy path is provided by the Group Policy template `Explorer.a

This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full f

Limiting the openin

None - this is the default behavior.

The recommended state for this setting is: `Disabled`.

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```

To establish the recommended configuration via GP, set the following UI path to `Disa

```
Computer Configuration\Policies\Administrative Templates\Windows Components\File
```

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `PreviousVersions.admx/adml` that is included with all

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy path is provided by the Group Policy template `WindowsE
This Group Policy section is provided by the Group Policy template `FileHistory.admx/adml` that is included with the Micros

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `FindMy.admx/adml` that is included with the Microsoft

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `GameExplorer.admx/adml` that is included with all ver

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Handwriting.admx/adml` that is included with the Micro

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Sharing.admx/adml` that is included with the Microsoft

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `CaptureWizard.admx/adml` that is only included with t

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions o

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `IIS.admx/adml` that is included with all versions of the

This section contains settings for Locations and Sensors.

This Group Policy section is provided by the Group Policy template `Sensors.admx/adml` that is included with the Microsof

This section contains settings for Windows Location Provider.

This Group Policy section is provided by the Group Policy template `LocationProviderAdm.admx/adml` that is included with

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `msched.admx/adml` that is included with the Microsoft

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WinMaps.admx/adml` that is included with the Microso

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `MDM.admx/adml` that is included with the Microsoft W

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Messaging.admx/adml` that is included with the Micros

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `MSAPolicy.admx/adml` that is included with the Micros

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `MicrosoftEdge.admx/adml` that is included with the Mi

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `FidoAuth.admx/adml` that is included with the Microso

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DeviceCredential.admx/adml` that is included with the

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `UserExperienceVirtualization.admx/adml` that is includ

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Conf.admx/adml` that is included with all versions of th

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `NAPXPQec.admx/adml` that is only included with the M

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `NetworkProjection.admx/adml` that is only included wi

This section contains recommendations related to OneDrive.

The Group Policy settings contained within this section are provided by the Group Policy template `SkyDrive.admx/adml` th

**Note:** This section was initially named _SkyDrive_ but was renamed by Microsoft to _OneDrive_ starting with the Micros

This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync

Users can't access OneDrive from the OneDrive

Enabling this sett

The recommended state for this setting is: `Enabled`.

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Windows Components\On
```

**Note:** If your organization uses Office 365, be

This policy setting lets you prevent apps and features from working with files on OneDrive using the legacy OneDrive/SkyD

Users can't access OneDrive from the OneDrive

Enabling this sett

The recommended state for this setting is: `Enabled`.

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Windows Components\On
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

**Note:** If your organization uses Office 365, be

**Note:** Despite the name of this setting, it is applicable to the legacy OneDrive client on any Windows OS.

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was na

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `HelpAndSupport.admx/adml` that is included with all v

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This Group Policy section is provided by the Group Policy template `PswdSync.admx/adml` that is only included with the M

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `ExternalBoot.admx/adml` that is included with the Micr

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `MobilePCPresentationSettings.admx/adml` that is inclu

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `PushToInstall.admx/adml` that is included with the Mic

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section contains recommendations related to Remote Desktop Services.

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve

**Note:** This section was initially named _Terminal Services_ but was renamed by Microsoft to _Remote Desktop Service

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve

**Note:** This section was initially named _TS Licensing_ but was renamed by Microsoft to _RD Licensing_ starting with th

This section contains recommendations for the Remote Desktop Connection Client.

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve

This policy setting helps prevent Remote Desktop clients from saving passwords on a computer.

An attacker with

The password saving checkbox will be

The recommended state for this setting is: `Enabled`.

**Note:** If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords wi

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Re
```

**Note:** This Group Policy path is provided by the Group Policy template `TerminalS

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This section contains recommendations for the Remote Desktop Session Host.

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with the M

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This section was initially named _Terminal Server_ but was renamed by Microsoft to _Remote Desktop Session H
Group Policy
This section section
contains is provided by for
recommendations theConnections
Group Policytotemplate `TerminalServer-Server.admx/adml`
the Remote Desktop Session Host. that is included wit
This section contains recommendations related to the Remote Desktop Session Host Device and Resource Redirection.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that th
`\\TSClient\$`
If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them.
Data could be forw
Drive redirection will not be possible
To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Re
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is provided by the Group Policy template `TerminalS
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This section was initially named _TS Connection Broker_ but was renamed by Microsoft to _RD Connection Brok
To establish the recommended configuration via GP, set the following UI path to `Ena
This section contains recommendations related to Remote Desktop Session Host Security.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
Navigate to the UI Path articulated in the Remediation section and
This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon co
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
Users have the opt
Users cannot automatically log on to
To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Re
```
Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Enabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC)
To establish the recommended configuration via GP, set the following UI path to `Ena
You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated req
Allowing unsecure
Remote Desktop Services accepts
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Re
```
Navigate to the UI Path articulated in the Remediation section and
**Note:** This Group Policy path is provided by the Group Policy template `TerminalS
This policy setting specifies whether to require the use of a specific encryption level to secure communications between clie
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
The recommended state for this setting is: `Enabled`.
If Remote Desktop
**Note #2:** In the Microsoft Windows Vista Administrative Templates, this setting wa
None - this is the default behavior.
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Re
```
The recommended state for this setting is: `Enabled: High Level`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This Group Policy path is provided by the Group Policy template `TerminalS
This section contains recommendations related to Remote Desktop Session Host Session Time Limits.
To establish the recommended configuration via GP, set the following UI path to `Disa
This section contains recommendations related to Remote Desktop Session Host Session Temporary folders.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
**Note:** This Group Policy path is provided by the Group Policy template `TerminalS
Navigate to the UI Path articulated in the Remediation section and
This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active s
To reclaim disk space, the temporary folder is deleted when the user logs off from a session.
Sensitive informat
Disabling this set
The recommended state for this setting is: `Disabled`.
To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Re
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
None - this is the default behavior.
**Note:** This Group Policy path is provided by the Group Policy template `TerminalS
To establish the recommended configuration via GP, set the following UI path to `Ena
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Re
```
None - this is the default behavior.
This section contains recommendations related to RSS feeds.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
The recommended state for this setting is: `Disabled`.
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was na
Navigate to the UI Path articulated in the Remediation section and
This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions o
This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's
**Note:** This Group Policy path is provided by the Group Policy template `TerminalS
```
Computer Configuration\Policies\Administrative Templates\Windows Components\RS
```
Allowing attachmen
Users cannot set the Feed Sync Engi
The recommended state for this setting is: `Enabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This Group Policy path is provided by the Group Policy template `InetRes.ad
This section contains recommendations for Search settings.
To establish the recommended configuration via GP, set the following UI path to `Disa
Navigate to the UI Path articulated in the Remediation section and
This Group Policy section is provided by the Group Policy template `Search.admx/adml` that is included with all versions of
This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is r
Indexing and allowi
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was na
None - this is the default behavior.
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Se
```
The recommended state for this setting is: `Disabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SearchOCR.admx/adml` that is only included with the
**Note:** This Group Policy path is provided by the Group Policy template `Search.ad
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SecurityCenter.admx/adml` that is included with all ver
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Snis.admx/adml` that is only included with the Microso
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinInit.admx/adml` that is included with all versions of
This section contains recommendations related to the Software Protection Platform.
This Group Policy section is provided by the Group Policy template `SmartCard.admx/adml` that is included with all version
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AVSValidationGP.admx/adml` that is included with the
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SoundRec.admx/adml` that is included with all version
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Speech.admx/adml` that is included with the Microsoft
This Group Policy section is provided by the Group Policy template `WinStoreUI.admx/adml` that is included with the Micro
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SettingSync.admx/adml` that is included with the Micro
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TaskScheduler.admx/adml` that is included with all ver
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TextInput.admx/adml` that is only included with the Mic
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinCal.admx/adml` that is included with all versions o
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsColorSystem.admx/adml` that is included with
This section contains recommendations related to Windows Defender Antivirus.
To establish the recommended configuration via GP, set the following UI path to `Disa
This Group Policy section is provided by the Group Policy template `CEIPEnable.admx/adml` that is included with all versio
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with all
Navigate to the UI Path articulated in the Remediation section and
This policy setting turns off Windows Defender Antivirus. If the setting is configured to Disabled, Windows Defender Antiviru
It is important to ensure a current, updated antivirus product is scanning each computer for malicious file
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
**Note:** This section was originally named _Windows Defender_ but was renamed by Microsoft to _Windows Defender An
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
Organizations that choose to purchase a reputable 3rd-party antivirus solution may choose to exempt th
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This Group Policy path is provided by the Group Policy template `WindowsD
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
This section contains recommendations related to the Microsoft Active Protection Service (MAPS).
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
To establish the recommended configuration via GP, set the following UI path to `Disa
Navigate to the UI Path articulated in the Remediation section and
This policy setting configures a local override for the configuration to join Microsoft Active Protection Service (MAPS), whic
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
The decision on wh
None - this is the default behavior.
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
The recommended state for this setting is: `Disabled`.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
This section contains settings related to Real-time Protection.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
This policy setting allows you to configure behavior monitoring for Windows Defender Antivirus.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
When running an an
None - this is the default configuratio
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
The recommended state for this setting is: `Enabled`.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
This section contains settings related to Windows Defender Reporting.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
**Note:** This Group Policy path may not exist by default. It is provided by the Group
This section contains settings related to Windows Defender scanning.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
To establish the recommended configuration via GP, set the following UI path to `Ena
Navigate to the UI Path articulated in the Remediation section and
This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the conte
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
To establish the recommended configuration via GP, set the following UI path to `Ena
It is important to
Removable drives will be scanned du
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Enabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mai
Incoming e-mails s
E-mail scanning by Windows Defender
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
The recommended state for this setting is: `Enabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This Group Policy path may not exist by default. It is provided by the Group
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AppHVSI.admx/adml` that is included with the Microso
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ExploitGuard.admx/adml` that is included with the Micr
This section contains Windows Defender SmartScreen settings.
This Group Policy section is provided by the Group Policy template `WindowsDefenderSecurityCenter.admx/adml` that is in
To establish the recommended configuration via GP, set the following UI path to `Ena
This section contains recommendations for Explorer-related Windows Defender SmartScreen settings.
This Group Policy section is provided by the Group Policy template `SmartScreen.admx/adml` that is included with the Mic
Navigate to the UI Path articulated in the Remediation section and
The Group Policy settings contained within this section are provided by the Group Policy template `WindowsExplorer.admx
This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs s
Windows SmartScre
Users will be warned before they ar
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
The recommended state for this setting is: `Enabled: Warn and prevent bypass`.
This section contains recommendations related to Windows Error Reporting.
To establish the recommended configuration via GP, set the following UI path to `Disa
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This Group Policy path may not exist by default. It is provided by the Group
Navigate to the UI Path articulated in the Remediation section and
This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft autom
This Group Policy section is provided by the Group Policy template `ErrorReporting.admx/adml` that is included with all ver
Memory dumps may
All memory dumps are uploaded accord
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
The recommended state for this setting is: `Disabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This Group Policy path may not exist by default. It is provided by the Group
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section
Group Policy
contains
section
recommendations
is providedTo byestablish
related
the Grouptothe
Windows
Policy template
Error Reporting
recommended `ErrorReporting.admx/adml`
consent.
configuration via GP, set thethat is included
following withtoall
UI path ver
`Ena
accepted Navigate to the UI Path articulated in the Remediation section and
This setting
Group Policy
allowssection
you to set
is provided
the default
```
by consent
the Group handling
Policy template
for error reports.
`ErrorReporting.admx/adml` that is included with all ver
full Error reports may Computer Configuration\Policies\Administrative
``` None - thisTemplates\Windows
is the default behavior. Components\Win
The recommended
This section is intentionally
state forblank
this setting
and```exists
is: `Enabled:
to ensureAlways
the
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
structure
ask before
of Windows
sendingbenchmarks
data` is consistent.
accepted This section is intentionally blank and exists to ensure the ``` structure of Windows benchmarks is consistent.
This Group Policy section is provided**Note:**
by the GroupThis Group Policy path
Policy template is provided by the Group
`GameDVR.admx/adml` thatPolicy template
is included with`ErrorRepo
the Micros
This Group Policy section is provided by the Group Policy template `Passport.admx/adml` that is included with the Microso
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This section was initially named _Microsoft Passport for Work_ but was renamed by Microsoft to _Windows Hello
To establish the recommended configuration via GP, set the following UI path to `Disa
This section contains recommendations related to Windows Installer.
This Group Policy section is provided by the Group Policy template `WindowsInkWorkspace.admx/adml` that is included w
Navigate to the UI Path articulated in the Remediation section and
This setting controls whether or not Windows Installer should use system permissions when it installs any program on the
users are permitted to change installation options that typically are available only to system as
This Group Policy section is provided by the Group Policy template `MSI.admx/adml` that is included with all versions of
To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
In an enterprise m
None - this is the default behavior.
Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Disabled`.
**Note:** This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effe
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This Group Policy path is provided by the Group Policy template `MSI.admx
Users with limited
None - this is the default behavior.
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
**Caution:** If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges an
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
This section contains recommendations related to Windows Logon Options.
To establish the recommended configuration via GP, set the following UI path to `Disa
Navigate to the UI Path articulated in the Remediation section and
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was na
The recommended state for this setting is: `Disabled`.
This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restar
This Group Policy section is provided by the Group Policy template `WinLogon.admx/adml` that is included with all versions
**Note:** This Group Policy path is provided by the Group Policy template `MSI.admx
This group policy setting is backed by the following registry location
Disabling this fea
The device does no
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
The recommended state for this setting is: `Disabled`.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
This Group Policy section is provided by the Group Policy template `WindowsMail.admx/adml` that is only included with the
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MediaCenter.admx/adml` that is only included with the
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMediaDRM.admx/adml` that is included with
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMediaPlayer.admx/adml` that is included with
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsCollaboration.admx/adml` that is only include
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMessenger.admx/adml` that is included with a
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MobilePCMobilityCenter.admx/adml` that is included w
This section contains recommendations related to Windows PowerShell.
This Group Policy section is provided by the Group Policy template `MovieMaker.admx/adml` that is only included with the
To establish the recommended configuration via GP, set the following UI path to `Disa
This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event lo
Navigate to the UI Path articulated in the Remediation section and
This Group Policy section is provided by the Group Policy template `PowerShellExecutionPolicy.admx/adml` that is include
To establish the recommended configuration via GP, set the following UI path to `Disa
There are potentia
Logging of PowerShell script input is
The recommended state for this setting is: `Disabled`.
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts.
**Note:** In Microsoft's own hardening guidance, they recommend the opposite value, `Enabled`, because having this data
If this setting is
None - this is the default behavior.
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
The recommended state for this setting is: `Disabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This Group Policy path may not exist by default. It is provided by the Group
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
Group Policy
This section section
contains is provided**Note:**
recommendations by related This
the Group Group Policy
Policy template
to Windows Remotepath may not exist(WinRM).
by default.that
`RacWmiProv.admx/adml`
Management It is is
provided
includedbywith
the the
Group
Mic
This section contains recommendations related to the Windows Remote Management (WinRM) client.
This Group Policy section is provided by the Group Policy template `WindowsRemoteManagement.admx/adml` that is inclu
To establish the recommended configuration via GP, set the following UI path to `Disa
Navigate to the UI Path articulated in the Remediation section and
This policy setting allows you to manage whether Windows Remote Management (WinRM) client uses Basic authentica
This Group Policy section is provided by the Group Policy template `WindowsRemoteManagement.admx/adml` that is inclu
To establish the recommended configuration via GP, set the following UI path to `Disa
Basic authenticati
None - this is the default behavior.
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Disabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives u
To establish the recommended configuration via GP, set the following UI path to `Ena
Encrypting WinRM n
None - this is the default behavior.
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Disabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This Group Policy path is provided by the Group Policy template `WindowsR
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest au
Digest authenticat
The WinRM client will not use Digest
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
The recommended state for this setting is: `Enabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This Group Policy path is provided by the Group Policy template `WindowsR
This section contains recommendations related to the Windows Remote Management (WinRM) service.
To establish the recommended configuration via GP, set the following UI path to `Disa
Navigate to the UI Path articulated in the Remediation section and
This Group Policy section
policy setting is provided
allows you **Note:**
to managebyestablish
```
To the
whetherThisthe
Group Group
Policy
WindowsPolicyRemote
template
recommended path is Management
provided by viathe Group
`WindowsRemoteManagement.admx/adml`
configuration (WinRM)
GP, Policy
service
set the template
accepts
following UI path`WindowsR
thattois`Disa
Basic inclu
authe
full Basic authenticati Computer Configuration\Policies\Administrative
```
Navigate to the UI None - thisTemplates\Windows
is theindefault
Path articulated behavior.
the Remediation Components\Win
section and
The
This recommended state for
policy setting allows youthis setting
```
To is:
to manage `Disabled`.
whether
establish HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
the Windows
recommended Remote Management
configuration via (WinRM)
GP, set the service sends
following UI and
pathreceives
to `Ena
full This policy setting Encrypting
allows you to WinRM Computer
managen whether ```
Configuration\Policies\Administrative
```
the Windows
Navigate Remote
to the UI None
Management- thisTemplates\Windows
is
Path articulated theindefault
(WinRM) behavior.
theservice willComponents\Win
Remediation allowsection
RunAs andcre
The recommended state for this setting **Note:**
``` This Group
is: `Disabled`. Policy path is provided by the Groupwill
Policy
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
The WinRM service template
not allow the `WindowsR
RunAsUse
full The recommendedAlthough
state for the
thisabili
setting
Computer
is: `Enabled`. ```
Configuration\Policies\Administrative
``` Templates\Windows Components\Win
This section contains settings related``` **Note:**
to Windows ThisRemote
Group Policy path is provided by theisGroup Policy template
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
Shell (WinRS). If this setting later Disabled again, any`WindowsR
values
accepted **Note:** If you enable and then disable this policy setting, ``` any values that were previously configured for RunAsPassword
Group Policy
This section section isblank
is intentionally and**Note:**
provided by the to
exists This
Group
ensureGroup
Policy Policy path
template
the structure of may not exist by default.
`WindowsRemoteShell.admx/adml`
Windows benchmarks is It is provided
consistent.that isbyincluded
the Group with
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `SideShow.admx/adml` that is only included with the M…

This Group Policy section is provided by the Group Policy template `SystemResourceManager.admx/adml` that is only incl…

This section contains recommendations related to Windows Update. This Group Policy section is provided by the Group Policy template `WindowsUpdate.admx/adml` that is included with …

This policy setting specifies whether computers in your environment will receive security updates from Windows Update or… After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Upda…

- 2 - Notify for download and auto install _(Notify before downloading any updates)_
- 3 - Auto download and notify for install _(Download the updates automatically and notify when they are ready to be install…
- 4 - Auto download and schedule the install _(Automatically download updates and install them on the schedule specified…
- 5 - Allow local admin to choose setting _(Leave decision on above choices up to the local Administrators (Not Recommen…

The recommended state for this setting is: `Enabled`.

**Note:** The sub-setting "_Configure automatic updating:_" has 4 possible values – all of them are valid depending on spe…

**Note #2:** Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, …

Rationale: Although each vers…

Impact: Critical operating system updates and …

Audit: Navigate to the UI Path articulated in the Remediation section and …

Remediation: To establish the recommended configuration via GP, set the following UI path to `Enabled`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

**Note:** This Group Policy path is provided by the Group Policy template `WindowsUpdate.admx/adml` that is included with…

This policy setting specifies when computers in your environment will receive security updates from Windows Update or… Although each vers…

The recommended state for this setting is: `0 - Every day`.

**Note:** This setting is only applicable if `4 - Auto download and schedule the install` is selected in Rule 18.9.101.2. It will…

Audit: Navigate to the UI Path articulated in the Remediation section and …

Remediation: To establish the recommended configuration via GP, set the following UI path to `0 - Every day`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

**Note:** This Group Policy path is provided by the Group Policy template `WindowsU…`

This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on th… Some security upda…

The recommended state for this setting is: `Enabled`.

**Note:** This setting applies only when you configure Automatic Updates to perform scheduled update installations. If the …

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was in…

Audit: Navigate to the UI Path articulated in the Remediation section and …

Remediation: To establish the recommended configuration via GP, set the following UI path to `Enabled`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win…
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

**Note:** This Group Policy path is provided by the Group Policy template `WindowsU…`

… The recommended state for this setting is: `Disabled`.

Impact: None - this is the default behavior.

Remediation: To establish the recommended configuration via GP, set the following UI path to `Disa…`

**Note:** This Group Policy path is provided by the Group Policy template `WindowsUpdate.admx/adml` that is included with…

**Note:** This section was initially named _Defer Updates_ but was renamed by Microsoft to _Windows Update…

This section contains user-based recommendations from Group Policy Administrative Templates (ADMX).
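The WinRM and Windows Update entries above are audited by reading the policy keys that Group Policy writes. The following PowerShell script is an added example for this page, not code from the CIS benchmark: it checks every WinRM client/service value and the three Windows Update values from the entries above in one pass. The full key paths and value names (`WinRM\Client\AllowBasic`, `WindowsUpdate\AU\NoAutoUpdate`, and so on) are taken from the Microsoft ADMX templates as the author knows them; the page itself shows those paths only in truncated form, so treat them as stated assumptions.

```powershell
# Added audit example; this is not code from the CIS benchmark document above.
# Key paths and value names come from the WindowsRemoteManagement.admx and
# WindowsUpdate.admx templates as the author knows them (the document shows the
# registry paths only in truncated form), so treat them as stated assumptions.
# Run in an elevated PowerShell session on the server being audited.

$policyChecks = @(
    # Windows Remote Management (WinRM) client
    @{ Area = 'WinRM client';  Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
       Name = 'AllowBasic';              Expect = 0; Setting = 'Allow Basic authentication: Disabled' }
    @{ Area = 'WinRM client';  Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
       Name = 'AllowUnencryptedTraffic'; Expect = 0; Setting = 'Allow unencrypted traffic: Disabled' }
    @{ Area = 'WinRM client';  Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
       Name = 'AllowDigest';             Expect = 0; Setting = 'Disallow Digest authentication: Enabled' }
    # WinRM service
    @{ Area = 'WinRM service'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
       Name = 'AllowBasic';              Expect = 0; Setting = 'Allow Basic authentication: Disabled' }
    @{ Area = 'WinRM service'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
       Name = 'AllowUnencryptedTraffic'; Expect = 0; Setting = 'Allow unencrypted traffic: Disabled' }
    @{ Area = 'WinRM service'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
       Name = 'DisableRunAs';            Expect = 1; Setting = 'Disallow WinRM from storing RunAs credentials: Enabled' }
    # Windows Update: "Configure Automatic Updates: Enabled" writes NoAutoUpdate = 0
    @{ Area = 'Windows Update'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Name = 'NoAutoUpdate';                  Expect = 0; Setting = 'Configure Automatic Updates: Enabled' }
    @{ Area = 'Windows Update'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Name = 'ScheduledInstallDay';           Expect = 0; Setting = 'Scheduled install day: 0 - Every day' }
    @{ Area = 'Windows Update'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Name = 'NoAutoRebootWithLoggedOnUsers'; Expect = 1; Setting = 'No auto-restart with logged on users: Enabled' }
)

function Test-MachinePolicyValue {
    param([string]$Key, [string]$Name, [int]$Expect)
    # A missing key or value means the policy is Not Configured. The OS default may
    # still match the benchmark (the "None - this is the default behavior" cases),
    # but nothing enforces it, so report that separately from a wrong value.
    if (-not (Test-Path -Path $Key)) { return 'NotConfigured (key absent)' }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured (value absent)' }
    $actual = [int]$item.$Name
    if ($actual -eq $Expect) { 'Compliant' } else { "NonCompliant (actual=$actual)" }
}

$report = foreach ($c in $policyChecks) {
    [pscustomobject]@{
        Area     = $c.Area
        Setting  = $c.Setting
        Value    = $c.Name
        Expected = $c.Expect
        Status   = Test-MachinePolicyValue -Key $c.Key -Name $c.Name -Expect $c.Expect
    }
}

$report | Format-Table -AutoSize

# The policy keys show what Group Policy wrote; the WSMan: drive shows what WinRM
# is actually using right now (only available while the WinRM service is running).
$winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
if ($winrm -and $winrm.Status -eq 'Running') {
    Get-ChildItem -Path WSMan:\localhost\Client\Auth, WSMan:\localhost\Service\Auth |
        Format-Table PSParentPath, Name, Value -AutoSize
}
```

Two readings matter when interpreting the table. `NotConfigured` on the four "Disabled" WinRM rows is the shipped default and therefore not an exposure today, but it is not enforced either, which is why the benchmark still wants the policy set. A `NonCompliant` on `AllowUnencryptedTraffic` or `AllowBasic` is the one to chase first: Basic authentication over an unencrypted WinRM listener sends the credential in a base64-encoded header that any on-path observer can read.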
This section contains recommendations for Control Panel settings.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions …

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `AddRemovePrograms.admx/adml` that is included with …

This section contains recommendations for personalization settings. This Group Policy section is provided by the Group Policy template `ControlPanelDisplay.admx/adml` that is included with …

**Note:** This section was initially named _Desktop Themes_ but was renamed by Microsoft to _Personalization_ starting w…

This policy setting enables/disables the use of desktop screen savers. If a user forgets t…

The recommended state for this setting is: `Enabled`.

Impact: The screen saver will automatically a…

Audit: Navigate to the UI Path articulated in the Remediation section and …

Remediation: To establish the recommended configuration via GP, set the following UI path to `Enabled`:

```
User Configuration\Policies\Administrative Templates\Control Panel\Personalization\E…
```

```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window…
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group Policy template `ControlPa…`

This policy setting specifies the screen saver for the user's desktop. … A screen saver runs, starting th… If a user forgets t…

The recommended state for this setting is: `Enabled: scrnsave.scr`.

Impact: The system displays the specified sc…

**Note:** If the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored.

Audit: Navigate to the UI Path articulated in the Remediation section and …

Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena…`

```
User Configuration\Policies\Administrative Templates\Control Panel\Personalization\F…
```

```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window…
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group Policy template `ControlPa…`

This setting determines whether screen savers used on the computer are password protected. If a user forgets t…

The recommended state for this setting is: `Enabled`.

Impact: All screen savers are password prote…

Audit: Navigate to the UI Path articulated in the Remediation section and …

Remediation: To establish the recommended configuration via GP, set the following UI path to `Enabled`:

```
User Configuration\Policies\Administrative Templates\Control Panel\Personalization\P…
```

```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window…
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group Policy template `ControlPa…`

This setting specifies how much user idle time must elapse before the screen saver is launched. If a user forgets t…

The recommended state for this setting is: `Enabled: 900 seconds or fewer, but not 0`.

**Note:** This setting has no effect under the following circumstances:

- The wait time is set to zero.
- The "Enable Screen Saver" setting is disabled.
- A valid existing screen saver is not selected manually or via the "Screen saver executable name" setting.

Audit: Navigate to the UI Path articulated in the Remediation section and …

Remediation: To establish the recommended configuration via GP, set the following UI path to `Ena…`

```
User Configuration\Policies\Administrative Templates\Control Panel\Personalization\S…
```

```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window…
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group Policy template `ControlPa…`

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions …

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions …
This Group Policy section is provided by the Group Policy template `SharedFolders.admx/adml` that is included with all ver…

This section contains recommendations for Start Menu and Taskbar settings. This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions …

This section contains recommendations for Notification settings. This Group Policy section is provided by the Group Policy template `WPN.admx/adml` that is included with the Microsoft W…

This policy setting turns off toast notifications on the lock screen. While this feature …

The recommended state for this setting is: `Enabled`.

Impact: Applications will not be able to raise …

Audit: Navigate to the UI Path articulated in the Remediation section and …

Remediation: To establish the recommended configuration via GP, set the following UI path to `Enabled`:

```
User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Notific…
```

```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window…
```

This section contains recommendations for System settings.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions … **Note:** This Group Policy path may not exist by default. It is provided by the Group …

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `CtrlAltDel.admx/adml` that is included with all versions …

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `DeviceInstallation.admx/adml` that is included with all …

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `FolderRedirection.admx/adml` that is included with all …

This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with all versio…

This section contains recommendations related to Internet Communication Management. This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions …

This section contains recommendations related to Internet Communication settings. This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions …

This section contains recommendations for Windows Component settings. This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions …

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `WindowsAnytimeUpgrade.admx/adml` that is included …

**Note:** This section was initially named _Windows Anytime Upgrade_ but was renamed by Microsoft to _Add features to…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `AppXRuntime.admx/adml` that is included with the Mic…

This Group Policy section is provided by the Group Policy template `AppCompat.admx/adml` that is included with all versio…

This section contains recommendations related to Attachment Manager. This Group Policy section is provided by the Group Policy template `AttachmentManager.admx/adml` that is included with a…
This policy setting allows you to manage whether Windows marks file attachments with information about their zone of orig… A file that is dow…

The recommended state for this setting is: `Disabled`.

Impact: None - this is the default behavior.

**Note:** The Attachment Manager feature warns users when opening or executing files which are marked as being from a…

Audit: Navigate to the UI Path articulated in the Remediation section and …

Remediation: To establish the recommended configuration via GP, set the following UI path to `Disabled`:

```
User Configuration\Policies\Administrative Templates\Windows Components\Attachm…
```

```
HKEY_USERS\[USER SID]\SOFTWARE\Microsoft\Windows\Curre…
```

**Note:** This Group Policy path is provided by the Group Policy template `Attachmen…`

This policy setting manages the behavior for notifying registered antivirus programs. If multiple programs are registered, the… Antivirus programs …

The recommended state for this setting is: `Enabled`.

Impact: Windows tells the registered antiviru…

**Note:** An updated antivirus program must be installed for this policy setting to function properly.

Audit: Navigate to the UI Path articulated in the Remediation section and …

Remediation: To establish the recommended configuration via GP, set the following UI path to `Enabled`:

```
User Configuration\Policies\Administrative Templates\Windows Components\Attachm…
```

```
HKEY_USERS\[USER SID]\SOFTWARE\Microsoft\Windows\Curre…
```

**Note:** This Group Policy path is provided by the Group Policy template `Attachmen…`
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `AutoPlay.admx/adml` that is included with all versions …

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `UserDataBackup.admx/adml` that is included only with …

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `CloudContent.admx/adml` that is included with the Mic…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `CredUI.admx/adml` that is included with the Microsoft …

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `DataCollection.admx/adml` that is included with the Mi…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `Sidebar.admx/adml` that is included with the Microsoft …

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `DWM.admx/adml` that is included with all versions of t…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `DigitalLocker.admx/adml` that is included with all versi…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `EdgeUI.admx/adml` that is included with the Microsoft …

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions …

**Note:** This section was initially named _Windows Explorer_ but was renamed by Microsoft to _File Explorer_ starting wi…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `FileRevocation.admx/adml` that is included with the M…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `EAIME.admx/adml` that is included with the Microsoft …

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `CaptureWizard.admx/adml` that is only included with t…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `WordWheel.admx/adml` that is included with all versio…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions o…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `Sensors.admx/adml` that is included with the Microsof…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `MicrosoftEdge.admx/adml` that is included with the Mi…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `MMC.admx/adml` that is included with all versions of t…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `UserExperienceVirtualization.admx/adml` that is includ…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `Conf.admx/adml` that is included with all versions of th…

This Group Policy section is provided by the Group Policy template `NetworkProjection.admx/adml` that is only included wi…

This section contains recommendations related to Network Sharing. This Group Policy section is provided by the Group Policy template `Sharing.admx/adml` that is included with all versions …

This policy setting determines whether users can share files within their profile. By default, users are allowed to share files o… If not properly co…

The recommended state for this setting is: `Enabled`.

Impact: Users cannot share files within their …

Audit: Navigate to the UI Path articulated in the Remediation section and …

Remediation: To establish the recommended configuration via GP, set the following UI path to `Enabled`:

```
User Configuration\Policies\Administrative Templates\Windows Components\Network …
```

```
HKEY_USERS\[USER SID]\SOFTWARE\Microsoft\Windows\Curre…
```

**Note:** This Group Policy path is provided by the Group Policy template `Sharing.ad…`

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `MobilePCPresentationSettings.admx/adml` that is inclu…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve…

**Note:** This section was initially named _Terminal Services_ but was renamed by Microsoft to _Remote Desktop Service…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions o…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `Search.admx/adml` that is included with the Microsoft …

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `SoundRec.admx/adml` that is included with all version…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `WinStoreUI.admx/adml` that is included with the Micro…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions …

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `TaskScheduler.admx/adml` that is included with all ver…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `WinCal.admx/adml` that is included with all versions o…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `WindowsColorSystem.admx/adml` that is included with …

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `SmartScreen.admx/adml` that is included with the Mic…

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `ErrorReporting.admx/adml` that is included with all ver…

This Group Policy section is provided by the Group Policy template `Passport.admx/adml` that is included with the Microso…
**Note:** This section was initially named _Microsoft Passport for Work_ but was renamed by Microsoft to _Windows Hello …

This section contains recommendations related to Windows Installer. This Group Policy section is provided by the Group Policy template `MSI.admx/adml` that is included with all versions of the …

This setting controls whether or not Windows Installer should use system permissions when it installs any program on the s… Users with limited …

**Note:** This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effe…

**Caution:** If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges an…

The recommended state for this setting is: `Disabled`.

Impact: None - this is the default behavior.

Audit: Navigate to the UI Path articulated in the Remediation section and …

Remediation: To establish the recommended configuration via GP, set the following UI path to `Disabled`:

```
User Configuration\Policies\Administrative Templates\Windows Components\Window…
```

```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window…
```

**Note:** This Group Policy path is provided by the Group Policy template `MSI.admx…`

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `WinLogon.admx/adml` that is included with all versions …

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `WindowsMail.admx/adml` that is only included with the …

This Group Policy section is provided by the Group Policy template `MediaCenter.admx/adml` that is only included with the …

This section contains recommendations related to Windows Media Player. This Group Policy section is provided by the Group Policy template `WindowsMediaPlayer.admx/adml` that is included with …

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. This Group Policy section is provided by the Group Policy template `WindowsMediaPlayer.admx/adml` that is included with …

This section contains recommendations related to Windows Media Player playback. This Group Policy section is provided by the Group Policy template `WindowsMediaPlayer.admx/adml` that is included with …
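The user-scope entries in this part of the page (the four Personalization screen saver settings, the lock-screen toast setting, the two Attachment Manager settings, Network Sharing, and the Windows Installer "elevated privileges" setting) all live under `HKEY_USERS\[USER SID]\...`, which means a machine-wide audit has to walk every loaded user hive rather than read one key. The script below is an added example written for this page, not code from the CIS benchmark. The value names (`ScreenSaveActive`, `SaveZoneInformation`, `AlwaysInstallElevated`, and so on) are taken from the corresponding Microsoft ADMX templates as the author knows them; the page shows these registry paths only in truncated form, so they are assumptions here.

```powershell
# Added audit example; not code from the CIS benchmark document above.
# Value names come from the ControlPanelDisplay, WPN, AttachmentManager, Sharing
# and MSI ADMX templates as the author knows them; the document shows the
# HKEY_USERS\[USER SID]\... paths only in truncated form, so treat them as assumptions.
# Run elevated. Only hives of users who are logged on (or whose NTUSER.DAT has been
# loaded with "reg.exe load") are present under HKEY_USERS.

$userChecks = @(
    @{ Sub = 'SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop'; Name = 'ScreenSaveActive'
       Test = { param($v) "$v" -eq '1' };                       Setting = 'Enable screen saver: Enabled' }
    @{ Sub = 'SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop'; Name = 'SCRNSAVE.EXE'
       Test = { param($v) "$v" -ieq 'scrnsave.scr' };           Setting = 'Force specific screen saver: scrnsave.scr' }
    @{ Sub = 'SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop'; Name = 'ScreenSaverIsSecure'
       Test = { param($v) "$v" -eq '1' };                       Setting = 'Password protect the screen saver: Enabled' }
    @{ Sub = 'SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop'; Name = 'ScreenSaveTimeOut'
       Test = { param($v) ([int]$v -ge 1) -and ([int]$v -le 900) }; Setting = 'Screen saver timeout: 900 seconds or fewer, but not 0' }
    @{ Sub = 'SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications'; Name = 'NoToastApplicationNotificationOnLockScreen'
       Test = { param($v) $v -eq 1 };                            Setting = 'Turn off toast notifications on the lock screen: Enabled' }
    @{ Sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments'; Name = 'SaveZoneInformation'
       Test = { param($v) $v -eq 2 };                            Setting = 'Do not preserve zone information in file attachments: Disabled' }
    @{ Sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments'; Name = 'ScanWithAntiVirus'
       Test = { param($v) $v -eq 3 };                            Setting = 'Notify antivirus programs when opening attachments: Enabled' }
    @{ Sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoInplaceSharing'
       Test = { param($v) $v -eq 1 };                            Setting = 'Prevent users from sharing files within their profile: Enabled' }
    @{ Sub = 'SOFTWARE\Policies\Microsoft\Windows\Installer'; Name = 'AlwaysInstallElevated'
       Test = { param($v) $v -eq 0 };                            Setting = 'Always install with elevated privileges: Disabled' }
)

# Real user hives are S-1-5-21-<domain>-<RID>; skip the service-account hives
# (S-1-5-18/19/20) and the *_Classes views, which carry no policy values.
$userSids = Get-ChildItem -Path Registry::HKEY_USERS |
    ForEach-Object { $_.PSChildName } |
    Where-Object { $_ -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

$report = foreach ($sid in $userSids) {
    foreach ($c in $userChecks) {
        $key  = "Registry::HKEY_USERS\$sid\$($c.Sub)"
        $item = Get-ItemProperty -Path $key -Name $c.Name -ErrorAction SilentlyContinue
        $status = if ($null -eq $item) {
            'NotConfigured'                      # no policy value written for this user
        } elseif (& $c.Test $item.($c.Name)) {
            'Compliant'
        } else {
            "NonCompliant (actual=$($item.($c.Name)))"
        }
        [pscustomobject]@{ SID = $sid; Setting = $c.Setting; Status = $status }
    }
}

$report | Sort-Object SID, Setting | Format-Table -AutoSize

# AlwaysInstallElevated only becomes a privilege escalation when the machine-wide
# value is also 1: then any user can run an MSI as LocalSystem, which is the risk the
# benchmark's Caution describes. Check the HKLM side as well.
$hklm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' `
                         -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue
if ($hklm -and $hklm.AlwaysInstallElevated -eq 1) {
    Write-Warning 'HKLM AlwaysInstallElevated = 1; with a per-user value of 1 this lets standard users install MSI packages as SYSTEM.'
}
```

The screen saver values are written as strings (REG_SZ), which is why those tests compare `"$v"` rather than integers, while the Attachment Manager, sharing and Installer values are DWORDs. A `NotConfigured` result for every SID usually means the user-side GPO has not applied yet (or the user has never logged on); `gpresult /r /scope:user` on the box tells you which.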
notes CIS controls CCE-ID references
urthe
organization
use of ALTuses
key character
either the combinations
TITLE:Ensure
can
Work
greatly
CCE-36286-3
enhance the complexity of a password. However, such stringent password requirements can result
sugh it may
policy seem
setting like a good
is enabled, idea
TITLE:Configure
a locked-out ACCE-37034-6
account will not be usable until it is reset by an administrator or until the account lockout duration expires. This setti
benchmarks is consistent.
uost casesthis
revoke there willright,
user be nonoimpactTITLE:Minimize AnCCE-35823-4
one will be able to debug programs. However, typical circumstances rarely require this capability on production computers. If a p
us configure
that are used to manage
the **Deny processes
access will be unable
toTITLE:Account to affect processes that are not owned by the person who runs the tools. For example, the Windows Se
MoCCE-37954-5
u assign the **Deny log on as a batch job** user right to other accounts, you could deny users who are assigned to specific administrative roles the ability to
TITLE:Account MoCCE-36923-1
xample, if you assign this user right to the `IWAM_`_(ComputerName)_ account, the MSM Management Point will fail. On a newly installed computer that r
u assign the **Deny log on as a TITLE:Account MoCCE-36877-9
benchmarks is consistent.
ability to create or delete trust relationships with clients running versions of Windows earlier than Windows NT 4.0 with SP6a will be disabled.
ons from clients running versions TITLE:Data
of WindowsProte
earlier
CCE-36142-8
than Windows NT 4.0 with SP6a will be disabled.
ability to authenticate other domains' users from a Domain Controller running a version of Windows earlier than Windows NT 4.0 with SP6a in a trusted do
e - this is the default behavior. TITLE:Data Prote CCE-37130-2
can enable this policy setting after you eliminate all Windows 9x clients from the domain and upgrade all Windows NT 4.0 servers and Domain Controllers f
e - this is the default behavior. TITLE:Data Prote CCE-37222-7
rcing
- thisthis
eWindows setting
2000
is the on computers
Server,
default Windowsused
behavior. 2000 byProfessional,
people who must log onto
Windows multiple
Server 2003,computers
Windows XP in order to perform
Professional andtheir duties Vista
Windows couldimplementations
be frustrating andoflower product
the SMB file
TITLE:Data Prote CCE-36325-9
ementation
Windows 2000 of SMB signing
Server, may negatively
Windows affect performance,
2000 Professional, because
Windows Server each
2003, packet needs
Windows to be signed
XP Professional and
and verified.Vista
Windows If these settings are enabled
implementations on afile
of the SMB ser
TITLE:Data Prote CCE-36269-9
n -SMB
ementation
e this issigning policies
theofdefault
SMB are may
signing enabled
behavior. on Domain
negatively affectControllers running
performance, Windows
because eachServer
packet2003
needs and member
to be signedcomputers running
and verified. Windows
If these settingsVista SP1 or Windows
are enabled on a ser
TITLE:Data Prote CCE-37863-8
n very
e SMBold signing policies and
applications are enabled
operatingonsystems
Domainsuch
Controllers running
as MS-DOS, Windows
Windows forServer 2003 and
Workgroups member
3.11, computers
and Windows 95arunning
may notWindows
be able toVista SP1 or Windows
communicate with th
Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing.
e will be little impact because SMTITLE:Secure ConfCCE-38046-9
Windows network
Microsoft 2000 Server,
serverWindows 2000 Professional,
will negotiate Windows
SMB packet signing as Server 2003,
requested by Windows
the client.XP Professional
That is, if packetand Windows
signing Vistaenabled
has been implementations of the
on the client, SMB sign
packet file
TITLE:Data Prote CCE-37864-6
ementation
Windows 2000 of SMB signing
Server, may negatively
Windows affect performance,
2000 Professional, because
Windows Server each
2003, packet needs
Windows to be signed
XP Professional and
and verified.Vista
Windows If these settings are enabled
implementations on afile
of the SMB ser
TITLE:Data Prote CCE-35988-5
n SMB signing
ementation policies
of SMB are may
signing enabled on Domain
negatively affectControllers running
performance, Windows
because eachServer
packet2003
needsand member
to be signedcomputers running
and verified. Windows
If these settingsVista SP1 or Windows
are enabled on a ser
e - this is the default behavior. I TITLE:Account MoCCE-37972-7
n SMB signing policies are enabled on Domain Controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows
e - this is the default behavior.
session access over null sessio
TITLE:Implement N CCE-38258-0
If you choose to enable this setting and are supporting Windows NT 4.0 domains, you should check if any of the named pipe
e - this is the default behavior. However, if you remove the default registry paths from the list of accessible ones, remote management tools such as the Mic
MNAP: SNA session access
TITLE:Controlled CCE-37194-8
e:** If you want to allow remote access, you must also enable the Remote Registry service.
MNODE: SNA session access
e - this is the default behavior. However, if you remove the default registry paths from the list of accessible ones, remote management tools such as the Mic
L\\QUERY: SQL instance access
TITLE:Controlled CCE-36347-3
e:** If you want to allow remote access, you must also enable the Remote Registry service.
OOLSS: Spooler service
SRPC: License Logging service
TITLE:Controlled CCE-36021-4
TLOGON: Net Logon service
ARPC: LSA access
e - this is the default behavior.
TITLE:Controlled CCE-38095-6
MR: Remote access to SAM objects
OWSER: Computer Browser service
e - this is the default configurat
TITLE:Controlled CCE-37623-6
ous to the release of Windows Server 2003 with Service Pack 1 (SP1) these named pipes were allowed anonymous access by default, but with the increas
ces running as Local System tha
TITLE:Account Mo CCE-38341-4
benchmarks is consistent.
e - this is the default behavior.
TITLE:Leverage Hos CCE-36062-8
nt audit policy.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
gs.
nelDisplay.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
u enable this setting, users will no longer be abl
CCE-38347-1
dmx/adml` that is included with LAPS.
ecurity Guide.
you enable SEHOP, existing ver
TITLE:Enable Anti-exploitation Features (i.e. DEP, ASLR, EMET) CONTROL:8.4 DESCRIPTION:Enable anti-exploitation f
y.admx/adml` that is available from this TechNet blog post: [The MSS settings – Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/sec
e - this is the default behavior.
TITLE:Account Mo CCE-37067-6
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
erCaching.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
cy.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
h.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
rver.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
orkstation.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
ings.
Services settings.
TopologyDiscovery.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
onnections.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
s cannot create or configure a N
TITLE:Minimize An CCE-38002-2
rewall.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
d by Microsoft to _Windows Defender Firewall_ starting with the Microsoft Windows 10 Release 1709 Administrative Templates.
x/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
olation.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
s.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
x/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
eOrder.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
ngs.
onnectNow.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
x/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
e - this is the default behavior.
TITLE:Boundary CCE-38338-0
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
dmx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
gs.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
e - this is the default behavior.
TITLE:Encrypt/Hash CCE-36925-6
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
host will support the _Restric
TITLE:Account Monitoring and Control CONTROL:16 DESCRIPTION:Account Monitoring and Control;
ard.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
allation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
irection.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
che.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
mx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ation settings.
allation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
chAM.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
e - this is the default behavior.
TITLE:Malware D CCE-37912-3
Storage.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
VSSAgent.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
rVSSProvider.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
d by Microsoft to _Filesystem_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
rection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
tings.
cy.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
p Policies will be reapplied eve
TITLE:Deploy Syst CCE-36169-1
cyPreferences.admx/adml` that is included with the Microsoft Windows Server 2008 (non-R2) Administrative Templates (or newer).
nagement.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ngs.
drivers cannot be downloaded over HTTP.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
TITLE:Inventory CCE-36625-2
e:** This policy setting does not prevent the client computer from printing to printers on the intranet or the Internet over HTTP. It only prohibits downloading
ows is prevented from downloadin
TITLE:Email and CCE-36096-6
client computer will not be able to print to Internet printers over HTTP.
TITLE:Assess DataCCE-36920-7
e:** This policy setting affects the client side of Internet printing only. Regardless of how it is configured, a computer could act as an Internet Printing serve
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
creen.
on.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
PC's network connectivity state
TITLE:Controlled CCE-38353-9
cy.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
CPL.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
dmx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
mx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
mode.
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior.
TITLE:Ensure Work CCE-36881-1
dmx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
sistance.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior.
TITLE:Limit Open CCE-36388-7
eStorage.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ager.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
alth.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
stics.
store.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ery.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ostic.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ostic Tool.
x/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
covery.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
dmx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
ceDiagnostics.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
rack.
ostic.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
cePerftrack.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
es.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
leProtection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
dmx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
y.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
me.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
ows Store apps that typically requ
TITLE:Configure Ac CCE-38354-7
at.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Play will not be allowed for MTP
TITLE:Limit Use O CCE-37636-8
ackup.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 Release 1511 Administrative Templates (except for the
.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
cryption.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
dmx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
ent.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
splay.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
password reveal button will not
TITLE:Account Mo CCE-37534-5
dmx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
ptimization.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
mx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
x/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
mpat.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
Join.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
igation Experience Toolkit (EMET).
by Microsoft to _Device Registration_ starting with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates.
er.admx/adml` that is included with Microsoft EMET.
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
mx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
ws an enterprise to apply exploit mitigations to applications that run on Windows. Many of these mitigations were later coded directly into Windows 10 and S
Windows server OSes prior to Server 2016, it is highly recommended that compatibility testing is done on typical server configurations (including all CIS-reco
nel\Program\Programs and Featu
TITLE:Enable Anti-exploitation Features (i.e. DEP, ASLR, EMET) CONTROL:8.4 DESCRIPTION:Enable anti-exploitation f
we only recommend using it with 64-bit OSes.
advanced mitigations available in
TITLE:Enable Anti CCE-38427-1
July 31, 2018. This does not mean the software will stop working, only that Microsoft will not update it any further past that date, nor troubleshoot new prob
T mitigations will be applied to I
TITLE:Enable Anti CCE-38428-9
arding.admx/adml` that is included with the Microsoft Windows Server 2008 (non-R2) Administrative Templates (or newer).
og.
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior.
n event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest ent
TITLE:Ensure Audit CCE-37775-4
ly, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated m
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior.
n event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest ent
TITLE:Ensure Audit CCE-37145-0
ly, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated m
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior.
n event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest ent
TITLE:Ensure Audit CCE-38276-2
ly, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated m
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior.
n event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest ent
TITLE:Ensure Audit CCE-36160-0
dxplorer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
by Microsoft to _Family Safety_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
ed - this is the default behavior.
by Microsoft to _File Explorer_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
TITLE:Enable Anti CCE-37809-1
ersions.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
mx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
orer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
g.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
mx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
zard.admx/adml` that is only included with the Microsoft Windows Vista and Windows Server 2008 (non-R2) Administrative Templates.
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
dml` that is included with all versions of the Microsoft Windows Administrative Templates.
dmx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
oviderAdm.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
x/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
dge.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
dmx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
dential.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
ienceVirtualization.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
c.admx/adml` that is only included with the Microsoft Windows Server 2008 (non-R2) through the Windows 8.1 Update & Server 2012 R2 Update Administr
ojection.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Update Administrative Tem
up Policy template `SkyDrive.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
s can't access OneDrive from the OneDrive app and file picker. Windows Store apps can't access OneDrive using the `WinRT` API. OneDrive doesn't appe
osoft to _OneDrive_ starting with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates.
TITLE:Data Prote CCE-36939-7
se:** If your organization uses Office 365, be aware that this setting will prevent users from saving files to OneDrive/SkyDrive.
can't access OneDrive from the OneDrive app and file picker. Windows Store apps can't access OneDrive using the `WinRT` API. OneDrive doesn't appe
TITLE:Data Prote CCE-36939-7
e:** If your organization uses Office 365, be aware that this setting will prevent users from saving files to OneDrive/SkyDrive.
upport.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Update Administrative Templates.
ot.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
PresentationSettings.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
tall.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
d by Microsoft to _Remote Desktop Services_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Microsoft to _RD Licensing_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
ient.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
password saving checkbox will be
TITLE:Automaticall CCE-36223-6
erver.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
by Microsoft to _Remote Desktop Session Host_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
p Session Host.
erver-Server.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
ost Device and Resource Redirection.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
redirection will not be possible
TITLE:Data Prote CCE-36509-8
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
amed by Microsoft to _RD Connection Broker_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
ost Security.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
s cannot automatically log on to
TITLE:Encrypt/Hash CCE-37929-7
ost Session Temporary folders.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior.
TITLE:Protect Info CCE-37946-1
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
s cannot set the Feed Sync Engi
TITLE:Uninstall/Di CCE-37126-0
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior.
TITLE:Assess Data CCE-38277-0
R.admx/adml` that is only included with the Microsoft Windows 7 & Server 2008 R2 through the Windows 10 Release 1511 Administrative Templates.
nter.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
orm.
tionGP.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
mx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
I.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates, or by the Group Policy template `WindowsStore
c.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
duler.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
admx/adml` that is only included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates and Microsoft Windows 10 Release 1511 A
olorSystem.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
efender.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior.
med by Microsoft to _Windows Defender Antivirus_ starting with the Microsoft Windows 10 Release 1703 Administrative Templates.
TITLE:Deploy Autom CCE-36082-6
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
ervice (MAPS).
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
e - this is the default behavior.
TITLE:Malware D CCE-36940-5
efender.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
e - this is the default configuratio
TITLE:Deploy Autom CCE-38389-3
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
ovable drives will be scanned duTITLE:Data Prote CCE-38409-9
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
benchmarks is consistent.
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
benchmarks is consistent.
efender.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.
admx/adml`
benchmarksthat
is is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
consistent.
rd.admx/adml`
benchmarks isthat is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
consistent.
efenderSecurityCenter.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
ren.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
SmartScreen settings.
up Policy template `WindowsExplorer.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
s will be warned before they ar TITLE:Inventory CCE-35859-8
rting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
emory dumps are uploaded accord TITLE:Data Prote CCE-36978-5
benchmarks is consistent.
rting.admx/adml`
nsent. that is included with all versions of the Microsoft Windows Administrative Templates.
rting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Data Prote CCE-37112-0
benchmarks is consistent.
benchmarks is consistent.
.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
dmx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.
as renamed by Microsoft to _Windows Hello for Business_ starting with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates.
kWorkspace.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Minimize AnCCE-36400-0
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Disable this polic TITLE:Ensure Work CCE-36977-7
benchmarks is consistent.
ail.admx/adml`
benchmarks is that is only included with the Microsoft Windows Vista through the Windows 10 Release 1703 Administrative Templates.
consistent.
er.admx/adml`
benchmarks isthat is only included with the Microsoft Windows Vista through Windows 10 Release 1511 Administrative Templates.
consistent.
ediaDRM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
ediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
ollaboration.admx/adml` that is only included with the Microsoft Windows Vista and Server 2008 (non-R2) Administrative Templates.
benchmarks is consistent.
essenger.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
MobilityCenter.admx/adml`
benchmarks is consistent.that is included with all versions of the Microsoft Windows Administrative Templates.
er.admx/adml` that is only included with the Microsoft Windows Vista and Server 2008 (non-R2) Administrative Templates.
lExecutionPolicy.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
ing of PowerShell script input is TITLE:Automatically Log Off Users After Standard Period Of Inactivity CONTROL:16.4 DESCRIPTION:Regularly monitor t
e - this is the default behavior. TITLE:Automatically Log Off Users After Standard Period Of Inactivity CONTROL:16.4 DESCRIPTION:Regularly monitor t
benchmarks is consistent.
ov.admx/adml`
ent (WinRM). that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
emoteManagement.admx/adml`
gement (WinRM) client. that is included with all versions of the Microsoft Windows Administrative Templates.
emoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:User/Accoun
CCE-36310-1
emoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:User/Accoun
CCE-36254-1
emoteShell.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
admx/adml` that is only included with the Microsoft Windows Vista Administrative Templates through Microsoft Windows 8.0 & Server 2012 (non-R2) Admi
benchmarks is consistent.
sourceManager.admx/adml` that is only included with the Microsoft Windows Vista through Windows 8.0 & Server 2012 (non-R2) Administrative Templates
pdate.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
al operating system updates andTITLE:Use Automat CCE-36172-5
e benchmarks
- this is the default behavior.
is consistent. TITLE:Use Automat
CCE-37027-0
pdate.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
enamed
trative Templates
by Microsoft
(ADMX).
to _Windows Update for Business_ starting with the Microsoft Windows 10 Release 1709 Administrative Templates.
dmx/adml`
benchmarksthat
is is included with all versions of the Microsoft Windows Administrative Templates.
consistent.
vePrograms.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
nelDisplay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
nelDisplay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
deen
by Microsoft to provided
saver runs, _Personalization_ starting withWork
that thTITLE:Ensure theCCE-37970-1
Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
dmx/adml`
benchmarksthat
is is included with all versions of the Microsoft Windows Administrative Templates.
consistent.
dmx/adml`
benchmarksthat
is is included with all versions of the Microsoft Windows Administrative Templates.
consistent.
ders.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
x/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
cations will not be able to raise TITLE:Ensure WorkCCE-36332-5
dmx/adml`
benchmarksthat
is is included with all versions of the Microsoft Windows Administrative Templates.
consistent.
admx/adml`
benchmarksthat is included with all versions of the Microsoft Windows Administrative Templates.
is consistent.
allation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
rection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
cy.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
nagement.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ngs.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
nytimeUpgrade.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.
s renamed by Microsoft to _Add features to Windows x_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
me.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.
at.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
tManager.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Email and CCE-37424-9
ows tells the registered antiviru TITLE:Scan All InbCCE-36622-9
benchmarks is consistent.
dmx/adml`
benchmarks
that
is is
consistent.
included with all versions of the Microsoft Windows Administrative Templates.
ackup.admx/adml`
benchmarks is consistent.
that is included only with the Microsoft Windows Vista through Windows 8.0 & Server 2012 (non-R2) Administrative Templates, as well
ent.admx/adml`
benchmarks is consistent.
that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
tion.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.
mx/adml` thatisisconsistent.
benchmarks included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
er.admx/adml`
benchmarks isthat is included with all versions of the Microsoft Windows Administrative Templates.
consistent.
benchmarks is consistent.
mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
d by Microsoft to _File Explorer_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
ation.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
benchmarks is consistent.
zard.admx/adml` that is only included with the Microsoft Windows Vista and Windows Server 2008 (non-R2) Administrative Templates.
benchmarks is consistent.
el.admx/adml` that
benchmarks is is included with all versions of the Microsoft Windows Administrative Templates.
consistent.
mx/adml` thatisisconsistent.
benchmarks included with all versions of the Microsoft Windows Administrative Templates.
dmx/adml` thatisisconsistent.
benchmarks included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
dge.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.
x/adml` that is is
benchmarks included with all versions of the Microsoft Windows Administrative Templates.
consistent.
ienceVirtualization.admx/adml`
benchmarks is consistent. that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
ojection.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Update Administrative Tem
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
s cannot share files within their TITLE:Protect InfoCCE-38070-9
benchmarks is consistent.
benchmarks is consistent.
PresentationSettings.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
d by Microsoft to _Remote Desktop Services_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
mx/adml` thatisisconsistent.
benchmarks included with all versions of the Microsoft Windows Administrative Templates.
.admx/adml`
benchmarksthat is included with all versions of the Microsoft Windows Administrative Templates.
is consistent.
I.admx/adml`
benchmarks that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates and Microsoft Windows 8.1 & Server 2012
is consistent.
dmx/adml`
benchmarksthat
is is included with all versions of the Microsoft Windows Administrative Templates.
consistent.
duler.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
olorSystem.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
en.admx/adml`
benchmarks isthat
consistent.
is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.
rting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
dmx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
as renamed by Microsoft to _Windows Hello for Business_ starting with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates.
adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Minimize AnCCE-37490-0
benchmarks is consistent.
admx/adml`
benchmarksthat is included with all versions of the Microsoft Windows Administrative Templates.
is consistent.
ail.admx/adml`
benchmarks is that is only included with the Microsoft Windows Vista through the Windows 10 Release 1703 Administrative Templates.
consistent.
er.admx/adml` that is only included with the Microsoft Windows Vista through Windows 10 Release 1511 Administrative Templates.
ediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
ediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
back.
ediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
es (or newer).
ity-baseline-for-windows-10-creators-update-v1703-final/).
re that only ports, protocols, and services with validated business needs are running on each system.;
re that only ports, protocols, and services with validated business needs are running on each system.;
CRIPTION:Enable anti-exploitation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), virtualization/conta
ps://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/)
KB 3000483](https://support.microsoft.com/en-us/kb/3000483) security update and the Microsoft Windows 10 RTM (Release 1507) Administrative Templat
Workstations, and Servers CONTROL:3 DESCRIPTION:Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and
strative Templates.
(or newer).
inistrative Templates (except for the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates).
es (or newer).
coded directly into Windows 10 and Server 2016.
configurations (including all CIS-recommended EMET settings) before widespread deployment to your environment.
CRIPTION:Enable anti-exploitation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), virtualization/conta
that date, nor troubleshoot new problems with it. They are instead recommending that servers be upgraded to Server 2016.
7) Administrative Templates.
plates.
ative Templates.
roup Policy template `WindowsStore.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
crosoft Windows 10 Release 1511 Administrative Templates.
ve Templates.
rative Templates.
e Templates.
ve Templates.
4 DESCRIPTION:Regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity.;
strative Templates.
(or newer).
ative Templates.
Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates, or by the Group Policy template `WindowsStore.admx/adml` that is included with the Mi
ver 2016 Administrative Templates.
rative Templates.
e Templates.
ASLR), virtualization/containerization, etc. For increased protection, deploy capabilities such as Enhanced Mitigation Experience Toolkit (EMET) that can b
07) Administrative Templates (or newer).
Laptops, Workstations, and Servers;
ASLR), virtualization/containerization, etc. For increased protection, deploy capabilities such as Enhanced Mitigation Experience Toolkit (EMET) that can b
emplates (or newer).
trative Templates.
that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
e Toolkit (EMET) that can be configured to apply these protections to a broader set of applications and executables.;
e Toolkit (EMET) that can be configured to apply these protections to a broader set of applications and executables.;
section # recommendation # title status
1.1 1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' accepted
1.1 1.1.2 (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' accepted
1.1 1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' accepted
1.1 1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' accepted
1.1 1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' accepted
1.1 1.1.6 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' accepted
1.2 1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' accepted
1.2 1.2.2 (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but n accepted
1.2 1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' accepted
2.2 2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' accepted
2.2 2.2.2 (L1) Configure 'Access this computer from the network' accepted
2.2 2.2.3 (L1) Ensure 'Act as part of the operating system' is set to 'No One' accepted
2.2 2.2.5 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL S accepted
2.2 2.2.6 (L1) Ensure 'Allow log on locally' is set to 'Administrators' accepted
2.2 2.2.7 (L1) Configure 'Allow log on through Remote Desktop Services' accepted
2.2 2.2.8 (L1) Ensure 'Back up files and directories' is set to 'Administrators' accepted
2.2 2.2.9 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' accepted
2.2 2.2.10 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' accepted
2.2 2.2.12 (L1) Ensure 'Create a token object' is set to 'No One' accepted
2.2 2.2.13 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETW accepted
2.2 2.2.14 (L1) Ensure 'Create permanent shared objects' is set to 'No One' accepted
2.2 2.2.17 (L1) Configure 'Deny access to this computer from the network' accepted
2.2 2.2.18 (L1) Ensure 'Deny log on as a batch job' to include 'Guests' accepted
2.2 2.2.19 (L1) Ensure 'Deny log on as a service' to include 'Guests' accepted
2.2 2.2.20 (L1) Ensure 'Deny log on locally' to include 'Guests' accepted
2.2 2.2.21 (L1) Configure 'Deny log on through Remote Desktop Services' accepted
2.2 2.2.22 (L1) Configure 'Enable computer and user accounts to be trusted for delegation' accepted
2.2 2.2.23 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' accepted
2.2 2.2.24 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' accepted
2.2 2.2.26 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators' accepted
2.2 2.2.27 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' accepted
2.2 2.2.28 (L1) Ensure 'Lock pages in memory' is set to 'No One' accepted
2.2 2.2.30 (L1) Configure 'Manage auditing and security log' accepted
2.2 2.2.31 (L1) Ensure 'Modify an object label' is set to 'No One' accepted
2.2 2.2.32 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' accepted
2.2 2.2.33 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' accepted
2.2 2.2.34 (L1) Ensure 'Profile single process' is set to 'Administrators' accepted
2.2 2.2.35 (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServi accepted
2.2 2.2.36 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERV accepted
2.2 2.2.37 (L1) Ensure 'Restore files and directories' is set to 'Administrators' accepted
2.2 2.2.38 (L1) Ensure 'Shut down the system' is set to 'Administrators' accepted
2.2 2.2.40 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' accepted
2.3.1 2.3.1.1 (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled' (MS only) accepted
2.3.1 2.3.1.2 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with M accepted
2.3.1 2.3.1.3 (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only) accepted
2.3.1 2.3.1.4 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is accepted
2.3.2 2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to overr accepted
2.3.2 2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to accepted
2.3.4 2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrator accepted
2.3.4 2.3.4.2 (L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' accepted
2.3.6 2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set accepted
2.3.6 2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set accepted
2.3.6 2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to accepted
2.3.6 2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disab accepted
2.3.6 2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or few accepted
2.3.6 2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set t accepted
2.3.7 2.3.7.1 (L1) Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled' accepted
2.3.7 2.3.7.2 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' accepted
2.3.7 2.3.7.3 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but accepted
2.3.7 2.3.7.4 (L1) Configure 'Interactive logon: Message text for users attempting to log on' accepted
2.3.7 2.3.7.5 (L1) Configure 'Interactive logon: Message title for users attempting to log on' accepted
2.3.7 2.3.7.7 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set t accepted
2.3.7 2.3.7.8 (L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstat accepted
2.3.7 2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or accepted
2.3.8 2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Ena accepted
2.3.8 2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is se accepted
2.3.8 2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB server accepted
2.3.9 2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending sessio accepted
2.3.9 2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'En accepted
2.3.9 2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is se accepted
2.3.9 2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set t accepted
2.3.9 2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Ac accepted
2.3.10 2.3.10.1 (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' accepted
2.3.10 2.3.10.2 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is se accepted
2.3.10 2.3.10.3 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and sh accepted
2.3.10 2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set t accepted
2.3.10 2.3.10.6 (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' accepted
2.3.10 2.3.10.7 (L1) Configure 'Network access: Remotely accessible registry paths' accepted
2.3.10 2.3.10.8 (L1) Configure 'Network access: Remotely accessible registry paths and sub-paths' accepted
2.3.10 2.3.10.9 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is s accepted
2.3.10 2.3.10.1 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' accepted
2.3.10 2.3.10.1 (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Clas accepted
2.3.11 Network security accepted
2.3.11 2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is se accepted
2.3.11 2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disable accepted
2.3.11 2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use o accepted
2.3.11 2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is s accepted
2.3.11 2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password cha accepted
2.3.11 2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' accepted
2.3.11 2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv accepted
2.3.11 2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signin accepted
2.3.11 2.3.11.9 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including se accepted
2.3.11 2.3.11.1 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including se accepted
2.3.13 2.3.13.1 (L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'D accepted
2.3.15 2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is se accepted
2.3.15 2.3.15.2 (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g accepted
2.3.17 2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator acco accepted
2.3.17 2.3.17.2 (L1) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation with accepted
2.3.17 2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in accepted
2.3.17 2.3.17.4 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is accepted
2.3.17 2.3.17.5 (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' accepted
2.3.17 2.3.17.6 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in accepted
2.3.17 2.3.17.7 (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set t accepted
2.3.17 2.3.17.8 (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevati accepted
2.3.17 2.3.17.9 (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locat accepted
6 Registry accepted
9.1 9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' accepted
9.1 9.1.2 (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' accepted
9.1 9.1.3 (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' accepted
9.1 9.1.4 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' accepted
9.1 9.1.5 (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System accepted
9.1 9.1.6 (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or gr accepted
9.1 9.1.7 (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' accepted
9.1 9.1.8 (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Ye accepted
9.2 9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' accepted
9.2 9.2.2 (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' accepted
9.2 9.2.3 (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' accepted
9.2 9.2.4 (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' accepted
9.2 9.2.5 (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System3 accepted
9.2 9.2.6 (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or gre accepted
9.2 9.2.7 (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' accepted
9.2 9.2.8 (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes accepted
9.3 9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' accepted
9.3 9.3.2 (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' accepted
9.3 9.3.3 (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' accepted
9.3 9.3.4 (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No' accepted
9.3 9.3.5 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' accepted
9.3 9.3.6 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is se accepted
9.3 9.3.7 (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32 accepted
9.3 9.3.8 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or grea accepted
9.3 9.3.9 (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' accepted
9.3 9.3.10 (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' accepted
17.1 17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' accepted
17.2 17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' accepted
17.2 17.2.2 (L1) Ensure 'Audit Computer Account Management' is set to 'Success and Failure' accepted
17.2 17.2.4 (L1) Ensure 'Audit Other Account Management Events' is set to 'Success and Failure' accepted
17.2 17.2.5 (L1) Ensure 'Audit Security Group Management' is set to 'Success and Failure' accepted
17.2 17.2.6 (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' accepted
17.3 17.3.1 (L1) Ensure 'Audit Process Creation' is set to 'Success' accepted
17.5 17.5.1 (L1) Ensure 'Audit Account Lockout' is set to 'Success and Failure' accepted
17.5 17.5.3 (L1) Ensure 'Audit Logon' is set to 'Success and Failure' accepted
17.5 17.5.4 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' accepted
17.5 17.5.5 (L1) Ensure 'Audit Special Logon' is set to 'Success' accepted
17.6 17.6.1 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' accepted
17.6 17.6.2 (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' accepted
17.7 17.7.1 (L1) Ensure 'Audit Audit Policy Change' is set to 'Success and Failure' accepted
17.7 17.7.2 (L1) Ensure 'Audit Authentication Policy Change' is set to 'Success' accepted
17.7 17.7.3 (L1) Ensure 'Audit Authorization Policy Change' is set to 'Success' accepted
17.8 17.8.1 (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' accepted
17.9 17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' accepted
17.9 17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' accepted
17.9 17.9.3 (L1) Ensure 'Audit Security State Change' is set to 'Success' accepted
17.9 17.9.4 (L1) Ensure 'Audit Security System Extension' is set to 'Success and Failure' accepted
17.9 17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' accepted
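The advanced audit policy rows (17.1.1 through 17.9.5) are usually verified with `auditpol`. The block below is an added example, not part of the benchmark: it parses the CSV form of `auditpol /get /category:* /r` and compares every subcategory against the value given in the list above. Two assumptions are made here: the subcategory names are those of `auditpol`'s English output, and a subcategory set to 'Success and Failure' is accepted where the list only requires 'Success'.

```powershell
# Added example (not from the CIS benchmark): compare the effective advanced audit policy
# with the L1 values listed above. Requires an elevated prompt.
function Test-AuditPolicy {
    # Expected values copied from rows 17.1.1 - 17.9.5 above.
    $expected = [ordered]@{
        'Credential Validation'           = 'Success and Failure'
        'Application Group Management'    = 'Success and Failure'
        'Computer Account Management'     = 'Success and Failure'
        'Other Account Management Events' = 'Success and Failure'
        'Security Group Management'       = 'Success and Failure'
        'User Account Management'         = 'Success and Failure'
        'Process Creation'                = 'Success'
        'Account Lockout'                 = 'Success and Failure'
        'Logon'                           = 'Success and Failure'
        'Other Logon/Logoff Events'       = 'Success and Failure'
        'Special Logon'                   = 'Success'
        'Other Object Access Events'      = 'Success and Failure'
        'Removable Storage'               = 'Success and Failure'
        'Audit Policy Change'             = 'Success and Failure'
        'Authentication Policy Change'    = 'Success'
        'Authorization Policy Change'     = 'Success'
        'Sensitive Privilege Use'         = 'Success and Failure'
        'IPsec Driver'                    = 'Success and Failure'
        'Other System Events'             = 'Success and Failure'
        'Security State Change'           = 'Success'
        'Security System Extension'       = 'Success and Failure'
        'System Integrity'                = 'Success and Failure'
    }

    # /r emits CSV with the columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    # The filter drops the blank lines auditpol prints around the table.
    $rows = auditpol.exe /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv

    foreach ($name in $expected.Keys) {
        $row    = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
        $want   = $expected[$name]
        # Assumption: auditing more than required ('Success and Failure' where 'Success'
        # is asked for) is acceptable; 'No Auditing' or a missing row never is.
        $pass   = ($actual -eq $want) -or ($want -eq 'Success' -and $actual -eq 'Success and Failure')
        [pscustomobject]@{ Subcategory = $name; Expected = $want; Actual = $actual; Pass = $pass }
    }
}

# Show only the rows that need attention.
Test-AuditPolicy | Where-Object { -not $_.Pass } | Format-Table -AutoSize
```

Note that `auditpol` reports the policy in effect on the machine, so if the legacy "Audit: Force audit policy subcategory settings" option is not enabled, the basic audit categories may be overriding the values you see here.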
18.1.1 18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' accepted
18.1.1 18.1.1.2 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' accepted
18.2 18.2.1 (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only) accepted
18.2 18.2.2 (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set t accepted
18.2 18.2.3 (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only) accepted
18.2 18.2.4 (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + saccepted
18.2 18.2.5 (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' (MS onlyaccepted
18.2 18.2.6 (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MSaccepted
18.3 18.3.1 (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabledaccepted
18.3 18.3.2 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver' accepted
18.3 18.3.3 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' accepted
18.3 18.3.4 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set t accepted
18.4 18.4.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set a
t ccepted
18.4 18.4.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protect
accepted
18.4 18.4.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects aga
accepted
18.4 18.4.4 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated
accepted
r
18.4 18.4.6 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name
accepted
18.4 18.4.8 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' isaccepted
18.4 18.4.9 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver
accepted
18.4 18.4.12 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at whichaccepted
18.5.4 18.5.4.1 (L1) Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0xaccepted
18.5.4 18.5.4.2 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' (MS Only) accepted
18.5.11 18.5.11. (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain accepted
n
18.5.11 18.5.11. (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to ' accepted
18.5.14 18.5.14. (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authenticatio accepted
18.5.21 18.5.21. (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windowaccepted
18.8.4 18.8.4.1 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enableaccepted
18.8.14 18.8.14. (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and ba
accepted
18.8.21 18.8.21. (L1) Ensure 'Configure registry policy processing: Do not apply during periodic backgroundaccepted
18.8.21 18.8.21. (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy object accepted
18.8.21 18.8.21. (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' accepted
18.8.22. 18.8.22.1(L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' accepted
18.8.22. 18.8.22.1(L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is accepted
18.8.22. 18.8.22.1(L1) Ensure 'Turn off printing over HTTP' is set to 'Enabled' accepted
18.8.27 18.8.27. (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' accepted
18.8.27 18.8.27. (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'En accepted
18.8.27 18.8.27. (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS oaccepted
18.8.27 18.8.27. (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' accepted
18.8.27 18.8.27. (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' accepted
18.8.27 18.8.27. (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' accepted
18.8.33. 18.8.33.6(L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' accepted
18.8.33. 18.8.33.6(L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' accepted
18.8.35 18.8.35. (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' accepted
18.8.35 18.8.35. (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' accepted
18.8.36 18.8.36. (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS onaccepted
18.9.3 Add features to Windows 8 / 8.1 / 10 (formerly Windows Anytime Upgrade) accepted
18.9.6 18.9.6.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' accepted
18.9.8 18.9.8.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' accepted
18.9.8 18.9.8.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute an accepted
18.9.8 18.9.8.3 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' accepted
18.9.15 18.9.15. (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' accepted
18.9.15 18.9.15. (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' accepted
18.9.24 18.9.24. (L1) Ensure 'Default Action and Mitigation Settings' is set to 'Enabled' (plus subsettings) accepted
18.9.24 18.9.24. (L1) Ensure 'Default Protections for Internet Explorer' is set to 'Enabled' accepted
18.9.24 18.9.24. (L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled' accepted
18.9.24 18.9.24. (L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled' accepted
18.9.24 18.9.24. (L1) Ensure 'System ASLR' is set to 'Enabled: Application Opt-In' accepted
18.9.24 18.9.24. (L1) Ensure 'System DEP' is set to 'Enabled: Application Opt-Out' accepted
18.9.24 18.9.24. (L1) Ensure 'System SEHOP' is set to 'Enabled: Application Opt-Out' accepted
18.9.26. 18.9.26.1(L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum
accepted
18.9.26. 18.9.26.1(L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 accepted
18.9.26. 18.9.26.2(L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum siz
accepted
18.9.26. 18.9.26.2(L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 oaccepted
18.9.26. 18.9.26.3(L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size'accepted
18.9.26. 18.9.26.3(L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or graccepted
18.9.26.4 System accepted
18.9.26. 18.9.26.4(L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size
accepted
18.9.26. 18.9.26.4(L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or accepted
18.9.30 18.9.30. (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' accepted
18.9.30 18.9.30. (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' accepted
18.9.30 18.9.30. (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' accepted
18.9.52 18.9.52. (L1) Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabaccepted
18.9.58. 18.9.58.2(L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' accepted
18.9.58.318.9.58.3(L1) Ensure 'Do not allow drive redirection' is set to 'Enabled' accepted
18.9.58.318.9.58.3(L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' accepted
18.9.58.318.9.58.3(L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' accepted
18.9.58. 18.9.58.3(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' accepted
18.9.58. 18.9.58.3(L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled' accepted
18.9.59 18.9.59. (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' accepted
18.9.60 18.9.60. (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' accepted
18.9.60.1 OCR accepted
18.9.76 18.9.76. (L1) Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled' accepted
18.9.76. 18.9.76.3(L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Dis accepted
18.9.76. 18.9.76. (L1) Ensure 'Scan removable drives' is set to 'Enabled' accepted
18.9.76. 18.9.76. (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled' accepted
18.9.80. 18.9.80.1(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevaccepted
18.9.81 18.9.81. (L1) Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Daccepted
18.9.81. 18.9.81.2(L1) Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending dataaccepted
18.9.83 Windows Hello for Business (formerly Microsoft Passport for Work) accepted
18.9.85 18.9.85. (L1) Ensure 'Allow user control over installs' is set to 'Disabled' accepted
18.9.85 18.9.85. (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' accepted
18.9.86 18.9.86. (L1) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is setaccepted
18.9.95 18.9.95. (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' accepted
18.9.95 18.9.95. (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' accepted
18.9.97. 18.9.97.2(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' accepted
18.9.101 18.9.101 (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled' accepted
18.9.101 18.9.101 (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' accepted
18.9.101 18.9.101 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installatiaccepted
18.9.101.1 Windows Update for Business (formerly Defer Windows Updates) draft
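Most of the section 18 rows above are Administrative Template settings, which Group Policy writes as registry values. The block below is an added example that is not part of the benchmark: it reads the values behind the LAPS rows (18.2.x), the SMBv1/SEHOP/UAC rows (18.3.x), the event log size rows (18.9.26.x) and the WinRM RunAs row (18.9.97.2) and compares them to the thresholds given in the list. The registry paths and value names are the well-known locations these policies write to, but they are an assumption here rather than something this page states, so confirm them against the benchmark's own audit steps before relying on the script.

```powershell
# Added example (not from the CIS benchmark): read the registry values behind several
# section 18 settings and compare them to the values in the list above.
# Assumption: the Path/Name pairs are the locations these Group Policy settings write to.
function Test-PolicyRegistry {
    $checks = @(
        @{ Setting = 'Enable Local Admin Password Management (LAPS)';
           Path = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'; Name = 'AdmPwdEnabled';
           Test = { param($v) $v -eq 1 } }
        @{ Setting = 'LAPS: Password Length >= 15';
           Path = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'; Name = 'PasswordLength';
           Test = { param($v) $v -ge 15 } }
        @{ Setting = 'LAPS: Password Age (Days) <= 30';
           Path = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'; Name = 'PasswordAgeDays';
           Test = { param($v) $v -le 30 } }
        @{ Setting = 'Apply UAC restrictions to local accounts on network logons';
           Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'LocalAccountTokenFilterPolicy';
           Test = { param($v) $v -eq 0 } }
        @{ Setting = 'Configure SMB v1 client driver: Disable driver';
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'; Name = 'Start';
           Test = { param($v) $v -eq 4 } }
        @{ Setting = 'Configure SMB v1 server: Disabled';
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'SMB1';
           Test = { param($v) $v -eq 0 } }
        @{ Setting = 'Enable SEHOP';
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'; Name = 'DisableExceptionChainValidation';
           Test = { param($v) $v -eq 0 } }
        @{ Setting = 'Application: maximum log file size (KB) >= 32768';
           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'; Name = 'MaxSize';
           Test = { param($v) $v -ge 32768 } }
        @{ Setting = 'Security: maximum log file size (KB) >= 196608';
           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'; Name = 'MaxSize';
           Test = { param($v) $v -ge 196608 } }
        @{ Setting = 'Setup: maximum log file size (KB) >= 32768';
           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'; Name = 'MaxSize';
           Test = { param($v) $v -ge 32768 } }
        @{ Setting = 'System: maximum log file size (KB) >= 32768';
           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'; Name = 'MaxSize';
           Test = { param($v) $v -ge 32768 } }
        @{ Setting = 'Disallow WinRM from storing RunAs credentials';
           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'; Name = 'DisableRunAs';
           Test = { param($v) $v -eq 1 } }
    )

    foreach ($c in $checks) {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        # A missing value means the policy never reached this host. That is reported as a
        # failure rather than a pass, even where the OS default would happen to be safe.
        $pass  = ($null -ne $value) -and (& $c.Test $value)
        [pscustomobject]@{ Setting = $c.Setting; Value = $c.Name; Actual = $value; Pass = $pass }
    }
}

Test-PolicyRegistry | Format-Table -AutoSize
```

Reading `HKLM:\SOFTWARE\Policies` shows what the Group Policy client last wrote; it does not prove the setting is honoured by the component. For SMBv1 in particular, `Get-SmbServerConfiguration` (property `EnableSMB1Protocol`) is the authoritative view of what the server is actually offering.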
19.1.3 19.1.3.1 (L1) Ensure 'Enable screen saver' is set to 'Enabled' accepted
19.1.3 19.1.3.2 (L1) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabledaccepted
19.1.3 19.1.3.3 (L1) Ensure 'Password protect the screen saver' is set to 'Enabled' accepted
19.1.3 19.1.3.4 (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0' accepted
19.5.1 19.5.1.1 (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled' accepted
19.7.1 Add features to Windows 8 / 8.1 / 10 (formerly Windows Anytime Upgrade) accepted
19.7.4 19.7.4.1 (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled' accepted
19.7.4 19.7.4.2 (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled' accepted
19.7.26 19.7.26. (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled' accepted
19.7.39 Windows Hello for Business (formerly Microsoft Passport for Work) accepted
19.7.40 19.7.40. (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' accepted
This policy setting determines which users or processes can generate audit records in the Security log.

An attacker could u

The recommended state for this setting is: `LOCAL SERVICE, NETWORK SERVICE`.

**Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.

**Note #2:** A Member Server with the _Web Server (IIS)_ Role with _Web Server_ Role Service will require a speci

**Note #3:** A Member Server that holds the _Active Directory Federation Services_ Role will require a special exception to this

To establish the recommended configuration via GP, set the following UI path to `LOC

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```

On most computers, this is the defaul

Services that are started by the Service Control Manager have the built-in Service group added by default to their access tokens. Also, a user can impersonate an access token if any of the following conditions exist:

- The access token that is being impersonated is for this user.
- The user, in this logon session, logged on to the network with explicit credentials to create the access token.
- The requested level is less than Impersonate, such as Anonymous or Identify.

An attacker with the **Impersonate a client after authentication** right could create a service, trick a client to make the

- **Level 1 - Domain Controller.** The recommended state for this setting is: `Administrators, LOCAL SERVICE, NETWOR
- **Level 1 - Member Server.** The recommended state for this setting is: `Administrators, LOCAL SERVICE, NETWORK S

To establish the recommended configuration via GP, configure the following UI path:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```

In most cases this configuration will

This policy setting determines whether users can increase the base priority class of a process. (It is not a privileged operati

A user who is assi

The recommended state for this setting is: `Administrators`.

To establish the recommended configuration via GP, set the following UI path to `Adm

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```

None - this is the default behavior.

This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this t

Device drivers run

The recommended state for this setting is: `Administrators`.

If you remove the **Load and unload d

To establish the recommended configuration via GP, set the following UI path to `Adm

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```

None - this is the default behavior.

This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to vi

Users with the **L

The recommended state for this setting is: `No One`.

To establish the recommended configuration via GP, set the following UI path to `No O

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```

None - this is the default behavior.

This policy setting determines which users can change the auditing options for files and directories and clear the Security lo

The ability to man

- **Level 1 - Domain Controller.** The recommended state for this setting is: `Administrators` and (when Exchange is runni
- **Level 1 - Member Server.** The recommended state for this setting is: `Administrators`.

**Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.

**Note #2:** A Member Server with Microsoft SQL Server _and_ its optional "Integration Services" component installed will

For environments running Microsoft Exchange Server, the `Exchange Servers` group must possess this privilege on Doma

To establish the recommended configuration via GP, configure the following UI path:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```

None - this is the default behavior.

This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or proce

By modifying the i

The recommended state for this setting is: `No One`.

To establish the recommended configuration via GP, set the following UI path to `No

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```

None - this is the default behavior.

This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This

Anyone who is assi

The recommended state for this setting is: `Administrators`.

**Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.

To establish the recommended configuration via GP, set the following UI path to `Adm

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```

None - this is the default behavior.

This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a v

A user who is assi

The recommended state for this setting is: `Administrators`.

**Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.

To establish the recommended configuration via GP, set the following UI path to `Adm

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```

None - this is the default behavior.

This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, y

The **Profile sing

The recommended state for this setting is: `Administrators`.

If you remove the **Profile single

To establish the recommended configuration via GP, set the following UI path to `Adm

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```

This policy setting allows one process or service to start another service or process with a different security access token, w

The recommended state for this setting is: `LOCAL SERVICE, NETWORK SERVICE`.

To establish the recommended configuration via GP, set the following UI path to `LO

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```

None - this is the default behavior.

This policy setting allows users to use tools to view the performance of different system processes, which could be abused

The **Profile syst

The recommended state for this setting is: `Administrators, NT SERVICE\WdiServiceHost`.

To establish the recommended configuration via GP, set the following UI path to `Adm

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```

None - this is the default behavior.

This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when

Users with the **R

An attacker with the **Restore files and directories** user right could restore sensitive data to a compute

**Note:** Even if the following countermeasure is configured, an attacker could still restore data to a com

The recommended state for this setting is: `Administrators`.

**Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.

**Note #2:** A Member Server that holds the _Web Server (IIS)_ Role with _Web Server_ Role Service will require a speci

If you remove the **Restore files and

To establish the recommended configuration via GP, set the following UI path to `Adm

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```

On most computers, this is the defaul

This policy setting determines which users who are logged on locally to the computers in your environment can shut down

The ability to shut down Domain Controllers and Member Servers should be limited to a very small numb

When a Domain Controller is shut down, it is no longer available to process logons, serve Group Policy,

The recommended state for this setting is: `Administrators`.

The impact of removing these default

To establish the recommended configuration via GP, set the following UI path to `Adm

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```

This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypa

Any users with the

The recommended state for this setting is: `Administrators`.

**Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.

**Note #3:** A Member Server with Microsoft SQL Server installed will require a special exception to this recommendation

To establish the recommended configuration via GP, set the following UI path to `Adm

```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\U
```

None - this is the default behavior.
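The user-right descriptions above all follow the same pattern: a named right, a recommended set of principals, and a Group Policy path under Local Policies. On the host itself the assignments can be read back with `secedit`. The block below is an added example and not code from the benchmark: it exports the `[Privilege Rights]` section, resolves the SIDs to account names, and compares each right discussed above with its recommended state. The `Se…Privilege` constant names are the standard Windows names for these rights and are not shown on this page, so treat that mapping as an assumption; the Member Server values are used where the text gives separate Domain Controller and Member Server states.

```powershell
# Added example (not from the CIS benchmark): compare local user-right assignments with
# the recommended states described above. Run elevated; everything happens offline.
function Get-UserRightsAssignment {
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $rights = @{}
        foreach ($line in Get-Content $cfg) {
            # Export lines look like:  SeAuditPrivilege = *S-1-5-19,*S-1-5-20
            if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
                $priv  = $Matches[1]
                $names = foreach ($tok in ($Matches[2] -split ',')) {
                    $tok = $tok.Trim()
                    if ($tok -eq '') { continue }
                    if ($tok.StartsWith('*')) {
                        # '*' prefixes a SID; resolve it, fall back to the raw SID if it cannot be mapped.
                        $sid = New-Object System.Security.Principal.SecurityIdentifier ($tok.Substring(1))
                        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $tok }
                    } else { $tok }
                }
                $rights[$priv] = @($names)
            }
        }
        return $rights
    } finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
}

function Test-UserRights {
    # Assumption: these privilege constants are the rights discussed above. An empty list
    # means 'No One'. Names are compared without the BUILTIN\ / NT AUTHORITY\ prefix.
    $expected = [ordered]@{
        SeAuditPrivilege                = @('LOCAL SERVICE', 'NETWORK SERVICE')   # Generate security audits
        SeIncreaseBasePriorityPrivilege = @('Administrators')                     # Increase scheduling priority
        SeLoadDriverPrivilege           = @('Administrators')                     # Load and unload device drivers
        SeLockMemoryPrivilege           = @()                                     # Lock pages in memory
        SeSecurityPrivilege             = @('Administrators')                     # Manage auditing and security log (Member Server)
        SeRelabelPrivilege              = @()                                     # Modify an object label
        SeSystemEnvironmentPrivilege    = @('Administrators')                     # Modify firmware environment values
        SeManageVolumePrivilege         = @('Administrators')                     # Perform volume maintenance tasks
        SeProfileSingleProcessPrivilege = @('Administrators')                     # Profile single process
        SeSystemProfilePrivilege        = @('Administrators', 'WdiServiceHost')   # Profile system performance
        SeAssignPrimaryTokenPrivilege   = @('LOCAL SERVICE', 'NETWORK SERVICE')   # Replace a process level token
        SeRestorePrivilege              = @('Administrators')                     # Restore files and directories
        SeShutdownPrivilege             = @('Administrators')                     # Shut down the system
        SeTakeOwnershipPrivilege        = @('Administrators')                     # Take ownership
    }
    $actual = Get-UserRightsAssignment
    foreach ($priv in $expected.Keys) {
        # A right that is absent from the export is assigned to nobody.
        $have = @($actual[$priv] | ForEach-Object { ($_ -split '\\')[-1] } | Sort-Object -Unique)
        $want = @($expected[$priv] | Sort-Object -Unique)
        $pass = (($have -join '|') -eq ($want -join '|'))
        [pscustomobject]@{ Privilege = $priv; Expected = ($want -join ', '); Actual = ($have -join ', '); Pass = $pass }
    }
}

Test-UserRights | Format-Table -AutoSize
```

Service SIDs such as the one behind `NT SERVICE\WdiServiceHost` do not always translate to a name on every host; when `Translate` fails the script keeps the raw SID, so that row will show as failing and deserves a manual look rather than being silently accepted.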
accepted This section contains recommendations for security options.

accepted This section contains recommendations related to the Windows shutdown functionality.

This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is e

To establish the recommended configuration via GP, set the following UI path to `Disa

Navigate to the UI Path articulated in the Remediation section and
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted This section contains recommendations for configuring the Windows Firewall.
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted This section contains recommendations for configuring the Windows audit facilities.
accepted This section contains recommendations for configuring the Account Logon audit policy.

This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the Domain Controller is authoritative, whereas for local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the Domain Controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on. Events for this subcategory include:

- 4774: An account was mapped for logon.
- 4775: An account could not be mapped for logon.
- 4776: The Domain Controller attempted to validate the credentials for an account.
- 4777: The Domain Controller failed to validate the credentials for an account.

The recommended state for this setting is: `Success and Failure`.

If no audit settings are configured, or if audit sett

Auditing these eve

To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon\Au
```

accepted This section contains recommendations for configuring the Account Management audit policy.

This policy setting allows you to audit events generated by changes to application groups such as the following:

- Application group is created, changed, or deleted.
- Member is added or removed from an application group.

Application groups are utilized by Windows Authorization Manager, which is a flexible framework created by Microsoft for integrating role-based access control (RBAC) into applications. More information on Windows Authorization Manager is available at [MSDN - Windows Authorization Manager](https://msdn.microsoft.com/en-us/library/bb897401.aspx).

The recommended state for this setting is: `Success and Failure`.

To establish the recommended configuration via GP, set the following UI path to `Suc

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Au
```

This subcategory reports each event of computer account management, such as when a computer account is created, cha

- 4741: A computer account was created.
- 4742: A computer account was changed.
- 4743: A computer account was deleted.

The recommended state for this setting is: `Success and Failure`.

To establish the recommended configuration via GP, set the following UI path to `Suc

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Au
```

This subcategory reports other account management events. Events for this subcategory include:

- 4782: The password hash an account was accessed.
- 4793: The Password Policy Checking API was called.

The recommended state for this setting is: `Success and Failure`.

To establish the recommended configuration via GP, set the following UI path to `Suc

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Au
```

This subcategory reports each event of security group management. Events for this subcategory include:

- 4727: A security-enabled global group was created.
- 4728: A member was added to a security-enabled global group.
- 4729: A member was removed from a security-enabled global group.
- 4730: A security-enabled global group was deleted.
- 4731: A security-enabled local group was created.
- 4732: A member was added to a security-enabled local group.
- 4733: A member was removed from a security-enabled local group.
- 4734: A security-enabled local group was deleted.
- 4735: A security-enabled local group was changed.
- 4737: A security-enabled global group was changed.
- 4754: A security-enabled universal group was created.
- 4755: A security-enabled universal group was changed.

The recommended state for this setting is: `Success and Failure`.

To establish the recommended configuration via GP, set the following UI path to `Suc

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Au
```

This subcategory reports each event of user account management, such as when a user account is created, changed, or d

- 4720: A user account was created.
- 4722: The user account was enabled.
- 4723: An attempt was made to change an account's password.
- 4724: An attempt was made to reset an account's password.
- 4725: A user account was disabled.
- 4726: A user account was deleted.
- 4738: A user account was changed.
- 4740: A user account was locked out.
- 4765: SID History was added to an account.
- 4766: An attempt to add SID History to an account failed.
- 4767: A user account was unlocked.
- 4780: The ACL was set on accounts which are members of administrators groups.
- 4781: The name of an account was changed:
- 4794: An attempt was made to set the Directory Services Restore Mode.
- 5376: Credential Manager credentials were backed up.
- 5377: Credential Manager credentials were restored from a backup.

Refer to Microsoft Knowledge Base article 947226: [Description of security events in Windows Vista and in Windows Serve

The recommended state for this setting is: `Success and Failure`.

To establish the recommended configuration via GP, set the following UI path to `Suc

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Au
```

accepted This section contains recommendations for configuring the Detailed Tracking audit policy.

This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subc

- 4688: A new process has been created.
- 4696: A primary token was assigned to process.

The recommended state for this setting is: `Success`.

To establish the recommended configuration via GP, set the following UI path to `Suc

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

accepted This section contains recommendations for configuring the Directory Services Access audit policy.

accepted This section contains recommendations for configuring the Logon/Logoff audit policy.

This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include:

- 4625: An account failed to log on.

The recommended state for this setting is: `Success and Failure`.

To establish the recommended configuration via GP, set the following UI path to `Suc

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interac

- 4634: An account was logged off.
- 4647: User initiated logoff.

The recommended state for this setting is: `Success`.

To establish the recommended configuration via GP, set the following UI path to `Suc

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. Fo

- 4624: An account was successfully logged on.
- 4625: An account failed to log on.
- 4648: A logon was attempted using explicit credentials.
- 4675: SIDs were filtered.

The recommended state for this setting is: `Success and Failure`.

To establish the recommended configuration via GP, set the following UI path to `Suc

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This subcategory reports other logon/logoff-related events, such as Remote Desktop Services session disconnects and rec

- 4649: A replay attack was detected.
- 4778: A session was reconnected to a Window Station.
- 4779: A session was disconnected from a Window Station.
- 4800: The workstation was locked.
- 4801: The workstation was unlocked.
- 4802: The screen saver was invoked.
- 4803: The screen saver was dismissed.
- 5378: The requested credentials delegation was disallowed by policy.
- 5632: A request was made to authenticate to a wireless network.
- 5633: A request was made to authenticate to a wired network.

The recommended state for this setting is: `Success and Failure`.

To establish the recommended configuration via GP, set the following UI path to `Suc

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileg

- 4964: Special groups have been assigned to a new logon.

The recommended state for this setting is: `Success`.

To establish the recommended configuration via GP, set the following UI path to `Suc

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

accepted This section contains recommendations for configuring the Object Access audit policy.

This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects.

For scheduler jobs, the following are audited:

- Job created.
- Job deleted.
- Job enabled.
- Job disabled.
- Job updated.

For COM+ objects, the following are audited:

- Catalog object added.
- Catalog object updated.

The recommended state for this setting is: `Success and Failure`.

To establish the recommended configuration via GP, set the following UI path to `Suc

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A securit

The unexpected incre

The recommended state for this setting is: `Success and Failure`.

**Note:** A Windows 8, Server 2012 (non-R2) or higher OS is required to access and set this value in Group Policy.

To establish the recommended configuration via GP, set the following UI path to `Suc

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

accepted This section contains recommendations for configuring the Policy Change audit policy.

This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include:

- 4715: The audit policy (SACL) on an object was changed.
- 4719: System audit policy was changed.
- 4902: The Per-user audit policy table was created.

The recommended state for this setting is: `Success and Failure`.

To establish the recommended configuration via GP, set the following UI path to `Suc

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This subcategory reports changes in authentication policy. Events for this subcategory include:

- 4706: A new trust was created to a domain.
- 4707: A trust to a domain was removed.

The recommended state for this setting is: `Success`.

To establish the recommended configuration via GP, set the following UI path to `Suc

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```

This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the follow

The recommended state for this setting is: `Success and Failure`.

To establish the recommended configuration via GP, set the following UI path to `Suc

```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
```
path to `Suc
-- Act Catalog
4904:
4713:
4756: An
asKerberosobject
Apart attempt
of thedeleted.
was made
policy was changed.
operating to register a security event source.
system
full -This
member was 4905:
4716:
Back An
Trusted
subcategory
up attempt
files Auditing
was
domain
and reports made these
information
directorieschanges to unregister
eve
inwas``` establish
To a security
modified.
authorization the event
Navigate
source.
recommended
policy. Events to
forthe UIsubcategory
If no audit
configuration
this viasettings
GP, setare
include: theconfigured,
following UI path to `Suc
-The
added recommended
4906:
4717:
Create The
toSystem
aatoken stateaccess
CrashOnAuditFail
security
object for this setting
value
was has is:
Computer
granted `Success
changed.
to an and Failure`.
Configuration\Policies\Windows
account. Settings\Security Settings\Advanced Audit
full -security-enabled 4907: A
4718:
4704:
Debug Auditing
System
user right
programs settings
security
Auditing onthese
was access object
assigned. was were
eve ```
``` changed.
removed
To fromthe
establish anrecommended
account.
Navigate to the UI If no audit
configuration viasettings
GP, setare theconfigured,
following UI path to `Suc
-universal 4908:
4739:
4705:
EnableA Special
Domain
user right
computer
group. Groups
Policy
waswas
and Logon
removed.
user table modified.
changed.
accounts Computer
to be trusted Configuration\Policies\Windows
for delegation Settings\Security Settings\Advanced Audit
full -- Generate 4912:
4864:
4706:
4757: A Per
A new User
namespace Audit
trust
security Policy
collision
Auditing
was
audits created was
these was changed.
adetected.
toeve ```
domain.
``` Navigate to the UI If no audit settings are configured,
-This
member 4865:
4707:
ImpersonateAwas
subcategorytrusted
trust forest
atoclient
a domain
reports information
after onwasthe removed.
authenticationentry was
Computer
activities of theadded.
Configuration\Policies\Windows
Internet Protocol security (IPsec)Settings\Security driver. Events forSettings\Advanced
this subcategory includ Audit
accepted -The
This
removed from aLoadrecommended
4866:
4714: A
and
subcategorytrusted
Encrypted
section contains
unload state
forest
data
device
reports for
recovery this
information
recommendations
drivers
on other setting
entry
policy```
To
system is:
was
for`Success
was removed.
changed.
configuring
establish
events. the and theFailure`.
Privilege
recommended
Events for this Use
subcategory audit
configuration policy.
via
include: GP, set the following UI path to `Suc
-security-enabled
4867:
Manage
4960: A trusted
IPsecauditing forest
droppedand an information
security
inbound entry was
log packet thatmodified.
failed an integrity check. If this problem persists, it could indicate a network i
full -The
universal recommended
Modify
4961:
5024 firmware
:IPsec
Thegroup. Windows
dropped state
anfor
environment
Auditing
Firewall thisService
these
inbound setting
values
eve
packet is:that
```has `Success`.
started Navigate
failedsuccessfully.
a replay check.to the UI Ifproblem
If this no auditpersists,
settingsitare configured,
could indicate a replay attack
The
-- 5025 recommended
Replace
4962:
4758: :IPsec
AThe a process-level
Windows
dropped state
anfor
Firewall thisService
token
inbound setting
packet is:that
Computer
has `Success`.
been Configuration\Policies\Windows
failed a replay check. The inboundSettings\Security
stopped. packet had too low Settings\Advanced
a sequence number Auditt
accepted -This Restore
4963:
5027 section
security-enabled :IPsec
The files and directories
contains
Windows
dropped recommendations
Firewall
an inbound Service ```was
clear
To for configuring
text
establish
unable
packet the
to
that the System
recommended
retrieve
should thehave audit
security policy.
configuration
been policy
secured.from
via
This
the
GP,islocal
set
usually
the
storage.
following
due to Thethe
UI
service
remote
path towill
comp
`Suc
con
-universalTake ownership
4965:
5028 :IPsec
Thegroup Windows of files
received or other
a packet
Firewall objects
from
Service a was
remote computer
unable to parse withtheannewincorrect Security
security policy.Parameter
The service Index (SPI). This
will continue is usually
with currentlyc
full -was 5478:
5029: IPsec
The
deleted. Services
Windows Auditing
has these
Firewall started eve
Service successfully.
```
To failed
establish
to initialize Navigate
the driver.toThe
the recommended the UI If no will
configuration
service auditviasettings
continue
GP, set toare
theconfigured,
enforce
following
the current
UI pathpolicy.
to `Suc
-Auditing
- 5030:5479:
4764: The Athis
IPsec subcategory haswill
ServicesFirewall
Windows
group's beencreateshutaComputer
Service high
failedvolume
down of events.
successfully. The Events
Configuration\Policies\Windows
to start. shutdown for of
this subcategory
IPsec Servicesinclude:
Settings\Security
can putSettings\Advanced
the computer at greater Audit
full -type 5480:
5032:was IPsec Services
Windows Firewall failed
Capturing tounable
wasthese get authe
```
tocomplete
``` notify thelist of network
user that
Navigate interfaces
it blocked onno the
to theanUIapplication
If computer.
audit from
settings This
are poses
accepting a potential
configured,
incoming security
connections
4672::IPsec
5483:
-changed.
5033 Special
The Windows privileges
Services failedassigned
Firewall toDriver toComputer
initializenew
has RPClogon.
server.
started IPsec Services could not be
Configuration\Policies\Windows
successfully. started.
Settings\Security Settings\Advanced Audit
4673::IPsec
5484:
- 5034 ATheprivileged
Services
Windows service wasDriver
has experienced
Firewall called. hasa been
``` criticalstopped.
failure and has been shut down. The shutdown of IPsec Services can put
-The 4674::IPsec
5485:
5035 An
The operation
Services
Windows was attempted
failed
Firewall toDriver
processon asome
failed privileged
IPsecobject.
to start. filters on a plug-and-play event for network interfaces. This poses a po
-recommended
5037 : The Windows Firewall Driver detected critical runtime error. Terminating.
-The recommended
5058:
state forKey thisfile operation. state for this setting is: `Success and Failure`.
- 5059: Key migration operation.
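The Sensitive Privilege Use subcategory above is the one the benchmark warns "will create a high volume of events". The following PowerShell is an added example, not text or code from the CIS benchmark, that turns the resulting 4672/4673/4674 (and Special Logon 4964) events into a per-account, per-privilege count and drops the built-in service SIDs that generate most of the volume. The EventData field names it reads (`SubjectUserSid`, `SubjectUserName`, `SubjectDomainName`, `PrivilegeList`, `ProcessName`) come from the Security-Auditing event schemas, not from this page, and the two embedded events are constructed samples so the parsing part runs offline; `Get-LivePrivilegeRecords` reads the real Security log and needs an elevated session.

```powershell
# Added example: summarise Sensitive Privilege Use / Special Logon events by account and
# privilege. Not from the CIS benchmark. Assumes a Windows host; the EventData field
# names are taken from the event schemas (an assumption, not quoted on this page).

# Well-known SIDs whose 4672 events fire on every service logon and are rarely interesting.
$NoiseSids = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')   # SYSTEM, LOCAL SERVICE, NETWORK SERVICE

function ConvertTo-PrivilegeRecord {
    # Flatten one Security event (as XML) into the fields needed for triage.
    param([Parameter(Mandatory)][xml]$EventXml)
    $sys = $EventXml.Event.System
    $id  = $sys.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # EventID may carry a Qualifiers attribute
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated = [datetime]$sys.TimeCreated.SystemTime
        EventId     = [int]$id
        Sid         = $data['SubjectUserSid']
        Account     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Process     = $data['ProcessName']
        # 4672/4673/4674 list the privileges as whitespace-separated Se*Privilege names.
        Privileges  = @(($data['PrivilegeList'] -split '\s+') | Where-Object { $_ })
    }
}

function Get-PrivilegeUseSummary {
    # Count (account, privilege) pairs, ignoring the built-in service SIDs unless -IncludeNoise.
    param([Parameter(Mandatory)][object[]]$Records, [switch]$IncludeNoise)
    $Records |
        Where-Object { $IncludeNoise -or $_.Sid -notin $NoiseSids } |
        ForEach-Object {
            $r = $_
            foreach ($p in $r.Privileges) {
                [pscustomobject]@{ Account = $r.Account; Privilege = $p; EventId = $r.EventId }
            }
        } |
        Group-Object Account, Privilege |
        ForEach-Object {
            [pscustomobject]@{ Account = $_.Group[0].Account; Privilege = $_.Group[0].Privilege; Count = $_.Count }
        } |
        Sort-Object Count -Descending
}

function Get-LivePrivilegeRecords {
    # Pull the newest events from the Security log (elevated session required).
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672, 4673, 4674, 4964 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-PrivilegeRecord ([xml]$_.ToXml()) }
}

# Constructed sample events (not real log data): a SYSTEM 4672 and a user 4672 holding SeDebugPrivilege.
$SampleXml = @(
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4672</EventID><TimeCreated SystemTime="2024-01-02T03:04:05.000Z"/><Channel>Security</Channel><Computer>SRV01</Computer></System><EventData><Data Name="SubjectUserSid">S-1-5-18</Data><Data Name="SubjectUserName">SYSTEM</Data><Data Name="SubjectDomainName">NT AUTHORITY</Data><Data Name="SubjectLogonId">0x3e7</Data><Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeDebugPrivilege</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4672</EventID><TimeCreated SystemTime="2024-01-02T03:05:00.000Z"/><Channel>Security</Channel><Computer>SRV01</Computer></System><EventData><Data Name="SubjectUserSid">S-1-5-21-1-2-3-1105</Data><Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data><Data Name="SubjectLogonId">0x5a3f1</Data><Data Name="PrivilegeList">SeDebugPrivilege SeBackupPrivilege</Data></EventData></Event>'
)
$records = $SampleXml | ForEach-Object { ConvertTo-PrivilegeRecord ([xml]$_) }
# The SYSTEM event is filtered out; only the CORP\jdoe privileges are listed.
Get-PrivilegeUseSummary -Records $records | Format-Table -AutoSize

# Against the live log on a host where the subcategory is set to Success and Failure:
#   Get-PrivilegeUseSummary -Records (Get-LivePrivilegeRecords) | Select-Object -First 20
```

The filter on the three service SIDs is the triage step that makes the volume manageable; widen `$NoiseSids` with the SIDs of known service accounts in your environment, and look first at interactive users who appear with SeDebugPrivilege, SeTcbPrivilege or SeBackupPrivilege, since those map directly to the user rights the benchmark lists as sensitive.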
Rationale (the same text is given for every audit subcategory below): Auditing these eve…

Audit (the same text is given for every audit subcategory below): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. If no audit settings are configured, or if audit sett…

(L1) Ensure 'Audit Security State Change' is set to 'Success'

Description:
This subcategory reports changes in security state of the system,  such as when the security subsystem starts and stops. Events for this subcategory include:
- 4608: Windows is starting up.
- 4609: Windows is shutting down.
- 4616: The system time was changed.
- 4621: Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to lo…

The recommended state for this setting is: `Success`.

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Success`:
```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit…
```

(L1) Ensure 'Audit Security System Extension' is set to 'Success and Failure'

Description:
This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events for this subcategory include:
- 4610: An authentication package has been loaded by the Local Security Authority.
- 4611: A trusted logon process has been registered with the Local Security Authority.
- 4614: A notification package has been loaded by the Security Account Manager.
- 4622: A security package has been loaded by the Local Security Authority.
- 4697: A service was installed in the system.

The recommended state for this setting is: `Success and Failure`.

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:
```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit…
```

(L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'

Description:
This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include:
- 4612: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some a…
- 4615: Invalid use of LPC port.
- 4618: A monitored security event pattern has occurred.
- 4816: RPC detected an integrity violation while decrypting an incoming message.
- 5038: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized m…
- 5056: A cryptographic self test was performed.
- 5057: A cryptographic primitive operation failed.
- 5060: Verification operation failed.
- 5061: Cryptographic operation.
- 5062: A kernel-mode cryptographic self test was performed.

The recommended state for this setting is: `Success and Failure`.

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:
```
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit…
```
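The audit-policy recommendations above are all expressed as a required Inclusion Setting for one advanced audit subcategory. The following PowerShell is an added example, not part of the CIS benchmark, that reads the effective policy on a host with `auditpol.exe` and reports each subcategory as compliant or not against the recommended states listed on this page. It assumes `auditpol` is available and the shell is elevated (otherwise some subcategories are not reported); the subcategory names in the table are the English names `auditpol` prints, so they need translating on a non-English OS.

```powershell
# Added example: compare the effective advanced audit policy with the recommended states
# from the subcategories above. Not part of the CIS benchmark text. Assumes auditpol.exe
# (English subcategory names) and an elevated PowerShell session.

$Recommended = [ordered]@{
    'Security Group Management'    = 'Success and Failure'
    'Logon'                        = 'Success and Failure'
    'Other Logon/Logoff Events'    = 'Success and Failure'
    'Special Logon'                = 'Success'
    'Other Object Access Events'   = 'Success and Failure'
    'Removable Storage'            = 'Success and Failure'
    'Audit Policy Change'          = 'Success and Failure'
    'Authentication Policy Change' = 'Success'
    'Authorization Policy Change'  = 'Success and Failure'
    'Sensitive Privilege Use'      = 'Success and Failure'
    'IPsec Driver'                 = 'Success and Failure'
    'Other System Events'          = 'Success and Failure'
    'Security State Change'        = 'Success'
    'Security System Extension'    = 'Success and Failure'
    'System Integrity'             = 'Success and Failure'
}

function Get-EffectiveAuditPolicy {
    # auditpol /r emits CSV with the columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $raw = & auditpol.exe /get /category:* /r 2>&1
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed (run elevated?): $raw" }
    # Drop the blank line auditpol prints before the header so ConvertFrom-Csv sees the header first.
    $raw | Where-Object { $_ -match ',' } | ConvertFrom-Csv
}

function Compare-AuditPolicy {
    # One result row per recommended subcategory; Actual is 'not reported' when auditpol did not list it.
    param($Policy = (Get-EffectiveAuditPolicy))
    foreach ($name in $Recommended.Keys) {
        $row    = $Policy | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'not reported' }
        [pscustomobject]@{
            Subcategory = $name
            Recommended = $Recommended[$name]
            Actual      = $actual
            # The benchmark says "set to X", so this is an exact match; 'No Auditing',
            # 'Failure' alone, or 'Success' alone where both are required all fail.
            Compliant   = ($actual -eq $Recommended[$name])
        }
    }
}

Compare-AuditPolicy | Format-Table -AutoSize

# Local remediation when the host is not under Group Policy (a GPO-delivered audit policy
# overrides whatever is set here at the next refresh), e.g. for one subcategory:
#   auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
```

Because the benchmark's Remediation steps are Group Policy paths, treat `auditpol /set` only as a lab or break-glass fix: on a domain member the value shown by `Compare-AuditPolicy` is the effective result of GPO plus local policy, so a non-compliant row points at the GPO that should be changed, not at the host.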
This section contains computer-based recommendations from Group Policy Administrative Templates (ADMX).

This section contains recommendations for Control Panel settings.
This section contains recommendations for Control Panel personalization settings.

This Group Policy section is provided by the Group Policy template `ControlPanelDisplay.admx/adml` that is included with all versions…

(L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'

Description:
Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock scree… If you enable this setting, users will no longer be…

The recommended state for this setting is: `Enabled`.

Rationale:
Disabling the lock…

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Enabled`:
```
Computer Configuration\Policies\Administrative Templates\Control Panel\Personaliza…
```

(L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'

Description:
Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. If you enable this setting, users will no longer be…

The recommended state for this setting is: `Enabled`.

Rationale:
Disabling the lock…

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window…
```

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Enabled`:
```
Computer Configuration\Policies\Administrative Templates\Control Panel\Personaliza…
```

This section contains recommendations for configuring Microsoft Local Administrator Password Solution (LAPS).

In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported softw…

The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Po…

LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not suppor…

**Note:** Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwo…

**Note #2:** LAPS is only designed to manage _local_ Administrator passwords, and is therefore not recommended (or sup…

This Group Policy section is provided by the Group Policy template `AdmPwd.admx/adml` that is included with LAPS.
**Note:** For each LAPS setting below, the Group Policy path does not exist by default. An additional Group Policy template (`AdmPwd.admx/adml`) is required - it is included with LAPS.

(L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed

Description:
In order to utilize LAPS, a minor Active Directory Schema update is required, as well as installation of a Group Po… The LAPS AdmPwd GPO Extension / CSE installation can be verified to be ins…

Rationale:
Due to the difficu…

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This setting is backed by the following registry location and DLL path:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Cu…
C:\Program Files\LAPS\CSE\AdmPwd.dll
```

Impact:
In a disaster recovery scenario where Active Dire…

(L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'

Description:
Planned password expiration longer than…

The recommended state for this setting is: `Enabled`.

Rationale:
Due to the difficu…

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft…
```

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Enabled`:
```
Computer Configuration\Policies\Administrative Templates\LAPS\Do not allow password expiration time longer than required by policy
```

(L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled'

Description:
The recommended state for this setting is: `Enabled`.

Rationale:
Due to the difficu…

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft…
```

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Enabled`:
```
Computer Configuration\Policies\Administrative Templates\LAPS\Enable Local Admin Password Management
```

Impact:
The local administrator password is managed (p…

(L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'

Description:
The recommended state for this setting is: `Enabled: Large letters + small letters + numbers + special characters`.

Rationale:
Due to the difficu…

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft…
```

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Enabled: Large letters + small letters + numbers + special characters`:
```
Computer Configuration\Policies\Administrative Templates\LAPS\Password Settings
```

Impact:
LAPS-generated passwords will be req…

(L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'

Description:
The recommended state for this setting is: `Enabled: 15 or more`.

Rationale:
Due to the difficu…

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft…
```

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Enabled: 15 or more`:
```
Computer Configuration\Policies\Administrative Templates\LAPS\Password Settings
```

Impact:
LAPS-generated passwords will be req…
(L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'

Description:
The recommended state for this setting is: `Enabled: 30 or fewer`.

Rationale:
Due to the difficu…

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft…
```

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Enabled: 30 or fewer`:
```
Computer Configuration\Policies\Administrative Templates\LAPS\Password Settings
```

**Note:** This Group Policy path does not exist by default. An additional Group Policy template (`AdmPwd.admx/adml`) is required - it is included with LAPS.

Impact:
LAPS-generated passwords will be req…

This section contains recommendations for configuring settings from the MS Security Guide.

This Group Policy section is provided by the Group Policy template `SecGuide.admx/adml` that is available from Microsoft…

**Note:** For each MS Security Guide setting below, the Group Policy path does not exist by default. An additional Group Policy template (`SecGuide.admx/adml`) is required - it is…

(L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'

Description:
This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, conn…

**Enabled:** Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Admi…

**Disabled:** Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the `LocalAccountTokenFilterPolicy`…

For more information about local accounts and credential theft, review the "[Mitigating Pass-the-Hash (PtH) Attacks and Ot…

For more information about `LocalAccountTokenFilterPolicy`, see Microsoft Knowledge Base article 951016: [Description o…

The recommended state for this setting is: `Enabled`.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren…
```

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Enabled`:
```
Computer Configuration\Policies\Administrative Templates\MS Security Guide\Apply U…
```

Impact:
None - this is the default behavior.

(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'

Description:
This setting configures the start type for the Server Message Block version 1 (SMBv1) client driver service (`MRxSmb10`), which is recommended to be disabled.

The recommended state for this setting is: `Enabled: Disable driver`.

**Note:** Do not, _under any circumstances_, configure this overall setting as `Disabled`, as doing so will delete the underl…

Rationale:
Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used… More information on this can be found at the following links:

[Stop using SMB1 | Storage at Microsoft](https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-us…)

[Disable SMB v1 in Managed Environments with Group Policy – "Stay Safe" Cyber Security Blog](https:/…)

[Disabling SMBv1 through Group Policy – Microsoft Security Guidance blog](https://blogs.technet.micros…)

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\m…
```

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Enabled: Disable driver`:
```
Computer Configuration\Policies\Administrative Templates\MS Security Guide\Config…
```

Impact:
Some legacy OSes (e.g. Windows XP, S…

(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'

Description:
This setting configures the server-side processing of the Server Message Block version 1 (SMBv1) protocol.

The recommended state for this setting is: `Disabled`.

Rationale:
Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used… More information on this can be found at the links given for the SMB v1 client driver setting above.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\La…
```

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Disabled`:
```
Computer Configuration\Policies\Administrative Templates\MS Security Guide\Config…
```

Impact:
Some legacy OSes (e.g. Windows XP, S…

(L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'

Description:
Windows includes support for Structured Exception Handling Overwrite Protection (SEHOP). We recommend enabling this feature to improve the security profile of the computer.

The recommended state for this setting is: `Enabled`.

Rationale:
This feature de…

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se…
```

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Enabled`:
```
Computer Configuration\Policies\Administrative Templates\MS Security Guide\Enable…
```

More information is available at [MSKB 956607: How to enable Structured Exception…

Impact:
After you enable SEHOP, existing ver…

(L1) Ensure 'WDigest Authentication' is set to 'Disabled'

Description:
When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it ca…

For more information about local accounts and credential theft, review the "[Mitigating Pass-the-Hash (PtH) Attacks and Ot…

For more information about `UseLogonCredential`, see Microsoft Knowledge Base article 2871997: [Microsoft Security Adv…

The recommended state for this setting is: `Disabled`.

Rationale:
Preventing the pla…

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se…
```

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Disabled`:
```
Computer Configuration\Policies\Administrative Templates\MS Security Guide\WDige…
```

Impact:
None - this is also the default confi…
This section contains recommendations for the Microsoft Solutions for Security (MSS) settings.

This Group Policy section is provided by the Group Policy template `MSS-legacy.admx/adml` that is available from this Tec…

**Note:** For each MSS setting below, the Group Policy path does not exist by default. An additional Group Policy…

(L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'

Description:
This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, thi… If you configure a…

For additional information, see Microsoft Knowledge Base article 324737: [How to turn on automatic logon in Windows](http…

The recommended state for this setting is: `Disabled`.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon:AutoAdminLogon
```

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Disabled`:
```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (Auto…
```

Impact:
None - this is the default behavior.

(L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'

Description:
IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through th…

The recommended state for this setting is: `Enabled: Highest protection, source routing is completely disabled`.

Rationale:
An attacker could…

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\T…
```

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Enabled: Highest protection, source routing is completely disabled`:
```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (Disa…
```

Impact:
All incoming source routed packets w…

(L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'

Description:
IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the…

The recommended state for this setting is: `Enabled: Highest protection, source routing is completely disabled`.

Rationale:
An attacker could…

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\T…
```

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Enabled: Highest protection, source routing is completely disabled`:
```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (Disa…
```

Impact:
All incoming source routed packets w…

(L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'

Description:
Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the O…

The recommended state for this setting is: `Disabled`.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\T…
```

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Disabled`:
```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (Enab…
```

Impact:
When Routing and Remote Access Servi…

(L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'

Description:
NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that…

The recommended state for this setting is: `Enabled`.

Rationale:
The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoof… An attacker could send a request over the network and query a computer to release its NetBIOS name. … The result of such an attack could be to cause intermittent connectivity issues on the target computer, or…

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N…
```

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Enabled`:
```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (NoN…
```

Impact:
None - this is the default behavior.

(L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'

Description:
The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways:
- Search folders specified in the system path first, and then search the current working folder.
- Search current working folder first, and then search the folders specified in the system path.

When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in th…

The recommended state for this setting is: `Enabled`.

Rationale:
If a user unknowin…

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se…
```

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Enabled`:
```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (Safe…
```

Impact:
Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these…

(L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'

Description:
Windows includes a grace period between when the screen saver is launched and when the console is actually locked auto…

The recommended state for this setting is: `Enabled: 5 or fewer seconds`.

Rationale:
The default grace…

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Cu…
```

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Enabled: 5 or fewer seconds`:
```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (Scre…
```

Impact:
Users will have to enter their passwo…

(L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'

Description:
This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold.

**Note:** If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will…

The recommended state for this setting is: `Enabled: 90% or less`.

Rationale:
If the Security lo…

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\E…
```

Remediation:
To establish the recommended configuration via GP, set the following UI path to `Enabled: 90% or less`:
```
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (War…
```

Impact:
An audit event will be generated whe…
This section contains recommendations for network settings. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\E
```
accepted **Note:** If log settings are configured to Overwrite events ``` as needed or Overwrite events older than x days, this event will
**Note:** This Group Policy path does not exist by default. An additional Group Policy
Group Policy
This section section isblank
is intentionally providedand by existsthe to Group
ensure Policy template `Windows.admx/adml`
the structure of Windows benchmarks that is is included with all versions
consistent.
accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure template `Bits.admx/adml`
the structure that is included
of Windows benchmarks with all versions of the
is consistent.
accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure template `PeerToPeerCaching.admx/adml`
the structure that is included with
of Windows benchmarks is consistent.
accepted
This Group Policy section is provided by the Group Policy template `nca.admx/adml` that is included with the Microsoft 8.0
- A B-node (broadcast) system only uses broadcasts.
- A P-node (point-to-point) system uses only name queries to a name server (WINS).
- An M-node (mixed) system broadcasts first, then queries the name server (WINS).
- An H-node (hybrid) system queries the name server (WINS) first, then broadcasts.

The recommended state for this setting is: `NodeType 0x2 (2)`.

full

In order to help m

In the event DNS is unavailable a sy

**Note:** This change does not take effect until the computer has been restarted.

**Note #2:** Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (`Set-NetBIOS-node-type-KB160177.adm`) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not "undo" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state.

This section contains recommendations related to DNS Client.

This Group Policy section is provided by the Group Policy template `DnsClient.admx/adml` that is included with all versions

accepted

multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible.

full

An attacker can listen on a network for these LLMNR (UDP/5355) or NBT-NS (UDP/137) broadcasts and

**Note:** To completely mitigate local name resolution poisoning, in addition to this setting, the propertie

```
Computer Configuration\Policies\Administrative Templates\Network\DNS Client\Turn off multicast name resolution
```

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group Policy template `DnsClient.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with the Micro

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `hotspotauth.admx/adml` that is included with the Micro

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `LanmanServer.admx/adml` that is included with the M

This section contains recommendations for Link-Layer Topology Discovery settings.

This Group Policy section is provided by the Group Policy template `LanmanWorkstation.admx/adml` that is included with t

accepted

This section contains recommendations for Microsoft Peer-to-Peer Networking Services settings.

This Group Policy section is provided by the Group Policy template `LinkLayerTopologyDiscovery.admx/adml` that is includ

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `P2P-pnrp.admx/adml` that is included with all versions

accepted

This section contains recommendations for Network Connections settings.

This Group Policy section is provided by the Group Policy template `P2P-pnrp.admx/adml` that is included with all versions

accepted

You can use this procedure to control a user's ability to install and configure a Network Bridge.

The recommended state for this setting is: `Enabled`.

full

The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) br

In an enterprise managed environment, where there is a need to control a network's traffic to only authorize

Users cannot create or configure a N

This Group Policy section is provided by the Group Policy template `NetworkConnections.admx/adml` that is included with

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Network\Network Connect
```

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

This policy setting determines whether to require domain users to elevate when setting a network location.

The recommended state for this setting is: `Enabled`.

full

Allowing regular u

Domain users must elevate when setti

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Network\Network Connect
```

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path is provided by the Group Policy template `NetworkCo

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `WindowsFirewall.admx/adml` that is included with all v

**Note:** This Group Policy path may not exist by default. It is provided by the Group

accepted

**Note:** This section was initially named _Windows Firewall_ but was renamed by Microsoft to _Windows Defender Firew

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `NCSI.admx/adml` that is included with all versions of t
In February 2015, Microsoft released a new control mechanism to mitigate a security risk in Group Polic

Once the new GPO template is in place, the following are the minimum requirements to remediate the G

This policy setting configures secure access to UNC paths.

The recommended state for this setting is: `Enabled, with "Require Mutual Authentication" and "Require Integrity" set for al

`\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1`

`\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1`

full

Windows only allows access to the spe

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Network\Network Provider
```

`\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1`

`\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1`

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** If the environment exclusively contains Windows 8.0 / Server 2012 or higher systems, then the "`Privacy`" setting

**Note:** A reboot may be required after the setting is applied to a client machine to access the above p

**Note:** This Group Policy path does not exist by default. An additional Group Policy

Additional guidance on the deployment of this security setting is available from the Microsoft Premier Fie

accepted

This section contains recommendations for Network Provider settings.

This Group Policy section is provided by the Group Policy template `NetworkIsolation.admx/adml` that is included with the

accepted

This Group Policy section is provided by the Group Policy template `NetworkProvider.admx/adml` that is included with the

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `OfflineFiles.admx/adml` that is included with all version

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `QOS.admx/adml` that is included with all versions of th

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Snmp.admx/adml` that is included with all versions of t

accepted
This section contains TCP/IP settings.

This Group Policy section is provided by the Group Policy template `CipherSuiteOrder.admx/adml` that is included with all

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `tcpip.admx/adml` that is included with the Microsoft W

accepted
This section contains TCP/IP configuration parameter settings.

This Group Policy section is provided by the Group Policy template `tcpip.admx/adml` that is included with the Microsoft W

accepted
This section contains recommendations for Windows Connect Now settings.

This Group Policy section is provided by the Group Policy template `tcpip.admx/adml` that is included with the Microsoft W

accepted
This section contains recommendations for Windows Connection Manager settings.

This Group Policy section is provided by the Group Policy template `WindowsConnectNow.admx/adml` that is included with

accepted

This policy setting prevents computers from connecting to both a domain based network and a non-domain based network

The recommended state for this setting is: `Enabled`.

full

Blocking simultane

None - this is the default behavior.

This Group Policy section is provided by the Group Policy template `WCM.admx/adml` that is included with the Microsoft W

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\Network\Windows Connec
```

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions

**Note:** This Group Policy path may not exist by default. It is provided by the Group

accepted
This section contains recommendations for System settings.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with the Microso

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `srm-fci.admx/adml` that is included with the Microsoft W

accepted
This section contains settings related to auditing of process creation events.

This Group Policy section is provided by the Group Policy template `appv.admx/adml` that is included with the Microsoft W

accepted
This Group Policy section is provided by the Group Policy template `AuditSettings.admx/adml` that is included with the Mic

This policy setting determines what information is logged in security audit events when a new process has been created.

The recommended state for this setting is: `Disabled`.

full

When this policy s

None - this is the default behavior.

To establish the recommended configuration via GP, set the following UI path to `Disa

```
Computer Configuration\Policies\Administrative Templates\System\Audit Process Cre
```

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```

This section contains settings related to Credential Delegation.

This Group Policy section is provided by the Group Policy template `CredSsp.admx/adml` that is included with all versions

accepted

Remote host allows delegation of non-exportable credentials. When using credential delegation, devices provide an export

_Restricted Admin Mode_ was designed to help protect administrator accounts by ensuring that reusabl

_Windows Defender Remote Credential Guard_ helps you protect your credentials over a Remote Desk

Both features should be enabled and supported, as they reduce the chance of credential theft.

The recommended state for this setting is: `Enabled`.

full

The host will support the _Restric

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Credentials Deleg
```

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

**Note:** More detailed information on Windows Defender Remote Credential Guard and how it compares to Restricted Ad

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DeviceGuard.admx/adml` that is included with the Mic

**Note:** This Group Policy path may not exist by default. It is provided by the Group

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `TPM.admx/adml` that is included with the Microsoft W
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DeviceInstallation.admx/adml` that is included with all

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DeviceRedirection.admx/adml` that is included with the

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DiskNVCache.admx/adml` that is included with all vers

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DiskQuota.admx/adml` that is included with all version

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Display.admx/adml` that is included with the Microsoft

accepted
This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an E
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `DCOM.admx/adml` that is included with all versions of

accepted
- `Good`: The driver has been signed and has not been tampered with.
This section contains recommendations for configuring boot-start driver initialization settings.

This Group Policy section is provided by the Group Policy template `DeviceInstallation.admx/adml` that is included with all

To establish the recommended configuration via GP, set the following UI path to `Ena
- `Bad`: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initiali
accepted

Navigate to the UI Path articulated in the Remediation section and
- `Bad, but required for boot`: The driver has been identified as malware, but the computer cannot successfully boot withou
This Group Policy section is provided by the Group Policy template `EarlyLaunchAM.admx/adml` that is included with the M
- `Unknown`: This driver has not been attested to by your malware detection application and has not been classified by the
full

This policy settin

None - this is the default behavior.

```
Computer Configuration\Policies\Administrative Templates\System\Early Launch Antim
```

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Ea
```
If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `EnhancedStorage.admx/adml` that is included with the

**Note:** This Group Policy path may not exist by default. It is provided by the Group
If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launc
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `srm-fci.admx/adml` that is included with the Microsoft W
The recommended state for this setting is: `Enabled: Good, unknown and bad but critical`.
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `FileServerVSSAgent.admx/adml` that is included with
accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy templates `FileServerVSSProvider.admx/adml` that is included w

accepted

This Group Policy section is provided by the Group Policy template `FileSys.admx/adml` that is included with all versions o

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted

**Note:** This section was initially named _NTFS Filesystem_ but was renamed by Microsoft to _Filesystem_ starting with
This section contains recommendations for configuring group policy-related settings.

This Group Policy section is provided by the Group Policy template `FolderRedirection.admx/adml` that is included with all

accepted

This "Do not apply during periodic background processing" option prevents the system from updating affected policies in th

The recommended state for this setting is: `Enabled: FALSE` (unchecked).

full

Setting this optio

Group Policies will be reapplied eve

This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with all versio

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Conf
```

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies

The recommended state for this setting is: `Enabled: TRUE` (checked).

full

Setting this optio

Group Policies will be reapplied eve

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Conf
```

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Gr

The recommended state for this setting is: `Disabled`.

full

This setting ensur

None - this is the default behavior.

To establish the recommended configuration via GP, set the following UI path to `Disa

```
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Turn
```

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted
This section contains recommendations related to Internet Communication Management.

This Group Policy section is provided by the Group Policy template `GroupPolicyPreferences.admx/adml` that is included w

**Note:** This Group Policy path is provided by the Group Policy template `GroupPoli

accepted
This section contains recommendations related to Internet Communication settings.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions

accepted

This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing,

The recommended state for this setting is: `Enabled`.

full

Users might downlo

Print drivers cannot be downloaded over HTTP.

This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Internet Communi
```

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering w

The recommended state for this setting is: `Enabled`.

full

Although the risk

Windows is prevented from downloadin

**Note:** This policy setting does not prevent the

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Internet Communi
```

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```

**Note:** This Group Policy path is provided by the Group Policy template `ICM.admx

This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to Int

The recommended state for this setting is: `Enabled`.

full

Information that i

The client computer will not be able to print

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Internet Communi
```

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path is provided by the Group Policy template `ICM.admx

**Note:** This policy setting affects the client side

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `iSCSI.admx/adml` that is included with all versions of t

**Note:** This Group Policy path is provided by the Group Policy template `ICM.admx

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `KDC.admx/adml` that is included with the Microsoft W
This section contains recommendations for Locale Services settings.

This Group Policy section is provided by the Group Policy template `Kerberos.admx/adml` that is included with all versions

accepted
This Group Policy section is provided by the Group Policy template `Globalization.admx/adml` that is included with all versi
This section contains recommendations related to the logon process and lock screen.

To establish the recommended configuration via GP, set the following UI path to `Ena

accepted

Navigate to the UI Path articulated in the Remediation section and
This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.

The recommended state for this setting is: `Enabled`.

full

An unauthorized us

The PC's network connectivity state

This Group Policy section is provided by the Group Policy template `Logon.admx/adml` that is included with all versions of

```
Computer Configuration\Policies\Administrative Templates\System\Logon\Do not disp
```

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

This policy setting prevents connected users from being enumerated on domain-joined computers.

The recommended state for this setting is: `Enabled`.

full

A malicious user c

The Logon UI will not enumerate an

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Logon\Do not enu
```

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This policy setting allows local users to be enumerated on domain-joined computers.

The recommended state for this setting is: `Disabled`.

full

A malicious user c

None - this is the default behavior.

To establish the recommended configuration via GP, set the following UI path to `Disa

```
Computer Configuration\Policies\Administrative Templates\System\Logon\Enumerate
```

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This policy setting allows you to prevent app notifications from appearing on the lock screen.

The recommended state for this setting is: `Enabled`.

full

App notifications

No app notifications are displayed on the lock screen.

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Logon\Turn off ap
```

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This policy setting allows you to control whether a domain user can sign in using a picture password.

The recommended state for this setting is: `Enabled`.

full

Picture passwords

If the picture password feature is permitted, the user's domain password is cached in the system vault when using

Users will not be able to set up or si

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Logon\Turn off pic
```

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, conve

The recommended state for this setting is: `Disabled`.

full

A PIN is created f

None - this is the default behavior.

**Note:** The user's domain password will be cached in the system vault when using this feature.

To establish the recommended configuration via GP, set the following UI path to `Disa

```
Computer Configuration\Policies\Administrative Templates\System\Logon\Turn on con
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

**Note:** This Group Policy path may not exist by default. It is provided by the Group
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with the Micro

accepted

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Netlogon.admx/adml` that is included with all versions

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `OSPolicy.admx/adml` that is included with the Microso

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `PerfCenterCPL.admx/adml` that is only included with t

accepted
This section contains recommendations for Power Management settings.

This Group Policy section is provided by the Group Policy template `Passport.admx/adml` that is included with the Microso

accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with the Microsoft W

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of

accepted

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of

accepted
This section contains recommendations related to Power Management Sleep mode.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with the Microsoft W

accepted

Specifies whether or not the user is prompted for a password when the system resumes from sleep.

The recommended state for this setting is: `Enabled`.

full

Enabling this sett

None - this is the default behavior.

This Group Policy section is provided by the Group Policy template `Power.admx/adml` that is included with all versions of

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Power Manageme
```

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\P
```

Specifies whether or not the user is prompted for a password when the system resumes from sleep.

The recommended state for this setting is: `Enabled`.

full

Enabling this sett

None - this is the default behavior.

To establish the recommended configuration via GP, set the following UI path to `Ena

```
Computer Configuration\Policies\Administrative Templates\System\Power Manageme
```

Navigate to the UI Path articulated in the Remediation section and

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\P
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

accepted
**Note:** This Group Policy path may not exist by default. It is provided by the Group
This Group Policy section is provided by the Group Policy template `ReAgent.admx/adml` that is included with the Microso
This section contains recommendations related to Remote Assistance.
accepted
Navigate to the UI Path articulated in the Remediation section and
This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.
This Group Policy section is provided by the Group Policy template `RemoteAssistance.admx/adml` that is included with al
To establish the recommended configuration via GP, set the following UI path to `Disa
full
A user might be tr
Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user ass
None - this is the default behavior.
```
Computer Configuration\Policies\Administrative Templates\System\Remote Assistanc
```
The recommended state for this setting is: `Disabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
Navigate to the UI Path articulated in the Remediation section and
This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.
The recommended state for this setting is: `Disabled`.
To establish the recommended configuration via GP, set the following UI path to `Disa
full
There is slight ri
Users on this computer cannot use e-
```
Computer Configuration\Policies\Administrative Templates\System\Remote Assistanc
```
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This Group Policy path may not exist by default. It is provided by the Group
This section contains recommendations related to Remote Procedure Call.
To establish the recommended configuration via GP, set the following UI path to `Ena
accepted
Navigate to the UI Path articulated in the Remediation section and
This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are mak
This Group Policy section is provided by the Group Policy template `RPC.admx/adml` that is included with all versions of th
**Note:** This policy will not be in effect until the system is rebooted.
The recommended state for this setting is: `Enabled`.
full
Anonymous access t
RPC clients will authenticate to the
```
Computer Configuration\Policies\Administrative Templates\System\Remote Procedure
```
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This Group Policy path may not exist by default. It is provided by the Group
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
**Note:** This Group Policy path may not exist by default. It is provided by the Group
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `RemovableStorage.admx/adml` that is included with a
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Scripts.admx/adml` that is included with all versions of
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ServerManager.admx/adml` that is included with all ve
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinInit.admx/adml` that is included with the Microsoft
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Winsrv.admx/adml` that is included with all versions of
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `StorageHealth.admx/adml` that is included with the Mi
accepted
This Group Policy section is provided by the Group Policy template `SystemRestore.admx/adml` that is included with all ve
This section contains recommendations related to Troubleshooting and Diagnostics.
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `pca.admx/adml` that is included with all versions of the
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FileRecovery.admx/adml` that is included with all versi
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DiskDiagnostic.admx/adml` that is included with all ver
accepted
This section contains recommendations related to the Microsoft Support Diagnostic Tool.
This Group Policy section is provided by the Group Policy template `fthsvc.admx/adml` that is included with the Microsoft W
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MSDT.admx/adml` that is included with all versions of
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Msi-FileRecovery.admx/adml` that is included with the
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `sdiagschd.admx/adml` that is included with the Micros
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `sdiageng.admx/adml` that is included with the Microso
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `PerformanceDiagnostics.admx/adml` that is included w
accepted
This section contains recommendations related to Windows Performance PerfTrack.
This Group Policy section is provided by the Group Policy template `LeakDiagnostic.admx/adml` that is included with all ve
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `PerformancePerftrack.admx/adml` that is included with
accepted
This section contains recommendations related to User Profiles.
This Group Policy section is provided by the Group Policy template `TPM.admx/adml` that is included with all versions of th
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `UserProfiles.admx/adml` that is included with all versio
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsFileProtection.admx/adml` that is included wi
accepted
This section contains recommendations related to the Windows Time Service.
This Group Policy section is provided by the Group Policy template `HotStart.admx/adml` that is only included with the Micr
accepted
This section contains recommendations related to Time Providers.
This Group Policy section is provided by the Group Policy template `W32Time.admx/adml` that is included with all versions
accepted
This section contains recommendations for Windows Component settings.
This Group Policy section is provided by the Group Policy template `W32Time.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `adfs.admx/adml` that is only included with the Microso
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ActiveXInstallService.admx/adml` that is included with
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsAnytimeUpgrade.admx/adml` that is included
**Note:** This section was initially named _Windows Anytime Upgrade_ but was renamed by Microsoft to _Add features to
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AppxPackageManager.admx/adml` that is included wit
accepted
This section contains recommendations for App runtime settings.
This Group Policy section is provided by the Group Policy template `AppPrivacy.admx/adml` that is included with the Micro
accepted
Navigate to the UI Path articulated in the Remediation section and
This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an accoun
This Group Policy section is provided by the Group Policy template `AppXRuntime.admx/adml` that is included with the Mic
To establish the recommended configuration via GP, set the following UI path to `Ena
full
Enabling this sett
Windows Store apps that typically requ
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Ap
```
The recommended state for this setting is: `Enabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This section contains recommendations for AutoPlay policies.
This Group Policy section is provided by the Group Policy template `AppCompat.admx/adml` that is included with all versio
**Note:** This Group Policy path may not exist by default. It is provided by the Group
accepted
Navigate to the UI Path articulated in the Remediation section and
This policy setting disallows AutoPlay for MTP devices like cameras or phones.
This Group Policy section is provided by the Group Policy template `AutoPlay.admx/adml` that is included with all versions
The recommended state for this setting is: `Enabled`.
To establish the recommended configuration via GP, set the following UI path to `Ena
full
An attacker could
AutoPlay will not be allowed for MTP
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Au
```
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
Navigate to the UI Path articulated in the Remediation section and
This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in `autorun.inf
The recommended state for this setting is: `Enabled: Do not execute any autorun commands`.
To establish the recommended configuration via GP, set the following UI path to `Ena
full
Prior to Windows V
AutoRun commands will be completel
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Au
```
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```
**Note:** This Group Policy path may not exist by default. It is provided by the Group
Navigate to the UI Path articulated in the Remediation section and
Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or au
**Note:** You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such a
The recommended state for this setting is: `Enabled: All drives`.
full
An attacker could
Autoplay will be disabled - users wil
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Au
```
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```
**Note:** This Group Policy path may not exist by default. It is provided by the Group
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
**Note:** This Group Policy path may not exist by default. It is provided by the Group Policy template `AutoPlay.a
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `UserDataBackup.admx/adml` that is only included with
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Biometrics.admx/adml` that is included with the Micros
accepted
This Group Policy section is provided by the Group Policy template `VolumeEncryption.admx/adml` that is included with all
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Camera.admx/adml` that is included with the Microsoft
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CloudContent.admx/adml` that is included with the Mic
This section contains recommendations related to the Credential User Interface.
This Group Policy section is provided by the Group Policy template `WirelessDisplay.admx/adml` that is included with the M
accepted
Navigate to the UI Path articulated in the Remediation section and
This policy setting allows you to configure the display of the password reveal button in password entry user experiences.
This Group Policy section is provided by the Group Policy template `CredUI.admx/adml` that is included with all versions of
The recommended state for this setting is: `Enabled`.
To establish the recommended configuration via GP, set the following UI path to `Ena
full
This is a useful f
The password reveal button will not
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Cre
```
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
Navigate to the UI Path articulated in the Remediation section and
This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running applica
The recommended state for this setting is: `Disabled`.
To establish the recommended configuration via GP, set the following UI path to `Disa
full
Users could see th
None - this is the default behavior.
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Cre
```
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```
**Note:** This Group Policy path may not exist by default. It is provided by the Group
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This Group Policy path is provided by the Group Policy template `CredUI.ad
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with the Microso
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DeliveryOptimization.admx/adml` that is included with
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Sidebar.admx/adml` that is included with the Microsoft
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DWM.admx/adml` that is included with all versions of t
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DeviceCompat.admx/adml` that is included with the M
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WorkplaceJoin.admx/adml` that is included with the M
**Note:** This section was initially named _Workplace Join_ but was renamed by Microsoft to _Device Registration_ startin
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DigitalLocker.admx/adml` that is included with all versi
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EdgeUI.admx/adml` that is included with the Microsoft
accepted
This section contains recommendations for configuring Microsoft Enhanced Mitigation Experience Toolkit (EMET).
This Group Policy section is provided by the Group Policy template `EMET.admx/adml` that is included with EME
The Enhanced Mitigation Experience Toolkit (EMET) is free and supported security software developed by Microsoft that allows an enterprise to apply exploit mitigations
**Note #2:** Microsoft EMET has been reported to be very problematic on 32-bit OSes - we only recommend using it with 64-bit OSe
accepted
Navigate to `Control Panel\Program\Programs and Featu
EMET is free and supported security software developed by Microsoft that allows an enterprise to apply exploit mitigations
More information on EMET, including download and User Guide, can be obtained here:
[Enhanced Mitigation Experience Toolkit - EMET - TechNet Security](https://technet.microsoft.com/en-us/security/jj653751
**Note:** Although EMET is quite effective at enhancing exploit protection on Windows server OSes prior to Server 2016, it
**Note #2:** Microsoft EMET has been reported to be very problematic on 32-bit OSes - we only recommend using it with 64-bit OSe
**Note #3:** Microsoft has announced that EMET will be End-Of-Life (EOL) on July 31, 2018. This does not mean the softw
full
Install EMET 5.52
Navigate to the UI Path articulated in the Remediation section and
This setting configures the default action after detection and advanced ROP mitigation.
The recommended state for this setting is: `Enabled`.
The advanced ROP mitigations to apply to all configured software in EMET:
- Deep Hooks - `Enabled`
- Anti Detours - `Enabled`
- Banned Functions - `Enabled`
- Exploit Action - `User Configured`
To establish the recommended configuration via GP, set the following UI path to `Ena
full
Default Action and Mitigation Settings - `Enabled`
- **Deep Hooks** protects critical APIs and the subsequent lower level APIs used by the top level critica
- **Anti Detours** renders exploits ineffective that evade hooks by executing a copy of the hooked functi
- **Banned Functions** will block calls to `ntdll!LdrHotPatchRoutine` to mitigate potential exploits abusin
The advanced mitigations available in
```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\S
```
**Note:** This Group Policy path does not exist by default. An additional Group Policy
Navigate to the UI Path articulated in the Remediation section and
This setting determines if recommended EMET mitigations are applied to Internet Explorer.
The recommended state for this setting is: `Enabled`.
To establish the recommended configuration via GP, set the following UI path to `Ena
full
Applying EMET miti
EMET mitigations will be applied to I
```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\D
```
**Note:** This Group Policy path does not exist by default. An additional Group Policy
Navigate to the UI Path articulated in the Remediation section and
This setting determines if recommended EMET mitigations are applied to the following popular software:
- 7-Zip
- Adobe Photoshop
- Foxit Reader
- Google Chrome
- Google Talk
- iTunes
- Microsoft Live Writer
- Microsoft Lync Communicator
- Microsoft Photo Gallery
- Microsoft SkyDrive
- mIRC
- Mozilla Firefox
- Mozilla Thunderbird
- Opera
- Pidgin
- QuickTime Player
- RealPlayer
- Safari
- Skype
- VideoLAN VLC
- Winamp
- Windows Live Mail
- Windows Media Player
- WinRAR
- WinZip
To establish the recommended configuration via GP, set the following UI path to `Ena
full
Applying EMET miti
EMET mitigations will be applied to th
```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\D
```
**Note:** This Group Policy path does not exist by default. An additional Group Policy
Navigate to the UI Path articulated in the Remediation section and
This setting determines if recommended EMET mitigations are applied to the following software:
- Adobe Acrobat
- Adobe Acrobat Reader
- Microsoft Office suite applications
- Oracle Java
- WordPad
The recommended state for this setting is: `Enabled`.
To establish the recommended configuration via GP, set the following UI path to `Ena
full
Applying EMET miti
EMET mitigations will be applied to
```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\D
```
**Note:** This Group Policy path does not exist by default. An additional Group Policy
Navigate to the UI Path articulated in the Remediation section and
This setting determines how applications become enrolled in Address Space Layout Randomization (ASLR).
The recommended state for this setting is: `Enabled: Application Opt-In`.
To establish the recommended configuration via GP, set the following UI path to `Ena
full
ASLR reduces the p
ASLR protections will be enabled on
```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\S
```
**Note:** This Group Policy path does not exist by default. An additional Group Policy
Navigate to the UI Path articulated in the Remediation section and
This setting determines how applications become enrolled in Data Execution Protection (DEP).
The recommended state for this setting is: `Enabled: Application Opt-Out`.
To establish the recommended configuration via GP, set the following UI path to `Ena
full
DEP marks pages of
DEP protections will be enabled on *a
```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\S
```
**Note:** This Group Policy path does not exist by default. An additional Group Policy
This setting determines how applications become enrolled in Structured Exception Handler Overwrite Protection (SEHOP).
The recommended state for this setting is: `Enabled: Application Opt-Out`.
full
When a software co
SEHOP protections will be enabled on
```
Computer Configuration\Policies\Administrative Templates\Windows Components\EM
```
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\S
```
**Note:** This Group Policy path does not exist by default. An additional Group Policy
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EventForwarding.admx/adml` that is included with the
accepted
This section contains recommendations for configuring the Event Log Service.
accepted
To establish the recommended configuration via GP, set the following UI path to `Disa
Group Policy
This section section
contains is provided by for
recommendations theconfiguring
Group Policy thetemplate
Application`EventLog.admx/adml`
Event Log. that is included with all versions
accepted The recommended
This state forEvent
policy setting controls this setting
LogTo``` is: `Enabled`.
behavior
establish when the the Navigate
log file reaches
recommended to the UIitsPath
maximum
configuration articulated
size.set
via GP, in thetheRemediation
following UI path section and
to `Ena
This Group Policy section is providedComputer by the Group Policy template `EventLog.admx/adml`
Configuration\Policies\Administrative that is includedComponents\Eve
Templates\Windows with all versions
full The recommendedIfstate new forevents
this are
setting
``` is: `Disabled`. Navigate ``` None
to the UI When -event
this islogs
Path articulated theinfill
default
the behavior.
to Remediation
capacity, theysection
will stop
and
rec
This policy setting specifies the maximum Computersize of the logHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
Configuration\Policies\Administrative
file in kilobytes. The maximum Templates\Windows
log file size can beComponents\Eve
configured betw
full **Note:** Old events may orare
If events may not To
not **Note:**
be establish
``` retained Thisaccording
Group
the ```
```Policy
to thepath
recommended _Backup
is provided
log consequence
The
configuration automatically
by
viatheGP,Group when
setof Policy
this
the full_
template
policyUI setting.
configuration
following `EventLog.
pathis that old
to `Disa
The recommended
This section contains state for this setting is:
recommendations for`Enabled:
configuring 32,768
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
the or greater`.
Security Event Log.
accepted This policy setting controls Event LogTo **Note
**Note:**
```
behavior #2:**
establishThis
when In
theolder
Group
the Microsoft
```log
Policy
Navigate
recommended Windows
path
file reaches
to theisUIprovided
its PathAdministrative
Ideally,
maximum
configuration by
all
viathe
articulated
size.
GP, inTemplates,
specifically
Group
set the Policy
the monitored thisevents
template
Remediation
following setting
UI was
`EventLog.
should
section
path to andinib
`Ena
This Group Policy section is providedComputer by the Group Policy template `EventLog.admx/adml`
Configuration\Policies\Administrative that is includedComponents\Eve
Templates\Windows with all versions
full The recommendedIfstate new forevents
this are **Note
setting
``` #2:** In older
is: `Disabled`. ```Microsoft
Navigate Windows
to the None
UI When
PathAdministrative
-event
this islogs
articulated Templates,
theinfill
default
the this
behavior.
to Remediation
capacity, setting
they section was
will stop
andini
rec
This policy setting specifies the maximum Computersize of the logHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
Configuration\Policies\Administrative
file in kilobytes. The maximum Templates\Windows
log file size can beComponents\Eve
configured betw
full **Note:** Old events may orare
If events may not To
not **Note:**
be establish
``` retained Thisaccording
Group
the ```
```Policy
to thepath
recommended _Backup
is provided
log consequence
The
configuration automatically
by
viatheGP,Group when
setof Policy
this
the full_
template
policyUI setting.
configuration
following `EventLog.
pathis that old
to `Disa
The recommended
This section contains state for this setting is:
recommendations for`Enabled:
configuring 196,608
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
the or greater`.
Setup Event Log.
accepted This policy setting controls Event LogTo **Note
**Note:**
```
behavior #2:**
establishThis
when In
theolder
Group
the Microsoft
```log
Policy
recommended
Navigate Windows
path
file reaches
to theisUIprovided
configuration
its PathAdministrative
Ideally,
maximum by
all
viathe
articulated
GP,
size. inTemplates,
specifically
Group
set the Policy
the monitored thisevents
template
Remediation
following setting
UI path was
`EventLog.
should
sectionto inib
`Ena
and
This Group Policy section is providedComputer by the Group Policy template `EventLog.admx/adml`
Configuration\Policies\Administrative that is includedComponents\Eve
Templates\Windows with all versions
full The recommendedIfstate new forevents
this are **Note
setting
``` #2:** In older
is: `Disabled`. ```Microsoft
Navigate Windows
to the None
UI When
PathAdministrative
-event
this islogs
articulated Templates,
theinfill
default
the this
behavior.
to Remediation
capacity, setting
they section was
will stop
andini
rec
This policy setting specifies the maximum Computersize of the logHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
Configuration\Policies\Administrative
file in kilobytes. The maximum Templates\Windows
log file size can beComponents\Eve
configured betw
full **Note:** Old events may orare
If events may not ```
not **Note:**
be retained Thisaccording
Group ```
```Policy
to thepath_Backup
is provided
log consequence
The automatically
by the Group when
of Policy
this full_
template
policy setting.
configuration `EventLog.
is that old
The recommended state for this setting is: `Enabled: 32,768 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
or greater`.
**Note #2:**
**Note:** ThisInGroup
**Note:** This Group Policy path is provided by the Group Policy template `EventLog.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini

Ideally, all specifically monitored events should

To establish the recommended configuration via GP, set the following UI path to `Disabled`:

This section contains recommendations for configuring the System Event Log. accepted

This policy setting controls Event Log behavior when the log file reaches its maximum size. full

The recommended state for this setting is: `Disabled`.

If new events are

When event logs fill to capacity, they will stop rec

None - this is the default behavior.

Navigate to the UI Path articulated in the Remediation section and

To establish the recommended configuration via GP, set the following UI path to `Disabled`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Eve
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path is provided by the Group Policy template `EventLog.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini

This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured betw full

**Note:** Old events may or may not be retained according to the _Backup log automatically when full_ policy setting.

The recommended state for this setting is: `Enabled: 32,768 or greater`.

If events are not

The consequence of this configuration policy setting is that old

Navigate to the UI Path articulated in the Remediation section and

To establish the recommended configuration via GP, set the following UI path to `Enabled: 32,768 or greater`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Eve
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path is provided by the Group Policy template `EventLog.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini

Ideally, all specifically monitored events should
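As an added example (not part of the CIS benchmark text), the following PowerShell audits the effective size and retention of the local event logs and compares them with the two System Event Log recommendations above. The policy registry key and value names (`MaxSize` in KB, `Retention` as a string where `"0"` means overwrite as needed) are assumed from Microsoft's `EventLog.admx`; the page only shows that registry path truncated.

```powershell
# Added example, not from the benchmark. Assumed (not quoted by the page):
# the policy key HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\<log> with
# DWORD MaxSize (KB) and REG_SZ Retention ("0" = overwrite as needed),
# as defined in EventLog.admx. Run elevated (the Security log needs it).
function Test-CisEventLog {
    param(
        [string]$LogName   = 'System',
        [int]   $MinSizeKB = 32768,     # benchmark: "32,768 or greater"
        [switch]$Remediate
    )

    # Effective state of the live log, i.e. what the Event Log service enforces now.
    $log    = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    $sizeKB = [int]($log.MaximumSizeInBytes / 1KB)

    # LogMode: Circular = overwrite oldest events when full (the "Disabled" state of
    # the first recommendation); Retain = stop logging when full; AutoBackup = archive.
    $sizeOk = $sizeKB -ge $MinSizeKB
    $modeOk = $log.LogMode -eq 'Circular'

    # Group Policy values, when present, override the local configuration at the
    # next refresh, so report them alongside the effective values.
    $policy = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\$LogName" `
                               -ErrorAction SilentlyContinue

    if ($Remediate -and -not ($sizeOk -and $modeOk)) {
        # Local remediation only; in a domain the GPO is the authoritative fix.
        # wevtutil handles classic and modern logs alike; /ms is bytes, /rt:false
        # is "overwrite events as needed".
        & wevtutil.exe sl $LogName "/ms:$($MinSizeKB * 1KB)" /rt:false
        $log    = Get-WinEvent -ListLog $LogName
        $sizeKB = [int]($log.MaximumSizeInBytes / 1KB)
        $sizeOk = $sizeKB -ge $MinSizeKB
        $modeOk = $log.LogMode -eq 'Circular'
    }

    [pscustomobject]@{
        Log             = $LogName
        EffectiveSizeKB = $sizeKB
        EffectiveMode   = $log.LogMode
        PolicyMaxSizeKB = $policy.MaxSize      # $null when no GPO sets it
        PolicyRetention = $policy.Retention    # expect "0"
        SizeCompliant   = $sizeOk
        ModeCompliant   = $modeOk
    }
}

# Audit the four logs the benchmark covers; add -Remediate to fix a local log.
'Application', 'Security', 'Setup', 'System' |
    ForEach-Object { Test-CisEventLog -LogName $_ } |
    Format-Table -AutoSize
```

A `$null` in `PolicyMaxSizeKB` means the GPO is not applied to this host; that is still a finding for the "Enabled: 32,768 or greater" control, because the benchmark audits the policy path, not the locally configured size.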
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted

This Group Policy section is provided by the Group Policy template `EventLogging.admx/adml` that is included with the Mic

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted

This Group Policy section is provided by the Group Policy template `EventViewer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted

This Group Policy section is provided by the Group Policy template `ParentalControls.admx/adml` that is only included with

**Note:** This section was initially named _Parental Controls_ but was renamed by Microsoft to _Family Safety_ starting with

This section contains recommendations to control the availability of options such as menu items and tabs in dialog boxes. accepted

This Group Policy section is provided by the Group Policy template `WindowsExplorer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

**Note:** This section was initially named _Windows Explorer_ but was renamed by Microsoft to _File Explorer_ starting with

Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. full

The recommended state for this setting is: `Disabled`.

Data Execution Pre

None - this is the default behavior.

**Note:** Some legacy plug-in applications and other software may not function with Data Execution Prevention and will req

Navigate to the UI Path articulated in the Remediation section and

To establish the recommended configuration via GP, set the following UI path to `Disabled`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\File
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

Without heap termination on corruption, legacy plug-in applications may continue to function when a File Explorer session h full

The recommended state for this setting is: `Disabled`.

Allowing an applic

None - this is the default behavior.

Navigate to the UI Path articulated in the Remediation section and

To establish the recommended configuration via GP, set the following UI path to `Disabled`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\File
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full f full

The recommended state for this setting is: `Disabled`.

Limiting the openin

None - this is the default behavior.

To establish the recommended configuration via GP, set the following UI path to `Disabled`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\File
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```

**Note:** This Group Policy path is provided by the Group Policy template `Explorer.a
**Note:** This Group Policy path is provided by the Group Policy template `WindowsE

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `PreviousVersions.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `FileHistory.admx/adml` that is included with the Micros

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `FindMy.admx/adml` that is included with the Microsoft

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `GameExplorer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `Handwriting.admx/adml` that is included with the Micro

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `Sharing.admx/adml` that is included with the Microsoft

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `CaptureWizard.admx/adml` that is only included with t

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `IIS.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains settings for Locations and Sensors. accepted
This Group Policy section is provided by the Group Policy template `Sensors.admx/adml` that is included with the Microsof

This section contains settings for Windows Location Provider. accepted
This Group Policy section is provided by the Group Policy template `LocationProviderAdm.admx/adml` that is included with

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `msched.admx/adml` that is included with the Microsoft

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `WinMaps.admx/adml` that is included with the Microso

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `MDM.admx/adml` that is included with the Microsoft W

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `Messaging.admx/adml` that is included with the Micros

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `MSAPolicy.admx/adml` that is included with the Micros

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `MicrosoftEdge.admx/adml` that is included with the Mi

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `FidoAuth.admx/adml` that is included with the Microso

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `DeviceCredential.admx/adml` that is included with the

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `UserExperienceVirtualization.admx/adml` that is includ

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `Conf.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `NAPXPQec.admx/adml` that is only included with the M
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `NetworkProjection.admx/adml` that is only included wi

This section contains recommendations related to OneDrive. accepted
The Group Policy settings contained within this section are provided by the Group Policy template `SkyDrive.admx/adml` th

**Note:** This section was initially named _SkyDrive_ but was renamed by Microsoft to _OneDrive_ starting with the Micros

To establish the recommended configuration via GP, set the following UI path to `Ena

This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates. accepted

**Note:** This section was initially named _Terminal Services_ but was renamed by Microsoft to _Remote Desktop Service

This section contains recommendations for the Remote Desktop Connection Client. accepted
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. full

The recommended state for this setting is: `Enabled`.

An attacker with

The password saving checkbox will be

**Note:** If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords wi

Navigate to the UI Path articulated in the Remediation section and

To establish the recommended configuration via GP, set the following UI path to `Enabled`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Re
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path is provided by the Group Policy template `TerminalS

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with the M

**Note:** This section was initially named _TS Licensing_ but was renamed by Microsoft to _RD Licensing_ starting with th

This section contains recommendations for the Remote Desktop Session Host. accepted
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

**Note:** This section was initially named _Terminal Server_ but was renamed by Microsoft to _Remote Desktop Session H
This section contains recommendations for Connections to the Remote Desktop Session Host. accepted
This Group Policy section is provided by the Group Policy template `TerminalServer-Server.admx/adml` that is included wit

This section contains recommendations related to the Remote Desktop Session Host Device and Resource Redirection. accepted
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that full

The recommended state for this setting is: `Enabled`.

`\\TSClient\$`

Data could be forw

If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them.

Drive redirection will not be possible

Navigate to the UI Path articulated in the Remediation section and

To establish the recommended configuration via GP, set the following UI path to `Enabled`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Re
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path is provided by the Group Policy template `TerminalS

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

**Note:** This section was initially named _TS Connection Broker_ but was renamed by Microsoft to _RD Connection Brok

This section contains recommendations related to Remote Desktop Session Host Security. accepted
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon co full

The recommended state for this setting is: `Enabled`.

Users have the opt

Users cannot automatically log on to

Navigate to the UI Path articulated in the Remediation section and

To establish the recommended configuration via GP, set the following UI path to `Enabled`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Re
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) full

You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated req

The recommended state for this setting is: `Enabled`.

Allowing unsecure

Remote Desktop Services accepts

Navigate to the UI Path articulated in the Remediation section and

To establish the recommended configuration via GP, set the following UI path to `Enabled`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Re
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path is provided by the Group Policy template `TerminalS

This policy setting specifies whether to require the use of a specific encryption level to secure communications between clie full

The recommended state for this setting is: `Enabled: High Level`.

If Remote Desktop

None - this is the default behavior.

To establish the recommended configuration via GP, set the following UI path to `Enabled: High Level`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Re
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path is provided by the Group Policy template `TerminalS

**Note #2:** In the Microsoft Windows Vista Administrative Templates, this setting wa

This section contains recommendations related to Remote Desktop Session Host Session Time Limits. accepted
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

**Note:** This Group Policy path is provided by the Group Policy template `TerminalS

This section contains recommendations related to Remote Desktop Session Host Temporary folders. accepted
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. full

The recommended state for this setting is: `Disabled`.

Sensitive informat

None - this is the default behavior.

Navigate to the UI Path articulated in the Remediation section and

To establish the recommended configuration via GP, set the following UI path to `Disabled`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Re
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active s full

To reclaim disk space, the temporary folder is deleted when the user logs off from a session.

The recommended state for this setting is: `Disabled`.

Disabling this set

None - this is the default behavior.

Navigate to the UI Path articulated in the Remediation section and

To establish the recommended configuration via GP, set the following UI path to `Disabled`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Re
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path is provided by the Group Policy template `TerminalS
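The three Remote Desktop Session Host Security recommendations above (always prompt for a password, require secure RPC, client connection encryption level `High`) are policy settings, but what protects a session is the state the RDP listener actually enforces. As an added example (not part of the CIS benchmark), the following PowerShell reads that effective state through the Terminal Services WMI provider and compares it with the policy intent. It assumes the `Win32_TSGeneralSetting` class (namespace `root/cimv2/TerminalServices`) with its `MinEncryptionLevel` and `SecurityLayer` properties and `SetEncryptionLevel` method, and the `TerminalServer.admx` registry values `fPromptForPassword`, `fEncryptRPCTraffic` and `MinEncryptionLevel`; none of these names are quoted by the page.

```powershell
# Added example, not from the benchmark. Assumed (not quoted by the page):
# Win32_TSGeneralSetting in root/cimv2/TerminalServices, and the TerminalServer.admx
# policy values fPromptForPassword, fEncryptRPCTraffic, MinEncryptionLevel.
# Run elevated on the RD Session Host.
function Test-RdpListenerSecurity {
    param(
        [string]$Listener = 'RDP-Tcp',
        [switch]$Remediate
    )

    # Effective listener state: what the host enforces right now, whichever of
    # local configuration or Group Policy put it there.
    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='$Listener'" -ErrorAction Stop

    # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant.
    # The benchmark's "Enabled: High Level" is 3; 4 also satisfies it.
    $levelName = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
    $effective = [int]$ts.MinEncryptionLevel

    if ($Remediate -and $effective -lt 3) {
        # Clients that cannot negotiate 128-bit RDP encryption are refused after this.
        $r = Invoke-CimMethod -InputObject $ts -MethodName SetEncryptionLevel `
                              -Arguments @{ MinEncryptionLevel = [uint32]3 }
        if ($r.ReturnValue -ne 0) { throw "SetEncryptionLevel failed: $($r.ReturnValue)" }
        $effective = 3
    }

    # Policy intent for the three Security recommendations. An absent value is
    # "Not Configured", which is a finding for each of them.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
                            -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Listener                 = $Listener
        EffectiveEncryption      = $levelName[$effective]
        EffectiveSecurityLayer   = $ts.SecurityLayer        # 0 = RDP, 1 = Negotiate, 2 = TLS
        EncryptionHighOrBetter   = $effective -ge 3
        PolicyMinEncryptionLevel = $pol.MinEncryptionLevel  # expect 3
        PolicySecureRpc          = $pol.fEncryptRPCTraffic -eq 1
        PolicyPromptForPassword  = $pol.fPromptForPassword -eq 1
    }
}

Test-RdpListenerSecurity | Format-List
```

A host can show `EffectiveEncryption = High` with `PolicyMinEncryptionLevel` empty: the listener was hardened locally, but nothing stops an administrator from lowering it again, and the benchmark audit of the policy path still fails. Treat the policy columns as the control and the effective columns as the evidence that it is in force.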
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was na

This section contains recommendations related to RSS feeds. accepted
This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's full

The recommended state for this setting is: `Enabled`.

Allowing attachmen

Users cannot set the Feed Sync Engi

Navigate to the UI Path articulated in the Remediation section and

To establish the recommended configuration via GP, set the following UI path to `Enabled`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\RS
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet
```

**Note:** This Group Policy path is provided by the Group Policy template `InetRes.ad

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was na

This section contains recommendations for Search settings. accepted
This Group Policy section is provided by the Group Policy template `Search.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is r full

The recommended state for this setting is: `Disabled`.

Indexing and allowi

None - this is the default behavior.

Navigate to the UI Path articulated in the Remediation section and

To establish the recommended configuration via GP, set the following UI path to `Disabled`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Se
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path is provided by the Group Policy template `Search.ad
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SearchOCR.admx/adml` that is only included with the

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `SecurityCenter.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `Snis.admx/adml` that is only included with the Microso

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `WinInit.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `SmartCard.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to the Software Protection Platform. accepted
This Group Policy section is provided by the Group Policy template `AVSValidationGP.admx/adml` that is included with the

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `SoundRec.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `Speech.admx/adml` that is included with the Microsoft

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `WinStoreUI.admx/adml` that is included with the Micro

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `SettingSync.admx/adml` that is included with the Micro

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `TaskScheduler.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `TextInput.admx/adml` that is only included with the Mic

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `WinCal.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `WindowsColorSystem.admx/adml` that is included with
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `CEIPEnable.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Windows Defender Antivirus. accepted
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with

**Note:** This section was originally named _Windows Defender_ but was renamed by Microsoft to _Windows Defender An

This policy setting turns off Windows Defender Antivirus. If the setting is configured to Disabled, Windows Defender Antiviru full

The recommended state for this setting is: `Disabled`.

It is important to ensure a current, updated antivirus product is scanning each computer for malicious file

Organizations that choose to purchase a reputable 3rd-party antivirus solution may choose to exempt th

None - this is the default behavior.

Navigate to the UI Path articulated in the Remediation section and

To establish the recommended configuration via GP, set the following UI path to `Disabled`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path is provided by the Group Policy template `WindowsD

**Note #2:** In older Microsoft Windows Administrative Templates, this setting was ini

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the

This section contains recommendations related to Microsoft Active Protection Service (MAPS). accepted
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the

This policy setting configures a local override for the configuration to join Microsoft Active Protection Service (MAPS), whic full

The recommended state for this setting is: `Disabled`.

The decision on wh

None - this is the default behavior.

Navigate to the UI Path articulated in the Remediation section and

To establish the recommended configuration via GP, set the following UI path to `Disabled`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the

This section contains settings related to Real-time Protection. accepted
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the

This policy setting allows you to configure behavior monitoring for Windows Defender Antivirus. full

The recommended state for this setting is: `Enabled`.

When running an an

None - this is the default configuratio

Navigate to the UI Path articulated in the Remediation section and

To establish the recommended configuration via GP, set the following UI path to `Enabled`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the

This section contains settings related to Windows Defender Reporting. accepted
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the

This section contains settings related to Windows Defender scanning. accepted
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the

This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the conte full

The recommended state for this setting is: `Enabled`.

It is important to

Removable drives will be scanned du

Navigate to the UI Path articulated in the Remediation section and

To establish the recommended configuration via GP, set the following UI path to `Enabled`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mai full

The recommended state for this setting is: `Enabled`.

Incoming e-mails s

E-mail scanning by Windows Defender

Navigate to the UI Path articulated in the Remediation section and

To establish the recommended configuration via GP, set the following UI path to `Enabled`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

**Note:** This Group Policy path may not exist by default. It is provided by the Group

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `AppHVSI.admx/adml` that is included with the Microso

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `ExploitGuard.admx/adml` that is included with the Micr

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent. accepted
This Group Policy section is provided by the Group Policy template `WindowsDefenderSecurityCenter.admx/adml` that is in

This section contains Windows Defender SmartScreen settings. accepted
This Group Policy section is provided by the Group Policy template `SmartScreen.admx/adml` that is included with the Mic

This section contains recommendations for Explorer-related Windows Defender SmartScreen settings. accepted
The Group Policy settings contained within this section are provided by the Group Policy template `WindowsExplorer.admx

This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs s full

The recommended state for this setting is: `Enabled: Warn and prevent bypass`.

Windows SmartScre

Users will be warned before they ar

Navigate to the UI Path articulated in the Remediation section and

To establish the recommended configuration via GP, set the following UI path to `Enabled: Warn and prevent bypass`:

```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```

This section contains recommendations related to Windows Error Reporting. accepted
accepted **Note:** This Group Policy path
Navigate to themay not exist
UI Path by default.
articulated in theIt Remediation
is provided bysection
the Groupand
```
Group setting
This policy Policy section
controlsiswhether
provided by the Group
memory
``` dumps Policy template
in support `ErrorReporting.admx/adml`
of OS-generated error reports canthat is included
be sent with allautom
to Microsoft ver
full Memory dumps may **Note #2:**
Computer In older```Microsoft Windows
Configuration\Policies\Administrative Administrative
All memory dumpsTemplates,
Templates\Windows
are uploaded this setting was ini
Components\Win
accord
The recommended
This state forblank
section is intentionally this setting
and``` is: `Disabled`.
exists to ensure the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
structure of Windows benchmarks is consistent.
accepted ```
This section contains recommendations related to Windows Error Reporting consent.
This Group Policy section is provided by the Group Policy template `ErrorReporting.admx/adml` that is included with all ver
**Note:** This Group Policy path may not exist by default. It is provided by the Group
To establish the recommended configuration via GP, set the following UI path to `Ena
accepted
Navigate to the UI Path articulated in the Remediation section and
This setting allows you to set the default consent handling for error reports.
This Group Policy section is provided by the Group Policy template `ErrorReporting.admx/adml` that is included with all ver
full
Error reports may
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
None - this is the default behavior.
The recommended state for this setting is: `Enabled: Always ask before sending data`
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This Group Policy path is provided by the Group Policy template `ErrorRepo
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `GameDVR.admx/adml` that is included with the Micros
accepted This Group Policy section is provided by the Group Policy template `Passport.admx/adml` that is included with the Microso
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This section was initially named _Microsoft Passport for Work_ but was renamed by Microsoft to _Windows Hello
To establish the recommended configuration via GP, set the following UI path to `Disa
This section contains recommendations related to Windows Installer.
This Group Policy section is provided by the Group Policy template `WindowsInkWorkspace.admx/adml` that is included w
accepted
Navigate to the UI Path articulated in the Remediation section and
This setting controls whether users are permitted to change installation options that typically are available only to system a
This setting controls whether or not Windows Installer should use system permissions when it installs any program on the
This Group Policy section is provided by the Group Policy template `MSI.admx/adml` that is included with all versions of the
To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
full
In an enterprise m
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effe
full
Users with limited
**Note:** This Group Policy path is provided by the Group Policy template `MSI.admx
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
None - this is the default behavior.
**Caution:** If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges an
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
This section contains recommendations related to Windows Logon Options.
To establish the recommended configuration via GP, set the following UI path to `Disa
Navigate to the UI Path articulated in the Remediation section and
accepted
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was na
This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restar
This Group Policy section is provided by the Group Policy template `WinLogon.admx/adml` that is included with all versions
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path is provided by the Group Policy template `MSI.admx
full
Disabling this fea
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
The device does no
This group policy setting is backed by the following registry location
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren
```
The recommended state for this setting is: `Disabled`.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMail.admx/adml` that is only included with the
**Note:** This Group Policy path may not exist by default. It is provided by the Group
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MediaCenter.admx/adml` that is only included with the
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMediaDRM.admx/adml` that is included with
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMediaPlayer.admx/adml` that is included with
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsCollaboration.admx/adml` that is only include
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMessenger.admx/adml` that is included with a
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MobilePCMobilityCenter.admx/adml` that is included w
accepted
This section contains recommendations related to Windows PowerShell.
This Group Policy section is provided by the Group Policy template `MovieMaker.admx/adml` that is only included with the
To establish the recommended configuration via GP, set the following UI path to `Disa
accepted
This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event lo
Navigate to the UI Path articulated in the Remediation section and
This Group Policy section is provided by the Group Policy template `PowerShellExecutionPolicy.admx/adml` that is include
To establish the recommended configuration via GP, set the following UI path to `Disa
full
There are potentia
The recommended state for this setting is: `Disabled`.
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
Logging of PowerShell script input is
**Note:** In Microsoft's own hardening guidance, they recommend the opposite value, `Enabled`, because having this data
This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts.
full
If this setting is
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This Group Policy path may not exist by default. It is provided by the Group
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This section contains recommendations related to Windows Remote Management (WinRM).
This Group Policy section is provided by the Group Policy template `RacWmiProv.admx/adml` that is included with the Mic
**Note:** This Group Policy path may not exist by default. It is provided by the Group
accepted
This section contains recommendations related to the Windows Remote Management (WinRM) client.
This Group Policy section is provided by the Group Policy template `WindowsRemoteManagement.admx/adml` that is inclu
accepted
This Group Policy section is provided by the Group Policy template `WindowsRemoteManagement.admx/adml` that is inclu
To establish the recommended configuration via GP, set the following UI path to `Disa
Navigate to the UI Path articulated in the Remediation section and
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentica
To establish the recommended configuration via GP, set the following UI path to `Disa
full
Basic authenticati
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives u
To establish the recommended configuration via GP, set the following UI path to `Ena
full
Encrypting WinRM n
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest au
**Note:** This Group Policy path is provided by the Group Policy template `WindowsR
full
Digest authenticat
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
The WinRM client will not use Digest
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is provided by the Group Policy template `WindowsR
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
This section contains recommendations related to the Windows Remote Management (WinRM) service.
To establish the recommended configuration via GP, set the following UI path to `Disa
accepted
Navigate to the UI Path articulated in the Remediation section and
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authe
This Group Policy section is provided by the Group Policy template `WindowsRemoteManagement.admx/adml` that is inclu
**Note:** This Group Policy path is provided by the Group Policy template `WindowsR
To establish the recommended configuration via GP, set the following UI path to `Disa
full
Basic authenticati
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
The recommended state for this setting is: `Disabled`.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives
To establish the recommended configuration via GP, set the following UI path to `Ena
full
Encrypting WinRM n
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs cre
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path is provided by the Group Policy template `WindowsR
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
The WinRM service will not allow the RunAs Use
The recommended state for this setting is: `Enabled`.
full
Although the abili
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
**Note:** This Group Policy path is provided by the Group Policy template `WindowsR
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
This section contains settings related to Windows Remote Shell (WinRS).
If this setting is later Disabled again, any values
accepted
**Note:** If you enable and then disable this polic setting, any values that were previously configured for RunAsPassword
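The WinRM client and service recommendations above are audited through the registry values that Group Policy writes, but the WinRM service only reads those values when it starts, so a host can carry the correct policy and still accept Basic or unencrypted traffic until the service is restarted or `gpupdate` has run. The PowerShell below is an added example, not text from the benchmark, that puts the policy value and the service's effective value side by side for each WinRM recommendation. The registry key and value names (`AllowBasic`, `AllowUnencryptedTraffic`, `AllowDigest`, `DisableRunAs`) are taken from the WinRM administrative template as the author knows it, because this page truncates every path, and are assumptions to confirm against your copy of the template; the `WSMan:` provider paths are the documented ones.

```powershell
# Added example, not part of the CIS benchmark text.
# Group Policy writes the WinRM policy into the registry; the WinRM service
# reads it at start-up and exposes the running configuration through the
# WSMan: drive. Comparing the two catches a host whose policy is right but
# whose service is still running the old values.
# Registry names are assumptions taken from the WinRM ADMX template (the
# benchmark page truncates them). Run elevated, with the WinRM service started.

$client  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
$service = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'

# Want = the effective value that satisfies the benchmark's recommended state.
$map = @(
    @{ Rule = 'Client: Allow Basic authentication (Disabled)';    WsMan = 'WSMan:\localhost\Client\Auth\Basic';        Key = $client;  Name = 'AllowBasic';              Want = 'false' }
    @{ Rule = 'Client: Allow unencrypted traffic (Disabled)';     WsMan = 'WSMan:\localhost\Client\AllowUnencrypted';  Key = $client;  Name = 'AllowUnencryptedTraffic'; Want = 'false' }
    @{ Rule = 'Client: Disallow Digest authentication (Enabled)'; WsMan = 'WSMan:\localhost\Client\Auth\Digest';       Key = $client;  Name = 'AllowDigest';             Want = 'false' }
    @{ Rule = 'Service: Allow Basic authentication (Disabled)';   WsMan = 'WSMan:\localhost\Service\Auth\Basic';       Key = $service; Name = 'AllowBasic';              Want = 'false' }
    @{ Rule = 'Service: Allow unencrypted traffic (Disabled)';    WsMan = 'WSMan:\localhost\Service\AllowUnencrypted'; Key = $service; Name = 'AllowUnencryptedTraffic'; Want = 'false' }
)

function Get-WinRMPolicyDrift {
    foreach ($m in $map) {
        # Effective state as the service sees it; the provider returns 'true'/'false' strings.
        $item      = Get-Item -Path $m.WsMan
        $effective = [string]$item.Value
        # Policy state as written by Group Policy (REG_DWORD 0/1), or $null if never applied.
        $policy = (Get-ItemProperty -Path $m.Key -Name $m.Name -ErrorAction SilentlyContinue).($m.Name)
        if ($null -eq $policy) { $policyText = 'not set' } else { $policyText = "$policy" }

        # Translate the policy DWORD into the string the provider would show for it.
        $fromPolicy = $null
        if ($policy -eq 1) { $fromPolicy = 'true' } elseif ($policy -eq 0) { $fromPolicy = 'false' }

        if ($effective -ne $m.Want) { $status = 'FAIL' }
        elseif ($fromPolicy -and $fromPolicy -ne $effective) { $status = 'DRIFT (policy not applied by service)' }
        elseif ($null -eq $policy) { $status = 'PASS (OS default, not enforced by policy)' }
        else { $status = 'PASS' }

        [pscustomobject]@{
            Rule      = $m.Rule
            Effective = $effective
            Policy    = $policyText
            Source    = $item.SourceOfValue   # provider reports 'GPO' when the running value came from policy
            Status    = $status
        }
    }
}

Get-WinRMPolicyDrift | Format-Table -AutoSize

# RunAs credential storage has no counterpart in the WSMan: drive, so check the registry alone.
$runAs = (Get-ItemProperty -Path $service -Name 'DisableRunAs' -ErrorAction SilentlyContinue).DisableRunAs
if ($null -eq $runAs) { $runAsText = 'not set' } else { $runAsText = "$runAs" }
if ($runAs -eq 1) { $runAsStatus = 'PASS' } else { $runAsStatus = 'FAIL' }
[pscustomobject]@{
    Rule      = 'Service: Disallow WinRM from storing RunAs credentials (Enabled)'
    Effective = 'n/a (not exposed in WSMan:)'
    Policy    = $runAsText
    Source    = ''
    Status    = $runAsStatus
} | Format-Table -AutoSize
```

A `DRIFT` row is the case the registry-only audit in the benchmark cannot see: the policy value is correct but the service is still honouring the previous value, typically because WinRM has not been restarted since the GPO was applied.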
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
This Group Policy section is provided by the Group Policy template `WindowsRemoteShell.admx/adml` that is included with
This policy setting specifies whether computers in your environment will receive security updates from Windows Update or
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SideShow.admx/adml` that is only included with the M
After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Upda
- 2 - Notify for download and auto install _(Notify before downloading any updates)_
- 3 - Auto download and notify for install _(Download the updates automatically and notify when they are ready to be install
- 4 - Auto download and schedule the install _(Automatically download updates and install them on the schedule specified
- 5 - Allow local admin to choose setting _(Leave decision on above choices up to the local Administrators (Not Recommen
accepted
This section contains recommendations related to Windows Update.
This Group Policy section is provided by the Group Policy template `SystemResourceManager.admx/adml` that is only incl
To establish the recommended configuration via GP, set the following UI path to `Ena
accepted
Navigate to the UI Path articulated in the Remediation section and
This Group Policy section is provided by the Group Policy template `WindowsUpdate.admx/adml` that is included with all v
To establish the recommended configuration via GP, set the following UI path to `0 - E
full
Although each vers
This policy setting specifies when computers in your environment will receive security updates from Windows Update or W
To establish the recommended configuration via GP, set the following UI path to `Disa
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
Critical operating system updates and
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full
Although each vers
The recommended state for this setting is: `0 - Every day`.
This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on th
If `4 - Auto download and schedule the
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
Navigate to the UI Path articulated in the Remediation section and
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is provided by the Group Policy template `WindowsU
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Win
```
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
full
Some security upda
**Note:** This setting is only applicable if `4 - Auto download and schedule the install` is selected in Rule 18.9.101.2. It will
The recommended state for this setting is: `Disabled`.
None - this is the default behavior.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** The sub-setting "_Configure automatic updating:_" has 4 possible values – all of them are valid depending on spe
**Note:** This Group Policy path is provided by the Group Policy template `WindowsU
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window
```
**Note:** This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you
This Group Policy section is provided by the Group Policy template `WindowsUpdate.admx/adml` that is included with the M
**Note:** This Group Policy path is provided by the Group Policy template `WindowsU
**Note #2:** Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting,
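The Computer Configuration recommendations in the sections above (Windows Defender SmartScreen, Windows Error Reporting, Windows Installer, Windows Logon Options, Windows PowerShell, WinRM and Windows Update) all share one audit shape: a value under the policy hive compared with a recommended state. The PowerShell below is an added example, not part of the benchmark, that checks them in a single table-driven pass. Every registry path on this page is truncated, so the full key paths and value names come from the matching ADMX templates as the author knows them and are assumptions to confirm against the templates. A value that is absent is reported as `FAIL`, because the operating system default then governs instead of the policy. For `Configure Automatic Updates` the page states that all four sub-setting values are valid, so the check accepts any of 2, 3, 4 or 5; the two PowerShell logging entries follow the page's recommended `Disabled` state and should be flipped by organisations that follow Microsoft's `Enabled` guidance mentioned above.

```powershell
# Added example, not part of the CIS benchmark text.
# Table-driven audit of Computer Configuration policy values against the
# recommended states in this section. Key paths and value names are
# assumptions taken from the corresponding ADMX templates (the page
# truncates them); verify them against your template files before relying
# on the results. Run in an elevated PowerShell 3.0+ session on the server.

$checks = @(
    # Windows Defender SmartScreen: Enabled: Warn and prevent bypass
    @{ Rule='Configure Windows SmartScreen (enabled)';   Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name='EnableSmartScreen';     Expected=1 }
    @{ Rule='Configure Windows SmartScreen (level)';     Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name='ShellSmartScreenLevel'; Expected='Block' }
    # Windows Error Reporting
    @{ Rule='Automatically send memory dumps for OS-generated error reports (Disabled)'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting';         Name='AutoApproveOSDumps'; Expected=0 }
    @{ Rule='Configure Default consent (Always ask before sending data)';              Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent'; Name='DefaultConsent';     Expected=1 }
    # Windows Installer
    @{ Rule='Allow user control over installs (Disabled)';        Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'; Name='EnableUserControl';     Expected=0 }
    @{ Rule='Always install with elevated privileges (Disabled)'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'; Name='AlwaysInstallElevated'; Expected=0 }
    # Windows Logon Options
    @{ Rule='Sign-in last interactive user automatically after restart (Disabled)'; Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableAutomaticRestartSignOn'; Expected=1 }
    # Windows PowerShell: the page says Disabled; set Expected=1 if you follow Microsoft's guidance instead
    @{ Rule='Turn on PowerShell Script Block Logging (Disabled)'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'; Name='EnableScriptBlockLogging'; Expected=0 }
    @{ Rule='Turn on PowerShell Transcription (Disabled)';        Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription';      Name='EnableTranscripting';      Expected=0 }
    # WinRM client and service
    @{ Rule='WinRM Client: Allow Basic authentication (Disabled)';     Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client';  Name='AllowBasic';              Expected=0 }
    @{ Rule='WinRM Client: Allow unencrypted traffic (Disabled)';      Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client';  Name='AllowUnencryptedTraffic'; Expected=0 }
    @{ Rule='WinRM Client: Disallow Digest authentication (Enabled)';  Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client';  Name='AllowDigest';             Expected=0 }
    @{ Rule='WinRM Service: Allow Basic authentication (Disabled)';    Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'; Name='AllowBasic';              Expected=0 }
    @{ Rule='WinRM Service: Allow unencrypted traffic (Disabled)';     Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'; Name='AllowUnencryptedTraffic'; Expected=0 }
    @{ Rule='WinRM Service: Disallow storing RunAs credentials (Enabled)'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'; Name='DisableRunAs';        Expected=1 }
    # Windows Update
    @{ Rule='Configure Automatic Updates (Enabled)';              Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name='NoAutoUpdate';                  Expected=0 }
    @{ Rule='Configure Automatic Updates: sub-setting 2..5';      Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name='AUOptions';                     Allowed=@(2,3,4,5) }
    @{ Rule='Scheduled install day: 0 - Every day';               Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name='ScheduledInstallDay';           Expected=0 }
    @{ Rule='No auto-restart with logged on users (Disabled)';    Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name='NoAutoRebootWithLoggedOnUsers'; Expected=0 }
)

function Test-MachinePolicy {
    param([Parameter(Mandatory)][hashtable]$Check)
    $actual = $null
    if (Test-Path -LiteralPath $Check.Path) {
        $props = Get-ItemProperty -LiteralPath $Check.Path -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties[$Check.Name]) { $actual = $props.($Check.Name) }
    }
    # An absent value means the policy was never applied and the OS default governs: a finding.
    if ($Check.ContainsKey('Allowed')) {
        $pass = ($null -ne $actual) -and ($Check.Allowed -contains $actual)
        $want = $Check.Allowed -join '|'
    } else {
        $pass = ($null -ne $actual) -and ($actual -eq $Check.Expected)
        $want = $Check.Expected
    }
    if ($null -eq $actual) { $shown = 'not set' } else { $shown = $actual }
    [pscustomobject]@{
        Rule     = $Check.Rule
        Value    = $Check.Name
        Actual   = $shown
        Expected = $want
        Status   = $(if ($pass) { 'PASS' } else { 'FAIL' })
    }
}

$results = foreach ($c in $checks) { Test-MachinePolicy -Check $c }
$results | Format-Table -AutoSize
'{0} of {1} checks passed' -f @($results | Where-Object Status -eq 'PASS').Count, $results.Count
```

The table is the only part that changes between benchmark versions; keeping the rule title next to each value name makes it straightforward to reconcile a `FAIL` row with the corresponding Remediation entry above.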
accepted
**Note:** This section was initially named _Defer Updates_ but was renamed by Microsoft to _Windows Update
**Note #2:** In older Microsoft Windows Administrative Templates, this setting was in
This section contains user-based recommendations from Group Policy Administrative Templates (ADMX).
This section contains recommendations for Control Panel settings.
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AddRemovePrograms.admx/adml` that is included with
accepted This section contains recommendations for personalization settings.
This Group Policy section is provided by the Group Policy template `ControlPanelDisplay.admx/adml` that is included with
To establish the recommended configuration via GP, set the following UI path to `Ena
accepted
This Group Policy section is provided by the Group Policy template `ControlPanelDisplay.admx/adml` that is included with
Navigate to the UI Path articulated in the Remediation section and
This policy setting enables/disables the use of desktop screen savers.
To establish the recommended configuration via GP, set the following UI path to `Ena
full
**Note:** This section was initially named _Desktop Themes_ but was renamed by Microsoft to _Personalization_ starting w
This policy setting specifies the screen saver for the user's desktop.
If a user forgets t
```
User Configuration\Policies\Administrative Templates\Control Panel\Personalization\E
```
Navigate to the UI Path articulated in the Remediation section and
A screen saver runs, provided that th
The recommended state for this setting is: `Enabled`.
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window
```
To establish the recommended configuration via GP, set the following UI path to `Ena
full
This setting specifies how much user idle time must elapse before the screen saver is launched.
If a user forgets t
The recommended state for this setting is: `Enabled: scrnsave.scr`.
```
User Configuration\Policies\Administrative Templates\Control Panel\Personalization\F
```
Navigate to the UI Path articulated in the Remediation section and
The system displays the specified sc
This setting determines whether screen savers used on the computer are password protected.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
To establish the recommended configuration via GP, set the following UI path to `Ena
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window
```
full
**Note:** If the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored.
The recommended state for this setting is: `Enabled: 900 seconds or fewer, but not 0`.
If a user forgets t
```
User Configuration\Policies\Administrative Templates\Control Panel\Personalization\P
```
Navigate to the UI Path articulated in the Remediation section and
All screen savers are password prote
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path may not exist by default. It is provided by the Group
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window
```
full
**Note:** This setting has no effect under the following circumstances:
If a user forgets t
```
User Configuration\Policies\Administrative Templates\Control Panel\Personalization\S
```
The screen saver will automatically a
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This Group Policy path is provided by the Group Policy template `ControlPa
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window
```
- The wait time is set to zero.
- The "Enable Screen Saver" setting is disabled.
- A valid existing screen saver is not selected manually or via the "Screen saver executable name" setting
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
**Note:** This Group Policy path may not exist by default. It is provided by the Group
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section contains recommendations for Start Menu and Taskbar settings.
This Group Policy section is provided by the Group Policy template `SharedFolders.admx/adml` that is included with all ver
accepted
This section contains recommendations for Notification settings.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
To establish the recommended configuration via GP, set the following UI path to `Ena
accepted
Navigate to the UI Path articulated in the Remediation section and
This policy setting turns off toast notifications on the lock screen.
This Group Policy section is provided by the Group Policy template `WPN.admx/adml` that is included with the Microsoft W
full
While this feature
```
User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Notific
```
Applications will not be able to raise
The recommended state for this setting is: `Enabled`.
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window
```
This section contains recommendations for System settings.
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
**Note:** This Group Policy path may not exist by default. It is provided by the Group
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CtrlAltDel.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DeviceInstallation.admx/adml` that is included with all
accepted
This Group Policy section is provided by the Group Policy template `FolderRedirection.admx/adml` that is included with all
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This section contains recommendations related to Internet Communication Management.
This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with all versio
accepted
This section contains recommendations related to Internet Communication settings.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section contains recommendations for Windows Component settings.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted This Group Policy section is provided by the Group Policy template `WindowsAnytimeUpgrade.admx/adml` that is included
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted **Note:** This section was initially named _Windows Anytime Upgrade_ but was renamed by Microsoft to _Add features to
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AppXRuntime.admx/adml` that is included with the Mic
accepted
Group Policy
This section section
contains is providedTo
recommendations byestablish
the Group
related tothePolicy
Attachmenttemplate
recommended `AppCompat.admx/adml`
Manager.configuration via GP, setthat the is included
following UIwith
pathalltoversio
`Disa
accepted This policy setting allows you to manage whether Windows Navigate
markstofile
theattachments
UI Path articulated
with information
in the Remediation
about their section
zone ofand orig
This Group Policy section is providedTo byestablish
``` the Groupthe Policy template `AttachmentManager.admx/adml`
recommended configuration via GP, set the following that isUIincluded
path to with
`Enaa
full
A file that is dow
This policy setting manages the behavior for notifying registered antivirus programs. If multiple programs are registered, the
The recommended state for this setting is: `Disabled`.
```
User Configuration\Policies\Administrative Templates\Windows Components\Attachm
```
Navigate to the UI Path articulated in the Remediation section and
None - this is the default behavior.
```
HKEY_USERS\[USER SID]\SOFTWARE\Microsoft\Windows\Curre
```
full
Antivirus programs
**Note:** The Attachment Manager feature warns users when opening or executing files which are marked as being from a
The recommended state for this setting is: `Enabled`.
```
User Configuration\Policies\Administrative Templates\Windows Components\Attachm
```
Windows tells registered antiviru
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This Group Policy path is provided by the Group Policy template `Attachmen
```
HKEY_USERS\[USER SID]\SOFTWARE\Microsoft\Windows\Curre
```
accepted
**Note:** An updated antivirus program must be installed for this policy setting to function properly.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AutoPlay.admx/adml` that is included with all versions
**Note:** This Group Policy path is provided by the Group Policy template `Attachmen
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `UserDataBackup.admx/adml` that is included only with
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CloudContent.admx/adml` that is included with the Mic
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CredUI.admx/adml` that is included with the Microsoft
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DataCollection.admx/adml` that is included with the Mi
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Sidebar.admx/adml` that is included with the Microsoft
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DWM.admx/adml` that is included with all versions of t
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DigitalLocker.admx/adml` that is included with all versi
accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EdgeUI.admx/adml` that is included with the Microsoft
accepted This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted **Note:** This section was initially named _Windows Explorer_ but was renamed by Microsoft to _File Explorer_ starting wi
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FileRevocation.admx/adml` that is included with the M
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EAIME.admx/adml` that is included with the Microsoft
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CaptureWizard.admx/adml` that is only included with t
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WordWheel.admx/adml` that is included with all versio
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions o
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Sensors.admx/adml` that is included with the Microsof
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MicrosoftEdge.admx/adml` that is included with the Mi
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MMC.admx/adml` that is included with all versions of t
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `UserExperienceVirtualization.admx/adml` that is includ
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Conf.admx/adml` that is included with all versions of th
accepted
This section contains recommendations related to Network Sharing.
This Group Policy section is provided by the Group Policy template `NetworkProjection.admx/adml` that is only included wi
To establish the recommended configuration via GP, set the following UI path to `Ena
accepted
Navigate to the UI Path articulated in the Remediation section and
This policy setting determines whether users can share files within their profile. By default, users are allowed to share files o
This Group Policy section is provided by the Group Policy template `Sharing.admx/adml` that is included with all versions
full
If not properly co
```
User Configuration\Policies\Administrative Templates\Windows Components\Network
```
Users cannot share files within their
The recommended state for this setting is: `Enabled`.
```
HKEY_USERS\[USER SID]\SOFTWARE\Microsoft\Windows\Curre
```
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This Group Policy path is provided by the Group Policy template `Sharing.ad
accepted
This Group Policy section is provided by the Group Policy template `MobilePCPresentationSettings.admx/adml` that is inclu
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all ve
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
**Note:** This section was initially named _Terminal Services_ but was renamed by Microsoft to _Remote Desktop Service
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions o
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Search.admx/adml` that is included with the Microsoft
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SoundRec.admx/adml` that is included with all version
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinStoreUI.admx/adml` that is included with the Micro
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TaskScheduler.admx/adml` that is included with all ver
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinCal.admx/adml` that is included with all versions o
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsColorSystem.admx/adml` that is included with
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SmartScreen.admx/adml` that is included with the Mic
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ErrorReporting.admx/adml` that is included with all ver
accepted
This Group Policy section is provided by the Group Policy template `Passport.admx/adml` that is included with the Microso
This section contains recommendations related to the Windows Installer.
This setting controls whether or not Windows Installer should use system permissions when it installs any program on the s
To establish the recommended configuration via GP, set the following UI path to `Disa
accepted
**Note:** This section was initially named _Microsoft Passport for Work_ but was renamed by Microsoft to _Windows Hello
Navigate to the UI Path articulated in the Remediation section and
This Group Policy section is provided by the Group Policy template `MSI.admx/adml` that is included with all versions of the
**Note:** This setting appears in both the Computer Configuration and User Configuration folders. To make this setting effe
full
Users with limited
None - this is the default behavior.
```
User Configuration\Policies\Administrative Templates\Windows Components\Window
```
**Caution:** If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges an
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Window
```
accepted
The recommended state for this setting is: `Disabled`.
This Group Policy section is provided by the Group Policy template `WinLogon.admx/adml` that is included with all versions
**Note:** This Group Policy path is provided by the Group Policy template `MSI.admx
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMail.admx/adml` that is only included with the
accepted
This section contains recommendations related to Windows Media Player.
This Group Policy section is provided by the Group Policy template `MediaCenter.admx/adml` that is only included with the
accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMediaPlayer.admx/adml` that is included with
accepted
This section contains recommendations related to Windows Media Player playback.
This Group Policy section is provided by the Group Policy template `WindowsMediaPlayer.admx/adml` that is included with
accepted
This Group Policy section is provided by the Group Policy template `WindowsMediaPlayer.admx/adml` that is included with
notes CIS controls CCE-ID references
ur organization uses either the
the use of ALT key character combinations can greatly enhance the complexity of a password. However, such stringent password requirements can result
TITLE:Ensure Work
CCE-36286-3
s policy setting is enabled, a locked-out account will not be usable until it is reset by an administrator or until the account lockout duration expires. This setti
ugh it may seem like a good idea
TITLE:Configure A
CCE-37034-6
benchmarks is consistent.
u revoke this user right, no one will be able to debug programs. However, typical circumstances rarely require this capability on production computers. If a p
ost cases there will be no impact
TITLE:Minimize An
CCE-35823-4
u configure the **Deny access to
s that are used to manage processes will be unable to affect processes that are not owned by the person who runs the tools. For example, the Windows Se
TITLE:Account Mo
CCE-37954-5
u assign the **Deny log on as a batch job** user right to other accounts, you could deny users who are assigned to specific administrative roles the ability to
TITLE:Account Mo
CCE-36923-1
xample, if you assign this user right to the `IWAM_`_(ComputerName)_ account, the MSM Management Point will fail. On a newly installed computer that r
u assign the **Deny log on as a
TITLE:Account Mo
CCE-36877-9
tenance issues can arise under certain circumstances if you disable the Administrator account. For example, if the secure channel between a member com
TITLE:Minimize An
CCE-37953-7
current Administrator password does not meet the password requirements, you will not be able to re-enable the Administrator account after it is disabled. I
s will not be able to log onto th
TITLE:Account Mo
CCE-36147-7
benchmarks is consistent.
e - this is the default behavior. However, only Windows NT 4.0 with Service Pack 6a (SP6a) and subsequent versions of the Windows operating system sup
ability to create or delete trust relationships with clients running versions of Windows earlier than Windows NT 4.0 with SP6a will be disabled.
ons from clients running versions of Windows earlier than Windows NT 4.0 with SP6a will be disabled.
TITLE:Data Prote
CCE-36142-8
ability to authenticate other domains' users from a Domain Controller running a version of Windows earlier than Windows NT 4.0 with SP6a in a trusted do
e - this is the default behavior.
TITLE:Data Prote
CCE-37130-2
can enable this policy setting after you eliminate all Windows 9x clients from the domain and upgrade all Windows NT 4.0 servers and Domain Controllers f
e - this is the default behavior.
TITLE:Data Prote
CCE-37222-7
e - this is the default behavior.
rcing this setting on computers used by people who must log onto multiple computers in order to perform their duties could be frustrating and lower product
Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows Vista implementations of the SMB file
TITLE:Data Prote
CCE-36325-9
ementation of SMB signing may negatively affect performance, because each packet needs to be signed and verified. If these settings are enabled on a file ser
Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows Vista implementations of the SMB
TITLE:Data Prote
CCE-36269-9
e - this is the default behavior.
n SMB signing policies are enabled on Domain Controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows
ementation of SMB signing may negatively affect performance, because each packet needs to be signed and verified. If these settings are enabled on a ser
TITLE:Data Prote
CCE-37863-8
e
n SMB signing policies are enabled on Domain Controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows
very old applications and operating systems such as MS-DOS, Windows for Workgroups 3.11, and Windows 95a may not be able to communicate with th
Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing.
e will be little impact because SM
TITLE:Secure Conf
CCE-38046-9
Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet sign
Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows Vista implementations of the SMB file
TITLE:Data Prote
CCE-37864-6
ementation of SMB signing may negatively affect performance, because each packet needs to be signed and verified. If these settings are enabled on a file ser
Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows Vista implementations of the SMB
TITLE:Data Prote
CCE-35988-5
n SMB signing policies are enabled on Domain Controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows
ementation of SMB signing may negatively affect performance, because each packet needs to be signed and verified. If these settings are enabled on a ser
e - this is the default behavior.
indows operating systems support both a client-side SMB component and a server-side SMB component. This setting affects the server SMB behavior, an
I
TITLE:Account Mo
CCE-37972-7
n SMB signing policies are enabled on Domain Controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows
nfigured to `Accept if provided by client`, the SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established
TITLE:Controlled
CCE-36170-9
nfigured to `Required from client`, the SMB client MUST send a SPN name in session setup, and the SPN name provided MUST match the SMB server tha
e - this is the default behavior.
session access over null sessio
If you choose to enable this setting and are supporting Windows NT 4.0 domains, you should check if any of the named pipe
TITLE:Implement N
CCE-38258-0
e - this is the default behavior. However, if you remove the default registry paths from the list of accessible ones, remote management tools such as the Mic
MNAP: SNA session access
TITLE:Controlled
CCE-37194-8
e:** If you want to allow remote access, you must also enable the Remote Registry service.
MNODE: SNA session access
e - this is the default behavior. However, if you remove the default registry paths from the list of accessible ones, remote management tools such as the Mic
L\\QUERY: SQL instance access
TITLE:Controlled
CCE-36347-3
e:** If you want to allow remote access, you must also enable the Remote Registry service.
OOLSS: Spooler service
SRPC: License Logging service
TITLE:Controlled
CCE-36021-4
TLOGON: Net Logon service
ARPC: LSA access
e - this is the default behavior.
TITLE:Controlled
CCE-38095-6
MR: Remote access to SAM objects
OWSER: Computer Browser service
e - this is the default configurat
TITLE:Controlled
CCE-37623-6
ous to the release of Windows Server 2003 with Service Pack 1 (SP1) these named pipes were allowed anonymous access by default, but with the increas
ces running as Local System tha
TITLE:Account Mo
CCE-38341-4
benchmarks is consistent.
nt audit policy.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
gs.
nelDisplay.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
u enable this setting, users will no longer be abl
CCE-38347-1
dmx/adml` that is included with LAPS.
mpact. When installed and registered properly, `AdmPwd.dll` takes no action unless given appropriate GPO commands during Group Policy refresh. It is no
TITLE:Configure Account Access Centrally CONTROL:16.9 DESCRIPTION:Configure access for all accounts through a ce
disaster recovery scenario where Active Directory is not available, the local Administrator password will not be retrievable and a local password reset using
ned password expiration longer
TITLE:All Accounts Have A Monitored Expiration Date CONTROL:16.2 DESCRIPTION:Ensure that all accounts have an e
ocal administrator password is managed (provided that the LAPS AdmPwd GPO Extension / CSE is installed on the target computer (see Rule 18.2.1), the
TITLE:Configure Account Access Centrally CONTROL:16.9 DESCRIPTION:Configure access for all accounts through a ce
disaster recovery scenario where Active Directory is not available, the local Administrator password will not be retrievable and a local password reset using
S-generated passwords will be req
TITLE:User Accounts Shall Use Long Passwords CONTROL:5.7 DESCRIPTION:Where multi-factor authentication is not s
S-generated passwords will be re
TITLE:Ensure Workstation Screen Locks Are Configured CONTROL:16.5 DESCRIPTION:Configure screen locks on syste
ecurity Guide.
you enable SEHOP, existing ver
TITLE:Enable Anti-exploitation Features (i.e. DEP, ASLR, EMET) CONTROL:8.4 DESCRIPTION:Enable anti-exploitation f
y.admx/adml` that is available from this TechNet blog post: [The MSS settings – Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/sec
e - this is the default behavior.
TITLE:Account Mo
CCE-37067-6
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
erCaching.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.
adml` that is included with the Microsoft 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
IOS name resolution queries will
TITLE:Limitation and Control of Network Ports, Protocols, and Services CONTROL:9 DESCRIPTION:Limitation and Contro
cy.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.
h.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.
rver.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.
ings.
orkstation.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
Services settings.
TopologyDiscovery.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
onnections.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
s cannot create or configure a N
TITLE:Minimize An
CCE-38002-2
rewall.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
d by Microsoft to _Windows Defender Firewall_ starting with the Microsoft Windows 10 Release 1709 Administrative Templates.
x/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
olation.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
s.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
x/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
eOrder.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
ngs.
onnectNow.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
x/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
e - this is the default behavior.
TITLE:Boundary
CCE-38338-0
benchmarks is consistent.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
dmx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.
/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
gs.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
e - this is the default behavior.
TITLE:Encrypt/Hash
CCE-36925-6
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
host will support the _Restric
TITLE:Account Monitoring and Control CONTROL:16 DESCRIPTION:Account Monitoring and Control;
benchmarks is consistent.
ard.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.
allation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
irection.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.
che.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
mx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
ation settings.
allation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
chAM.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
e - this is the default behavior.
TITLE:Malware D
CCE-37912-3
benchmarks is consistent.
Storage.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.
mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.
VSSAgent.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.
benchmarks is consistent.
rVSSProvider.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
d by Microsoft to _Filesystem_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
rection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
tings.
cy.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
p Policies will be reapplied eve
TITLE:Deploy Syst
CCE-36169-1
cyPreferences.admx/adml` that is included with the Microsoft Windows Server 2008 (non-R2) Administrative Templates (or newer).
nagement.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ngs.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
drivers cannot be downloaded over HTTP.
TITLE:Inventory
CCE-36625-2
e:** This policy setting does not prevent the client computer from printing to printers on the intranet or the Internet over HTTP. It only prohibits downloading
ows is prevented from downloadin
TITLE:Email and
CCE-36096-6
client computer will not be able to print to Internet printers over HTTP.
TITLE:Assess Data
CCE-36920-7
e:** This policy setting affects the client side of Internet printing only. Regardless of how it is configured, a computer could act as an Internet Printing serve
benchmarks is consistent.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
on.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
creen.
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
PC's network connectivity state
TITLE:Controlled
CCE-38353-9
cy.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.
CPL.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
benchmarks is consistent.
dmx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
mx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
mode.
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior.
TITLE:Ensure Work
CCE-36881-1
dmx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
sistance.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior.
TITLE:Limit Open
CCE-36388-7
/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
clients will authenticate to the
TITLE:Limit Open
CCE-37346-4
benchmarks is consistent.
eStorage.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
ager.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
alth.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.
store.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
stics.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
ery.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
ostic.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
ostic Tool.
x/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
covery.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.
admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.
dmx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.
ceDiagnostics.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
rack.
ostic.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
cePerftrack.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.
/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
es.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
leProtection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
dmx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
y.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
me.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
ows Store apps that typically requ
TITLE:Configure Ac
CCE-38354-7
benchmarks is consistent.
at.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Play will not be allowed for MTP
TITLE:Limit Use O
CCE-37636-8
ackup.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 Release 1511 Administrative Templates (except for the
benchmarks is consistent.
.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.
cryption.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
dmx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.
ent.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
benchmarks is consistent.
splay.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
password reveal button will not
TITLE:Account Mo
CCE-37534-5
dmx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.
ptimization.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.
mx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.
mx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
ws an enterprise to apply exploit mitigations to applications that run on Windows. Many of these mitigations were later coded directly into Windows 10 and S
Windows server OSes prior to Server 2016, it is highly recommended that compatibility testing is done on typical server configurations (including all CIS-reco
nel\Program\Programs and Featu
TITLE:Enable Anti-exploitation Features (i.e. DEP, ASLR, EMET) CONTROL:8.4 DESCRIPTION:Enable anti-exploitation f
we only recommend using it with 64-bit OSes.
advanced mitigations available in
TITLE:Enable Anti
CCE-38427-1
July 31, 2018. This does not mean the software will stop working, only that Microsoft will not update it any further past that date, nor troubleshoot new prob
T mitigations will be applied to I
TITLE:Enable Anti
CCE-38428-9
arding.admx/adml` that is included with the Microsoft Windows Server 2008 (non-R2) Administrative Templates (or newer).
og.
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior.
n event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest ent
TITLE:Ensure Audit
CCE-37775-4
ly, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated m
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior.
n event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest ent
TITLE:Ensure Audit
CCE-37145-0
ly, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated m
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
en - this is the default behavior.
event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest ent
TITLE:Ensure Audit CCE-38276-2
ly, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated m
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
en - this is the default behavior.
event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest ent
TITLE:Ensure Audit CCE-36160-0
dxplorer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
by Microsoft to _Family Safety_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
ed - this is the default behavior.
by Microsoft to _File Explorer_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
TITLE:Enable Anti CCE-37809-1
ersions.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.
mx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.
orer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
g.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.
mx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.
zard.admx/adml` that is only included with the Microsoft Windows Vista and Windows Server 2008 (non-R2) Administrative Templates.
benchmarks is consistent.
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
dml` that is included with all versions of the Microsoft Windows Administrative Templates.
dmx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
oviderAdm.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.
mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.
admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
benchmarks is consistent.
x/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.
.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.
.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.
dge.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.
dmx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.
dential.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.
ienceVirtualization.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.
c.admx/adml` that is only included with the Microsoft Windows Server 2008 (non-R2) through the Windows 8.1 Update & Server 2012 R2 Update Administr
benchmarks is consistent.
ojection.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Update Administrative Tem
up Policy template `SkyDrive.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
osoft to _OneDrive_ starting with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates.
s can't access OneDrive from the OneDrive app and file picker. Windows Store apps can't access OneDrive using the `WinRT` API. OneDrive doesn't appe
TITLE:Data Prote CCE-36939-7
se:** If your organization uses Office 365, be aware that this setting will prevent users from saving files to OneDrive/SkyDrive.
benchmarks is consistent.
upport.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Update Administrative Templates.
benchmarks is consistent.
ot.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.
PresentationSettings.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
tall.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
d by Microsoft to _Remote Desktop Services_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ient.
Microsoft to _RD Licensing_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
password saving checkbox will be TITLE:AutomaticallCCE-36223-6
benchmarks is consistent.
erver.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
by Microsoft to _Remote Desktop Session Host_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
p Session Host.
erver-Server.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
ost Device and Resource Redirection.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
redirection will not be possible TITLE:Data Prote CCE-36509-8
benchmarks is consistent.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
benchmarks is consistent.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
amed by Microsoft to _RD Connection Broker_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
ost Security.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
s cannot automatically log on to TITLE:Encrypt/Hash CCE-37929-7
ost Session Temporary folders.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Protect InfoCCE-37946-1
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
s cannot set the Feed Sync EngiTITLE:Uninstall/Di CCE-37126-0
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Assess DataCCE-38277-0
benchmarks is consistent.
R.admx/adml` that is only included with the Microsoft Windows 7 & Server 2008 R2 through the Windows 10 Release 1511 Administrative Templates.
benchmarks is consistent.
nter.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Update Administrative Templates.
benchmarks is consistent.
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
orm.
tionGP.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.
.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
mx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.
I.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates, or by the Group Policy template `WindowsStore
benchmarks is consistent.
c.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
duler.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
admx/adml` that is only included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates and Microsoft Windows 10 Release 1511 A
benchmarks is consistent.
olorSystem.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
.
e.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
efender.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
emed - this is the default behavior.
by Microsoft to _Windows Defender Antivirus_ starting with the Microsoft Windows 10 Release 1703 Administrative Templates.
TITLE:Deploy Autom CCE-36082-6
benchmarks is consistent.
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
benchmarks is consistent.
ervice (MAPS).
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
e - this is the default behavior. TITLE:Malware D CCE-36940-5
benchmarks is consistent.
efender.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
benchmarks is consistent.
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
e - this is the default configuratio TITLE:Deploy Autom CCE-38389-3
benchmarks is consistent.
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
ovable drives will be scanned duTITLE:Data Prote CCE-38409-9
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
benchmarks is consistent.
efender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
benchmarks is consistent.
efender.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.
admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.
rd.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
benchmarks is consistent.
efenderSecurityCenter.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
ren.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
SmartScreen settings.
up Policy template `WindowsExplorer.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
s will be warned before they ar TITLE:Inventory CCE-35859-8
rting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
emory dumps are uploaded accord TITLE:Data Prote CCE-36978-5
benchmarks is consistent.
nsent.
rting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
rting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Data Prote CCE-37112-0
benchmarks is consistent.
benchmarks is consistent.
.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
dmx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.
as renamed by Microsoft to _Windows Hello for Business_ starting with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates.
kWorkspace.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Minimize AnCCE-36400-0
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Disable this polic TITLE:Ensure Work CCE-36977-7
benchmarks is consistent.
ail.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 Release 1703 Administrative Templates.
benchmarks is consistent.
er.admx/adml` that is only included with the Microsoft Windows Vista through Windows 10 Release 1511 Administrative Templates.
benchmarks is consistent.
ediaDRM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
ediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
ollaboration.admx/adml` that is only included with the Microsoft Windows Vista and Server 2008 (non-R2) Administrative Templates.
benchmarks is consistent.
essenger.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
MobilityCenter.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
er.admx/adml` that is only included with the Microsoft Windows Vista and Server 2008 (non-R2) Administrative Templates.
lExecutionPolicy.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
ing of PowerShell script input is TITLE:Automatically Log Off Users After Standard Period Of Inactivity CONTROL:16.4 DESCRIPTION:Regularly monitor t
e - this is the default behavior. TITLE:Automatically Log Off Users After Standard Period Of Inactivity CONTROL:16.4 DESCRIPTION:Regularly monitor t
benchmarks is consistent.
ent (WinRM).
ov.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
gement (WinRM) client.
emoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
emoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:User/Accoun CCE-36310-1
emoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:User/Accoun CCE-36254-1
emoteShell.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
admx/adml` that is only included with the Microsoft Windows Vista Administrative Templates through Microsoft Windows 8.0 & Server 2012 (non-R2) Admi
benchmarks is consistent.
sourceManager.admx/adml` that is only included with the Microsoft Windows Vista through Windows 8.0 & Server 2012 (non-R2) Administrative Templates
pdate.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
al operating system updates andTITLE:Use Automat CCE-36172-5
e - this is the default behavior. TITLE:Use Automat CCE-37027-0
benchmarks is consistent.
pdate.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
enamed by Microsoft to _Windows Update for Business_ starting with the Microsoft Windows 10 Release 1709 Administrative Templates.
trative Templates (ADMX).
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
vePrograms.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
nelDisplay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
nelDisplay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
deen
by Microsoft to _Personalization_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
provided Work
saver runs, that th
TITLE:Ensure the CCE-37970-1
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
ders.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
x/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
cations will not be able to raise TITLE:Ensure WorkCCE-36332-5
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
allation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
rection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
nagement.
cy.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ngs.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
nytimeUpgrade.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.
s renamed by Microsoft to _Add features to Windows x_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
me.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
benchmarks is consistent.
at.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
tManager.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Email and CCE-37424-9
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
ackup.admx/adml` that is included only with the Microsoft Windows Vista through Windows 8.0 & Server 2012 (non-R2) Administrative Templates, as well
benchmarks is consistent.
ent.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.
tion.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.
mx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.
er.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
benchmarks is consistent.
mx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
d by Microsoft to _File Explorer_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
ation.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
benchmarks is consistent.
zard.admx/adml` that is only included with the Microsoft Windows Vista and Windows Server 2008 (non-R2) Administrative Templates.
benchmarks is consistent.
el.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
dmx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.
dge.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
benchmarks is consistent.
x/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
ienceVirtualization.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
benchmarks is consistent.
ojection.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Update Administrative Tem
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
s cannot share files within their TITLE:Protect InfoCCE-38070-9
benchmarks is consistent.
PresentationSettings.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
erver.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
d by Microsoft to _Remote Desktop Services_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
mx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
mx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
benchmarks is consistent.
.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
I.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates and Microsoft Windows 8.1 & Server 2012
benchmarks is consistent.
dmx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
duler.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
olorSystem.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
en.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
benchmarks is consistent.
benchmarks is consistent.
rting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
dmx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
as renamed by Microsoft to _Windows Hello for Business_ starting with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates.
adml` that is included with all versions of the Microsoft Windows Administrative Templates.
e - this is the default behavior. TITLE:Minimize AnCCE-37490-0
benchmarks is consistent.
admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
ail.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 Release 1703 Administrative Templates.
benchmarks is consistent.
er.admx/adml` that is only included with the Microsoft Windows Vista through Windows 10 Release 1511 Administrative Templates.
ediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
benchmarks is consistent.
ediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
back.
ediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
access for all accounts through a centralized point of authentication, for example Active Directory or LDAP. Configure network and security devices for centralized authentication as well.;
N:Ensure that all accounts have an expiration date that is monitored and enforced.;
re multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system (longer than 14 characters).;
ity-baseline-for-windows-10-creators-update-v1703-final/).
re that only ports, protocols, and services with validated business needs are running on each system.;
CRIPTION:Enable anti-exploitation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), virtualization/containerization, etc. For increased protection, deploy capabilities such as Enhanced Mitigation Experience Toolkit (EMET) that can be configured to apply these protections to a broader set of applications and executables.;
https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/)
DESCRIPTION:Limitation and Control of Network Ports, Protocols, and Services;
KB 3000483](https://support.microsoft.com/en-us/kb/3000483) security update and the Microsoft Windows 10 RTM (Release 1507) Administrative Templat
Workstations, and Servers CONTROL:3 DESCRIPTION:Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers;
ring and Control;
inistrative Templates (except for the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates).
configurations (including all CIS-recommended EMET settings) before widespread deployment to your environment.
that date, nor troubleshoot new problems with it. They are instead recommending that servers be upgraded to Server 2016.
roup Policy template `WindowsStore.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
4 DESCRIPTION:Regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity.;
2) Administrative Templates, as well as the Microsoft Windows 10 RTM (Release 1507) and Windows 10 Release 1511 Administrative Templates.
that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
section
recommendation
# # title status scoring status description rationale statement
remediation procedure
1 Account Policies accepted This section contains recommendations for account policies.
1.1 Password Policy accepted This section contains recommendations for password policy.
1.2 Account Lockout Paccepted This section contains recommendations for account lockout policy.
2 Local Policies accepted This section contains recommendations for local policies.
2.1 Audit Policy accepted This section is intentionally blank and exists to ensure the structure of Windo
2.2 User Rights Assi accepted This section contains recommendations for user rights
To establish assignments. configu
the recommended
This policy setting allows accounts to log on using the task scheduler service
2.2 2.2.29 (L2) Ensure 'Log on
acceptedfull The **Log on as a b```
The recommended state for this settingComputer
is: `Administrators`.
Configuration\Windows Setti
2.3 Security Options accepted This section contains recommendations ``` for security options.
2.3.1 Accounts accepted This section contains recommendations related to default accounts.
2.3.2 Audit accepted This section contains recommendations related to auditing controls.
2.3.3 DCOM accepted This section is intentionally blank and exists to ensure the structure of Windo
2.3.4 Devices accepted This section contains recommendations related to managing devices.
2.3.5 Domain controller accepted This section contains recommendations related to Domain Controllers.
2.3.6 Domain member accepted This section contains recommendations related to domain membership.
2.3.7 Interactive logon accepted This section contains recommendations related to interactive logons.
2.3.8 Microsoft network accepted This section contains recommendations related to configuring the Microsoft
2.3.9 Microsoft network accepted This section contains recommendations related to configuring the Microsoft
2.3.12 Recovery console accepted This section is intentionally blank and exists to ensure the structure of Windo
2.3.13 Shutdown accepted This section contains recommendations related to the Windows shutdown fu
2.3.14 System cryptogra accepted This section is intentionally blank and exists to ensure the structure of Windo
2.3.15 System objects accepted This section contains recommendations related to system objects.
2.3.16 System settings draft This section is intentionally blank and exists to ensure the structure of Windo
2.3.17 User Account Cont accepted This section contains recommendations related to User Account Control.
3 Event Log accepted This section is intentionally blank and exists to ensure the structure of Windo
4 Restricted Groups accepted This section is intentionally blank and exists to ensure the structure of Windo
5 System Services accepted This section is intentionally blank and exists to ensure the structure of Windo
6 Registry accepted This section is intentionally blank and exists to ensure the structure of Windo
7 File System accepted This section is intentionally blank and exists to ensure the structure of Windo
8 Wired Network (IE accepted This section is intentionally blank and exists to ensure the structure of Windo
9 Windows Firewall accepted This section contains recommendations for configuring the Windows Firewa
9.1 Domain Profile accepted This section contains recommendations for the Domain Profile of the Windo
9.2 Private Profile accepted This section contains recommendations for the Private Profile of the Window
9.3 Public Profile accepted This section contains recommendations for the Public Profile of the Window
10 Network List Mana accepted This section is intentionally blank and exists to ensure the structure of Windo
11 Wireless Network accepted This section is intentionally blank and exists to ensure the structure of Windo
12 Public Key Policie accepted This section is intentionally blank and exists to ensure the structure of Windo
13 Software Restricti accepted This section is intentionally blank and exists to ensure the structure of Windo
14 Network Access Pr accepted This section is intentionally blank and exists to ensure the structure of Windo
15 Application Contro accepted This section is intentionally blank and exists to ensure the structure of Windo
16 IP Security Policie accepted This section is intentionally blank and exists to ensure the structure of Windo
17 Advanced Audit Po accepted This section contains recommendations for configuring the Windows audit fa
17.1 Account Logon accepted This section contains recommendations for configuring the Account Logon a
17.2 Account Managem accepted This section contains recommendations for configuring the Account Manage
17.3 Detailed Tracking accepted This section contains recommendations for configuring the Detailed Tracking
17.4 DS Access accepted This section contains recommendations for configuring the Directory Service
17.5 Logon/Logoff accepted This section contains recommendations for configuring the Logon/Logoff aud
17.6 Object Access accepted This section contains recommendations for configuring the Object Access au
17.7 Policy Change accepted This section contains recommendations for configuring the Policy Change a
17.8 Privilege Use accepted This section contains recommendations for configuring the Privilege Use au
17.9 System accepted This section contains recommendations for configuring the System audit pol
18 Administrative Te accepted This section contains computer-based recommendations from Group Policy
18.1 Control Panel accepted
This section contains recommendations for Control Panel settings.
This Group Policy section is provided by the Group Policy template `Window
18.1.1 Personalization accepted
This section contains recommendations for Control Panel personalization se
This Group Policy section is provided by the Group Policy template `Control
18.2 LAPS accepted
This section contains recommendations for configuring Microsoft Local Adm
This Group Policy section is provided by the Group Policy template `AdmPw
18.3 MS Security Guid accepted
This section contains settings for configuring additional settings from the MS
This Group Policy section is provided by the Group Policy template `SecGui
18.4 MSS (Legacy) accepted
This section contains recommendations for the Microsoft Solutions for Secu
This Group Policy section is provided by the Group Policy template `MSS-le
18.4 18.4.5 (L2) Ensure 'MSS: accepted full An attacker who is
This value controls how often TCP attempts to verify that an idle connection
The recommended state for this setting is: `Enabled: 300,000 or 5 minutes (
**Note:** This Group Policy path does
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
18.4 18.4.7 (L2) Ensure 'MSS: accepted full An attacker who h
This setting is used to enable or disable the Internet Router Discovery Proto
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path does
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
18.4 18.4.10 (L2) Ensure 'MSS: accepted full A malicious user c
This setting controls the number of times that TCP retransmits an individual
The recommended state for this setting is: `Enabled: 3`.
**Note:** This Group Policy path does
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
18.4 18.4.11 (L2) Ensure 'MSS: accepted full A malicious user c
This setting controls the number of times that TCP retransmits an individual
The recommended state for this setting is: `Enabled: 3`.
**Note:** This Group Policy path does
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
18.5 Network accepted
This section contains recommendations for network settings.
This Group Policy section is provided by the Group Policy template `Window
18.5.1 Background Intelli accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Bits.adm
18.5.2 BranchCache accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `PeerTo
18.5.3 DirectAccess Clie accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `nca.adm
18.5.4 DNS Client accepted
This section contains recommendations related to DNS Client.
This Group Policy section is provided by the Group Policy template `DnsClie
18.5.5 Fonts draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `GroupP
18.5.6 Hotspot Authentic accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `hotspot
This section is intentionally blank and exists to ensure the structure of Windo
18.5.7 Lanman Server accepted
This Group Policy section is provided by the Group Policy template `Lanman
18.5.8 Lanman Workstati draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Lanman
18.5.9 Link-Layer Topolo accepted
This section contains recommendations for Link-Layer Topology Discovery s
This Group Policy section is provided by the Group Policy template `LinkLay
18.5.9 18.5.9.1 (L2) Ensure 'Turn accepted full To help protect fr
This policy setting changes the operational behavior of the Mapper I/O netw
LLTDIO allows a computer to discover the topology of a network it's connect
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path is pro
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
18.5.9 18.5.9.2 (L2) Ensure 'Turn accepted full To help protect fr
This policy setting changes the operational behavior of the Responder netwo
The Responder allows a computer to participate in Link Layer Topology Disc
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path is pro
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
18.5.10 Microsoft Peer-to accepted
This section contains recommendations for Microsoft Peer-to-Peer Networki
This Group Policy section is provided by the Group Policy template `P2P-pn
18.5.10 18.5.10. (L2) Ensure 'Turn accepted full This setting enhan
The Peer Name Resolution Protocol (PNRP) allows for distributed resolution
Peer-to-Peer protocols allow for applications in the areas of RTC, collaborat
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
18.5.10.1 Peer Name Resolut accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `P2P-pn
18.5.11 Network Connecti accepted
This section contains recommendations for Network Connections settings.
This Group Policy section is provided by the Group Policy template `Network
18.5.11.1 Windows Defender accepted
This section is intentionally blank and exists to ensure the structure of Windo
**Note:** This section was initially named _Windows Firewall_ but was rena
This Group Policy section is provided by the Group Policy template `Window
18.5.12 Network Connectivi accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `NCSI.a
This section is intentionally blank and exists to ensure the structure of Windo
18.5.13 Network Isolation accepted
This Group Policy section is provided by the Group Policy template `Network
18.5.14 Network Provider accepted
This section contains recommendations for Network Provider settings.
This Group Policy section is provided by the Group Policy template `Network
18.5.15 Offline Files accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `OfflineF
18.5.16 QoS Packet Sched accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `QOS.ad
18.5.17 SNMP accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Snmp.a
18.5.18 SSL Configuration accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `CipherS
18.5.19 TCPIP Settings accepted
This section contains TCP/IP configuration settings.
This Group Policy section is provided by the Group Policy template `tcpip.ad
18.5.19.1 IPv6 Transition T accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `tcpip.ad
18.5.19.2 Parameters accepted
This section contains TCP/IP parameter configuration settings.
This Group Policy section is provided by the Group Policy template `tcpip.ad
18.5.19. 18.5.19.2 (L2) Disable IPv6 accepted full Since the vast maj
Internet Protocol version 6 (IPv6) is a set of protocols that computers use to
The recommended state for this setting is: `DisabledComponents - 0xff (255
**Note:** This change does not take ef
**Note #2:** Although Microsoft does n
To establish the recommended configu
```
HKEY_LOCAL_MACHINE\SYSTEM\C
```
18.5.20 Windows Connect accepted
This section contains recommendations for Windows Connect Now settings.
This Group Policy section is provided by the Group Policy template `Window
18.5.20 18.5.20. (L2) Ensure 'Confi accepted full This setting enhan
This policy setting allows the configuration of wireless settings using Window
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path is pro
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
18.5.20 18.5.20. (L2) Ensure 'Prohi accepted full Allowing standard
This policy setting prohibits access to Windows Connect Now (WCN) wizard
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path may n
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
18.5.21 Windows Connect accepted
This section contains recommendations for Windows Connection Manager s
This Group Policy section is provided by the Group Policy template `WCM.a
This section is intentionally blank and exists to ensure the structure of Windo
18.6 Printers accepted
This Group Policy section is provided by the Group Policy template `Window
18.7 Start Menu and T accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window
18.8 System accepted
This section contains recommendations for System settings.
This Group Policy section is provided by the Group Policy template `Window
18.8.1 Access-Denied As accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `srm-fci.
18.8.2 App-V accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `appv.ad
18.8.3 Audit Process Cre accepted
This section contains settings related to auditing of process creation events.
This Group Policy section is provided by the Group Policy template `AuditSe
18.8.4 Credentials Deleg accepted
This section contains settings related to Credential Delegation.
This Group Policy section is provided by the Group Policy template `CredSs
18.8.5 Device Guard accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DeviceG
18.8.6 Device Health Atte accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `TPM.ad
18.8.7 Device Installation draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DeviceI
18.8.8 Device Redirectio accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DeviceR
18.8.9 Disk NV Cache accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DiskNV
18.8.10 Disk Quotas accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DiskQu
18.8.11 Display accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Display
18.8.12 Distributed COM accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DCOM.
18.8.13 Driver Installation accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DeviceI
18.8.14 Early Launch Anti accepted
This section contains recommendations for configuring boot-start driver initia
This Group Policy section is provided by the Group Policy template `EarlyLa
18.8.15 Enhanced Storage accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Enhanc
18.8.16 File Classification accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `srm-fci.
18.8.17 File Share Shado accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `FileServ
18.8.18 File Share Shado accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy templates `FileSe
18.8.19 Filesystem (forme accepted
This section is intentionally blank and exists to ensure the structure of Windo
**Note:** This section was initially named _NTFS Filesystem_ but was renam
This Group Policy section is provided by the Group Policy template `FileSys
18.8.20 Folder Redirection accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `FolderR
18.8.21 Group Policy accepted
This section contains recommendations for configuring group policy-related
This Group Policy section is provided by the Group Policy template `GroupP
18.8.21.1 Logging and traci accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `GroupPM
18.8.22 Internet Communi accepted
This section contains recommendations related to Internet Communication
This Group Policy section is provided by the Group Policy template `Window
18.8.22.1 Internet Communic accepted
This section contains recommendations related to Internet Communication s
This Group Policy section is provided by the Group Policy template `Window
18.8.22. 18.8.22.1 (L2) Ensure 'Turn o accepted full A person's handwri
This setting turns off data sharing from the handwriting recognition personal
The handwriting recognition personalization tool enables Tablet PC users to
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path may n
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
18.8.22. 18.8.22.1 (L2) Ensure 'Turn o accepted full A person's handwri
Turns off the handwriting recognition error reporting tool.
The handwriting recognition error reporting tool enables users to report error
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
18.8.22. 18.8.22.1 (L2) Ensure 'Turn accepted full In an enterprise m
This policy setting specifies whether the Internet Connection Wizard can con
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
18.8.22. 18.8.22.1 (L2) Ensure 'Turn o accepted full Users in an enterp
This policy setting specifies whether the Windows Registration Wizard conn
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
18.8.22. 18.8.22.1 (L2) Ensure 'Turn accepted full There is a small r
This policy setting specifies whether Search Companion should automatical
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
18.8.22. 18.8.22.1 (L2) Ensure 'Turn o accepted full In an enterprise m
This policy setting specifies whether the "Order Prints Online" task is availab
The Order Prints Online Wizard is used to download a list of providers and a
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
18.8.22. 18.8.22. (L2) Ensure 'Turn o accepted full Users may publish c
This policy setting specifies whether the tasks Publish this file to the Web, P
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
18.8.22. 18.8.22. (L2) Ensure 'Turn accepted full Large enterprise
This policy setting specifies whether Windows Messenger can collect anony
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
18.8.22. 18.8.22. (L2) Ensure 'Turn accepted full Large enterprise
This policy setting specifies whether Windows Messenger can collect anony
Microsoft uses information collected through the Windows Customer Experie
**Note:** This Group Policy path is pro
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
18.8.22. 18.8.22. (L2) Ensure 'Turn accepted full If a Windows Error
This policy setting controls whether or not errors are reported to Microsoft.
Error Reporting is used to report information about a system or application th
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
18.8.23 iSCSI accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `iSCSI.a
18.8.24 KDC accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `KDC.ad
18.8.25 Kerberos draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Kerbero
18.8.26 Locale Services accepted
This section contains recommendations for Locale Services settings.
This Group Policy section is provided by the Group Policy template `Globaliz
18.8.26 18.8.26. (L2) Ensure 'Disal accepted full This is a way to i
This policy setting prevents automatic copying of user input methods to the system
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path may n
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
18.8.27 Logon accepted
This section contains recommendations related to the logon process and loc
This Group Policy section is provided by the Group Policy template `Logon.a
18.8.28 Mitigation Options draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `GroupP
This section is intentionally blank and exists to ensure the structure of Windo
18.8.29 Net Logon accepted
This Group Policy section is provided by the Group Policy template `Netlogo
18.8.30 OS Policies accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `OSPolic
18.8.31 Performance Contr accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `PerfCen
18.8.32 PIN Complexity accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Passpo
18.8.33 Power Manageme accepted
This section contains recommendations for Power Management settings.
This Group Policy section is provided by the Group Policy template `Power.a
18.8.33.1 Button Settings accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Power.a
18.8.33.2 Energy Saver Sett accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Power.a
18.8.33.3 Hard Disk Setting accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Power.a
18.8.33.4 Notification Settin accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Power.a
18.8.33.5 Power Throttling S accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Power.a
18.8.33.6 Sleep Settings accepted
This section contains recommendations related to Power Management Slee
This Group Policy section is provided by the Group Policy template `Power.a
18.8.34 Recovery accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `ReAgen
18.8.35 Remote Assistanc accepted
This section contains recommendations related to Remote Assistance.
This Group Policy section is provided by the Group Policy template `Remote
18.8.36 Remote Procedure accepted
This section contains recommendations related to Remote Procedure Call.
This Group Policy section is provided by the Group Policy template `RPC.ad
18.8.37 Removable Storag accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Remova
18.8.38 Scripts accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Scripts.
18.8.39 Server Manager accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `ServerM
18.8.40 Shutdown accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `WinInit.
18.8.41 Shutdown Options accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Winsrv.
18.8.42 Storage Health accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Storage
18.8.43 System Restore accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `System
18.8.44 Troubleshooting a accepted
This section contains recommendations related to Troubleshooting and Diag
This Group Policy section is provided by the Group Policy template `Window
18.8.44.1 Application Compat accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `pca.adm
18.8.44.2 Corrupted File Re accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `FileRec
18.8.44.3 Disk Diagnostic accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DiskDia
18.8.44.4 Fault Tolerant He accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `fthsvc.a
18.8.44.5 Microsoft Support accepted
This section contains recommendations related to the Microsoft Support Dia
This Group Policy section is provided by the Group Policy template `MSDT.a
18.8.44. 18.8.44.5 (L2) Ensure 'Micro accepted full Due to privacy con
This policy setting configures Microsoft Support Diagnostic Tool (MSDT) inte
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path may n
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
18.8.44.6 MSI Corrupted Fil accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Msi-File
18.8.44.7 Scheduled Mainte accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `sdiagsc
18.8.44.8 Scripted Diagnost accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `sdiagen
18.8.44.9 Windows Boot Per accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Perform
18.8.44.10 Windows Memory accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `LeakDia
18.8.44.11 Windows Performa accepted
This section contains recommendations related to Windows Performance Pe
This Group Policy section is provided by the Group Policy template `Perform
To establish the recommended configu
**Note #2:** EMET has been reported to be very problematic on 32-bit OSes
**Note #3:** Microsoft has announced that EMET will be End-Of-Life (EOL)
18.9.25 Event Forwarding accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `EventFo
18.9.26 Event Log Service accepted
This section contains recommendations for configuring the Event Log Servic
This Group Policy section is provided by the Group Policy template `EventLo
18.9.26.1 Application accepted
This section contains recommendations for configuring the Application Even
This Group Policy section is provided by the Group Policy template `EventLo
18.9.26.2 Security accepted
This section contains recommendations for configuring the Security Event L
This Group Policy section is provided by the Group Policy template `EventLo
18.9.26.3 Setup accepted
This section contains recommendations for configuring the Setup Event Log
This Group Policy section is provided by the Group Policy template `EventLo
18.9.26.4 System accepted
This section contains recommendations for configuring the System Event Lo
This Group Policy section is provided by the Group Policy template `EventLo
18.9.27 Event Logging accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `EventLo
18.9.28 Event Viewer accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `EventV
18.9.29 Family Safety (for accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Parenta
This section contains recommendations to control the availability of options
r account policies.
r password policy.
r security options.
he Group Policy
r Control template `Windows.admx/adml`
Panel personalization settings. that is included with all versions of the Microsoft Windows Administrative Templates.
he Group Policy
r configuring template
Microsoft `ControlPanelDisplay.admx/adml`
Local that(LAPS).
Administrator Password Solution is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templa
he
ng Group Policy
additional template
settings from`AdmPwd.admx/adml` that is included with LAPS.
the MS Security Guide.
he Group
r the PolicySolutions
Microsoft template for
`SecGuide.admx/adml`
Security (MSS) settings.that is available from Microsoft at [this link](https://blogs.technet.microsoft.com/secguide/2017/08/30/secu
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
he Group Policy template `MSS-legacy.admx/adml` that is available from this TechNet blog post: [The MSS settings – Microsoft Security Guidance blog](ht
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
Keep-alive packets are not sent by d
TITLE:Limitation CCE-36868-8
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:KeepAliveTime
```
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
Windows will not automatically dete
TITLE:Limitation CCE-38065-9
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:PerformRouterDiscovery
```
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
TCP starts a retransmission timer wh
TITLE:Limitation CCE-37846-3
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters:TcpMaxDataRetransmissions
```
TCP starts a retransmission timer wh
TITLE:Limitation CCE-36051-1
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:TcpMaxDataRetransmissions
```
r network settings.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Bits.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `PeerToPeerCaching.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or n
elated to DNS Client.
he Group Policy template `nca.admx/adml` that is included with the Microsoft 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `DnsClient.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `GroupPolicy.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `hotspotauth.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or ne
he Group Policy template `LanmanServer.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
ts to ensure the structure of Windows benchmarks is consistent.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:AllowLLTDIOOnDomain
```
r Link-Layer Topology Discovery settings.
he Group Policy template `LanmanWorkstation.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:AllowRspndrOnDomain
```
he Group Policy template `LinkLayerTopologyDiscovery.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:AllowLLTDIOOnPublicNet
```
None - this is the default behavior. TITLE:Limitation CCE-38170-7
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:AllowRspndrOnPublicNet
```
None - this is the default behavior. TITLE:Limitation CCE-37959-4
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:EnableLLTDIO
```
r Microsoft Peer-to-Peer Networking Services settings.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:EnableRspndr
```
he Group Policy template `P2P-pnrp.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:ProhibitLLTDIOOnPrivateNet
```
Microsoft Peer-to-Peer Networking Ser TITLE:Limit Open CCE-37699-6
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet:Disabled
```
ts to ensure the structure of Windows benchmarks is consistent.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:ProhibitRspndrOnPrivateNet
```
r Network Connections settings.
he Group Policy template `P2P-pnrp.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `NetworkConnections.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
he Group Policy template `WindowsFirewall.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
_Windows Firewall_ but was renamed by Microsoft to _Windows Defender Firewall_ starting with the Microsoft Windows 10 Release 1709 Administrative T
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `NCSI.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
r Network Provider settings.
he Group Policy template `NetworkIsolation.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `NetworkProvider.admx/adml` that is included with the [MS15-011](https://technet.microsoft.com/library/security/MS15-011) / [MS
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `OfflineFiles.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `QOS.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Snmp.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
n settings.
he Group Policy template `CipherSuiteOrder.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `tcpip.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
onfiguration settings.
he Group Policy template `tcpip.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
Connectivity to other systems using IPv6 will no longer operate, and software that depends on IPv6 will cease to function. E
he Group Policy template `tcpip.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
Re
This registry change is documented in Microsoft Knowledge Base article 929852: [How to disable IPv6 or its components in
TITLE:Limitation and Control of Network Ports, Protocols, and Services CONTROL:9
r Windows Connect Now settings.
**Note:** This registry change does not take effect until the next reboot.
he Group Policy template `WindowsConnectNow.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:EnableRegistrars
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:DisableUPnPRegistrar
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:DisableInBand802DOT11Registrar
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:DisableFlashConfigRegistrar
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:DisableWPDRegistrar
```
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
WCN operations are disabled over al
TITLE:Configure On CCE-37481-9
The WCN wizards are turned off and us
TITLE:Configure On CCE-36109-7
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI:DisableWcnUi
```
r Windows Connection Manager settings.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `WCM.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
r System settings.
he Group Policy template `Windows.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `srm-fci.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)
uditing of process creation events.
he Group Policy template `appv.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or new
redential Delegation.
he Group Policy template `AuditSettings.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `CredSsp.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `DeviceGuard.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or new
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `TPM.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
he Group Policy template `DeviceInstallation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `DeviceRedirection.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or new
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `DiskNVCache.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `DiskQuota.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Display.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `DCOM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
r configuring boot-start driver initialization settings.
he Group Policy template `DeviceInstallation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `EarlyLaunchAM.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `EnhancedStorage.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or new
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `srm-fci.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `FileServerVSSAgent.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templa
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `FileServerVSSProvider.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Tem
he Group Policy template `FileSys.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
_NTFS Filesystem_ but was renamed by Microsoft to _Filesystem_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
r configuring group policy-related settings.
he Group Policy template `FolderRedirection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `GroupPolicy.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
elated to Internet Communication Management.
he Group Policy template `GroupPolicyPreferences.admx/adml` that is included with the Microsoft Windows Server 2008 (non-R2) Administrative Template
elated to Internet Communication settings.
he Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
he Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
Tablet PC users cannot choose to sha
TITLE:Data Prote CCE-37911-5
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC:PreventHandwritingDataSharing
```
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
Users cannot start handwriting rec
TITLE:Data Prote CCE-36203-8
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports:PreventHandwritingErrorReports
```
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
The "Choose a list of Internet Servic
TITLE:Data Prote CCE-37163-3
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard:ExitOnMSICW
```
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
Users are blocked from connecting to Microsoft.com for
CCE-36352-3
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control:NoRegistration
```
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
Search Companion does not download content updates during searches.
TITLE:Data Prote CCE-36884-5
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion:DisableContentFileUpdates
```
**Note:** Internet searches will still send the search text and information about the search to Microsoft and the chosen sear
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
The task "Order Prints Online" is rem
TITLE:Data Prote CCE-38275-4
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoOnlinePrintsWizard
```
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
The "Publish to Web" task is removed
TITLE:Data Prote CCE-37090-8
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoPublishingWizard
```
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
Windows Messenger will not collect us
TITLE:Data Prote CCE-36628-6
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client:CEIP
```
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
All users are opted out of the Win
TITLE:Data Prote CCE-36174-1
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows:CEIPEnable
```
Users are not given the option to repo
TITLE:Data Prote CCE-35964-6
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting:Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting:DoReport
```
ts to ensure the structure of Windows benchmarks is consistent.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `iSCSI.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `KDC.admx/adml` that is included with the Microsoft Windows Server 2008 (non-R2) Administrative Templates (or newer).
r Locale Services settings.
he Group Policy template `Kerberos.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
he Group Policy template `Globalization.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Users will have input methods enable
TITLE:Ensure Work CCE-36343-2
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International:BlockUserInputMethodsForSignIn
```
elated to the logon process and lock screen.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Logon.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
he Group Policy template `GroupPolicy.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newe
ts to ensure the structure of Windows benchmarks is consistent.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Netlogon.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `OSPolicy.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `PerfCenterCPL.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non
r Power Management settings.
he Group Policy template `Passport.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Power.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Power.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Power.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or ne
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Power.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Power.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
elated to Power Management Sleep mode.
he Group Policy template `Power.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Power.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
elated to Remote Assistance.
he Group Policy template `ReAgent.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
elated to Remote Procedure Call.
he Group Policy template `RemoteAssistance.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `RPC.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `RemovableStorage.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Scripts.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `ServerManager.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `WinInit.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Winsrv.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `StorageHealth.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
elated to Troubleshooting and Diagnostics.
he Group Policy template `SystemRestore.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `pca.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `FileRecovery.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `DiskDiagnostic.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
elated to the Microsoft Support Diagnostic Tool.
he Group Policy template `fthsvc.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
he Group Policy template `MSDT.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
MSDT cannot run in support mode, and
TITLE:Data Prote CCE-38161-6
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy:DisableQueryRemoteServer
```
ts to ensure the structure of Windows benchmarks is consistent.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Msi-FileRecovery.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or new
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `sdiagschd.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `sdiageng.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `PerformanceDiagnostics.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
elated to Windows Performance PerfTrack.
he Group Policy template `LeakDiagnostic.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
he Group Policy template `PerformancePerftrack.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
elated to the Windows Time Service.
he Group Policy template `HotStart.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non-R2) Ad
elated to Time Providers.
he Group Policy template `W32Time.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
he Group Policy template `W32Time.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
You can set the local computer clock
TITLE:Use At Leas CCE-37843-0
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient:Enabled
```
r Windows Component settings.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `adfs.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non-R2) Admin
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `ActiveXInstallService.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
he Group Policy template `WindowsAnytimeUpgrade.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates
ts to ensure the structure of Windows benchmarks is consistent.
_Windows Anytime Upgrade_ but was renamed by Microsoft to _Add features to Windows x_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `AppxPackageManager.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Temp
r App runtime settings.
he Group Policy template `AppPrivacy.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `AppXRuntime.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or
r AutoPlay policies.
he Group Policy template `AppCompat.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `AutoPlay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `UserDataBackup.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 Release 1511 Adm
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Biometrics.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `VolumeEncryption.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Camera.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or n
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `CloudContent.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
elated to the Credential User Interface.
he Group Policy template `WirelessDisplay.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templa
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `CredUI.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Windows.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `DeliveryOptimization.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `Sidebar.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `DWM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `DeviceCompat.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (o
he Group Policy template `WorkplaceJoin.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newe
ts to ensure the structure of Windows benchmarks is consistent.
r configuring Microsoft Enhanced Mitigation Experience Toolkit (EMET).
_Workplace Join_ but was renamed by Microsoft to _Device Registration_ starting with the Microsoft Windows 10 RTM (Release 1507) Administrative Tem
ts to ensure the structure of Windows benchmarks is consistent.
he Group Policy template `DigitalLocker.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
`EMET.admx/adml` that is included with Microsoft EMET.
the Group Policy template `EdgeUI.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
software developed by Microsoft that allows an enterprise to apply exploit mitigations to applications that run on Windows. Many of these mitigations were later
at enhancing exploit protection on Windows server OSes prior to Server 2016, it is highly recommended that compatibility testing is done on typical server
be very problematic on 32-bit OSes - we only recommend using it with 64-bit OSes.
t EMET will be End-Of-Life (EOL) on July 31, 2018. This does not mean the software will stop working, only that Microsoft will not update it any further past
exists to ensure the structure of Windows benchmarks is consistent.
for configuring the Event Log Service.
the Group Policy template `EventForwarding.admx/adml` that is included with the Microsoft Windows Server 2008 (non-R2) Administrative Templates (or ne
for configuring the Application Event Log.
the Group Policy template `EventLog.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
for configuring the Security Event Log.
the Group Policy template `EventLog.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
for configuring the Setup Event Log.
the Group Policy template `EventLog.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
for configuring the System Event Log.
the Group Policy template `EventLog.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `EventLog.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `EventLogging.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or new
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `EventViewer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
control the availability of options such as menu items and tabs in dialog boxes.
the Group Policy template `ParentalControls.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 RTM (Release 150
_Parental Controls_ but was renamed by Microsoft to _Family Safety_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Tem
the Group Policy template `WindowsExplorer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
_Windows Explorer_ but was renamed by Microsoft to _File Explorer_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Tem
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `PreviousVersions.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `FileHistory.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or ne
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `FindMy.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `GameExplorer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `Handwriting.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `Sharing.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `CaptureWizard.admx/adml` that is only included with the Microsoft Windows Vista and Windows Server 2008 (non-R2) Administr
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `InetRes.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
the Group Policy template `IIS.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Location and Sensors.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
the Group Policy template `Sensors.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
The location feature is turned off, a
TITLE:Data Prote
CCE-36886-0
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors:DisableLocation
```
Windows Location Provider.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
the Group Policy template `LocationProviderAdm.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templ
The Windows Location Provider feature is turned off, a
CCE-38225-9
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors:DisableWindowsLocationProvider
```
exists to ensure the structure of Windows benchmarks is consistent.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `msched.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newe
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `WinMaps.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `MDM.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or new
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `Messaging.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `MSAPolicy.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `MicrosoftEdge.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or ne
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `FidoAuth.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `DeviceCredential.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templ
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `UserExperienceVirtualization.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administr
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `Conf.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
the Group Policy template `NAPXPQec.admx/adml` that is only included with the Microsoft Windows Server 2008 (non-R2) through the Windows 8.1 Update
exists to ensure the structure of Windows benchmarks is consistent.
related to OneDrive.
the Group Policy template `NetworkProjection.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server
n this section are provided by the Group Policy template `SkyDrive.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administr
exists to ensure the structure of Windows benchmarks is consistent.
_SkyDrive_ but was renamed by Microsoft to _OneDrive_ starting with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `HelpAndSupport.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `PswdSync.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `ExternalBoot.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or n
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `MobilePCPresentationSettings.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
related to Remote Desktop Services.
the Group Policy template `PushToInstall.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
_Terminal Services_ but was renamed by Microsoft to _Remote Desktop Services_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
for the Remote Desktop Connection Client.
_TS Licensing_ but was renamed by Microsoft to _RD Licensing_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
for the Remote Desktop Session Host.
the Group Policy template `TerminalServer.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (o
the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
_Terminal Server_ but was renamed by Microsoft to _Remote Desktop Session Host_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrat
for Connections to the Remote Desktop Session Host.
the Group Policy template `TerminalServer-Server.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (o
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
None - this is the default behavior.
CCE-37708-5
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fSingleSessionPerUser
```
related to Remote Desktop Session Host Device and Resource Redirection.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
Users in a Remote Desktop Services se
TITLE:Limit Open
CCE-37696-2
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fDisableCcm
```
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
Users in a Remote Desktop Services se
TITLE:Limit Open
CCE-37778-8
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fDisableLPT
```
Users in a Remote Desktop Services se
TITLE:Limit Open
CCE-37477-7
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fDisablePNPRedir
```
exists to ensure the structure of Windows benchmarks is consistent.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
_TS Connection Broker_ but was renamed by Microsoft to _RD Connection Broker_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative
related to Remote Desktop Session Host Security.
the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
related to Remote Desktop Session Host Session Time Limits.
the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
Remote Desktop Services will automat
TITLE:Ensure Work
CCE-37562-6
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:MaxIdleTime
```
Disconnected Remote Desktop sessions
TITLE:Ensure Work
CCE-37949-5
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:MaxDisconnectionTime
```
related to Remote Desktop Session Host Session Temporary folders.
related to RSS feeds.
the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
for Search settings.
the Group Policy template `InetRes.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
the Group Policy template `Search.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Usage information from Search is shar
TITLE:Data Prote
CCE-36937-1
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search:ConnectedSearchPrivacy
```
exists to ensure the structure of Windows benchmarks is consistent.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `SearchOCR.admx/adml` that is only included with the Microsoft Windows 7 & Server 2008 R2 through the Windows 10 Release
the Group Policy template `SecurityCenter.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `Snis.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Upd
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `WinInit.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
related to the Software Protection Platform.
the Group Policy template `SmartCard.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
the Group Policy template `AVSValidationGP.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or
The computer is prevented from sending data to Microsoft regarding its KMS client activation state.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform:NoGenTicket
```
exists to ensure the structure of Windows benchmarks is consistent.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `SoundRec.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `Speech.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `WinStoreUI.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates, or by the G
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `SettingSync.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or n
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `TaskScheduler.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `TextInput.admx/adml` that is only included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates and M
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `WinCal.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `WindowsColorSystem.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
related to Windows Defender Antivirus.
the Group Policy template `CEIPEnable.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
the Group Policy template `WindowsDefender.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
d _Windows Defender_ but was renamed by Microsoft to _Windows Defender Antivirus_ starting with the Microsoft Windows 10 Release 1703 Administrat
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
related to Microsoft Active Protection Service (MAPS).
the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is in effect when th
the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
None - this is the default behavior.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet:SpynetReporting
```
exists to ensure the structure of Windows benchmarks is consistent.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newe
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
Real-time Protection.
the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
Windows Defender Reporting.
the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
Watson events will not be sent to Mic
TITLE:Data Prote
CCE-36950-4
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting:DisableGenericRePorts
```
Windows Defender scanning.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newe
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `AppHVSI.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `ExploitGuard.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
the Group Policy template `WindowsDefenderSecurityCenter.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Temp
SmartScreen settings.
for Explorer-related Windows Defender SmartScreen settings.
the Group Policy template `SmartScreen.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
related to Windows Error Reporting.
in this section are provided by the Group Policy template `WindowsExplorer.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Admi
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `ErrorReporting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
related to Windows Error Reporting consent.
the Group Policy template `ErrorReporting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `ErrorReporting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `GameDVR.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer
the Group Policy template `Passport.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
exists to ensure the structure of Windows benchmarks is consistent.
_Microsoft Passport for Work_ but was renamed by Microsoft to _Windows Hello for Business_ starting with the Microsoft Windows 10 Release 1607 & Se
related to Windows Installer.
the Group Policy template `WindowsInkWorkspace.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
the Group Policy template `MSI.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
None - this is the default behavior.
TITLE:Email and
CCE-37524-6
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer:SafeForScripting
```
related to Windows Logon Options.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `WinLogon.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `WindowsMail.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 Release 1703 Adminis
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `MediaCenter.admx/adml` that is only included with the Microsoft Windows Vista through Windows 10 Release 1511 Administrati
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `WindowsMediaDRM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `WindowsMediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `WindowsCollaboration.admx/adml` that is only included with the Microsoft Windows Vista and Server 2008 (non-R2) Administrat
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `WindowsMessenger.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `MobilePCMobilityCenter.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
related to Windows PowerShell.
the Group Policy template `MovieMaker.admx/adml` that is only included with the Microsoft Windows Vista and Server 2008 (non-R2) Administrative Templa
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `PowerShellExecutionPolicy.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative T
related to Windows Remote Management (WinRM).
the Group Policy template `RacWmiProv.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
related to the Windows Remote Management (WinRM) client.
the Group Policy template `WindowsRemoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
related to the Windows Remote Management (WinRM) service.
the Group Policy template `WindowsRemoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the fo
the Group Policy template `WindowsRemoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
None - this is the default behavior.
TITLE:Use Only Se
CCE-37927-1
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service:AllowAutoConfig
```
Windows Remote Shell (WinRS).
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the fo
the Group Policy template `WindowsRemoteShell.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
New Remote Shell connections are not allowed and are rejected by the server.
TITLE:Use Only Se
CCE-36499-2
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS:AllowRemoteShellAccess
```
**Note:** On Server 2012 (non-R2) and higher, due to design changes in the OS after Server 2008 R2, configuring this set
exists to ensure the structure of Windows benchmarks is consistent.
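Every audit row in this section has the same shape: navigate to the UI path, then confirm the registry value that backs the Group Policy setting. The PowerShell script below is an added example and is not part of the CIS benchmark or of any CIS-published tooling. It reads the registry locations printed on this page and reports each as Pass, Fail or NotConfigured, so that a policy that was never applied is not mistaken for one that was set to the wrong value. The key paths, value names and CCE identifiers are taken from the page; the expected values and ranges are my assumption of what the corresponding recommendations prescribe (the page does not print them) and must be checked against the recommendation text before the script is used for scoring. It also goes beyond the HKLM rows by enumerating loaded user hives for the HKEY_USERS\[USER SID] location used at the end of this section.

```powershell
# Added example, not CIS benchmark text or tooling: audit the policy-backed
# registry locations listed in this section. Key paths and value names are
# from the page; the expected values/ranges are ASSUMED and must be confirmed
# against the recommendation text before use.

# One entry per audit row: identifier from the page, key, value name, a
# predicate over the stored value, and a human-readable expectation.
$Checks = @(
    @{ Id='CCE-37708-5'; Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name='fSingleSessionPerUser';  Test={ param($v) $v -eq 1 }; Want='1 (assumed)' }
    @{ Id='CCE-37696-2'; Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name='fDisableCcm';           Test={ param($v) $v -eq 1 }; Want='1 (assumed)' }
    @{ Id='CCE-37778-8'; Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name='fDisableLPT';           Test={ param($v) $v -eq 1 }; Want='1 (assumed)' }
    @{ Id='CCE-37477-7'; Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name='fDisablePNPRedir';      Test={ param($v) $v -eq 1 }; Want='1 (assumed)' }
    # Session time limits are stored in milliseconds; 0 would mean "Never".
    @{ Id='CCE-37562-6'; Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name='MaxIdleTime';           Test={ param($v) $v -ge 1 -and $v -le 900000 }; Want='1..900000 ms (assumed)' }
    @{ Id='CCE-37949-5'; Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name='MaxDisconnectionTime';  Test={ param($v) $v -ge 1 -and $v -le 60000 };  Want='1..60000 ms (assumed)' }
    @{ Id='CCE-37927-1'; Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service';        Name='AllowAutoConfig';       Test={ param($v) $v -eq 0 }; Want='0 (assumed)' }
    @{ Id='CCE-36499-2'; Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS';  Name='AllowRemoteShellAccess'; Test={ param($v) $v -eq 0 }; Want='0 (assumed)' }
    @{ Id='CCE-36886-0'; Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors';   Name='DisableLocation';       Test={ param($v) $v -eq 1 }; Want='1 (assumed)' }
    @{ Id='CCE-36950-4'; Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting';   Name='DisableGenericRePorts'; Test={ param($v) $v -eq 1 }; Want='1 (assumed)' }
)

function Test-PolicyValue {
    param([hashtable]$Check)
    # A policy left "Not Configured" writes neither the key nor the value.
    # Get-ItemProperty returns nothing in either case, so report that
    # separately from a wrong value: the default behaviour may be acceptable,
    # but nothing is enforcing it and a local change would go unnoticed.
    $item = Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $actual = $null
        $status = 'NotConfigured'
    } else {
        $actual = $item.($Check.Name)
        $status = if (& $Check.Test $actual) { 'Pass' } else { 'Fail' }
    }
    [pscustomobject]@{ Id=$Check.Id; Name=$Check.Name; Key=$Check.Key; Expected=$Check.Want; Actual=$actual; Status=$status }
}

function Get-LoadedUserHives {
    # HKEY_USERS only exposes hives that are currently loaded (logged-on users,
    # or profiles loaded explicitly with reg.exe load). Skip the *_Classes
    # hives and well-known SIDs; domain and local accounts start with S-1-5-21.
    Get-ChildItem Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" }
}

$results = @(foreach ($c in $Checks) { Test-PolicyValue $c })

# Per-user location from the end of this section (CCE-37542-8 on the page);
# the expected value 1 is assumed, as above.
foreach ($hive in Get-LoadedUserHives) {
    $results += Test-PolicyValue @{
        Id='CCE-37542-8'; Key="$hive\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0"
        Name='NoImplicitFeedback'; Test={ param($v) $v -eq 1 }; Want='1 (assumed)'
    }
}

$results | Format-Table Id, Name, Expected, Actual, Status -AutoSize
```

Run it in an elevated PowerShell session on the host being audited; user hives that are not loaded at the time are simply not reported, so a complete per-user audit needs each profile hive loaded (or the check run while that user is logged on). Adjust the `Test` predicates and `Want` strings once you have confirmed the prescribed values in your copy of the benchmark.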
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `SideShow.admx/adml` that is only included with the Microsoft Windows Vista Administrative Templates through Microsoft Windo
related to Windows Update.
the Group Policy template `SystemResourceManager.admx/adml` that is only included with the Microsoft Windows Vista through Windows 8.0 & Server 201
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `WindowsUpdate.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
the Group Policy template `WindowsUpdate.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templa
_Defer Windows Updates_ but was renamed by Microsoft to _Windows Update for Business_ starting with the Microsoft Windows 10 Release 1709 Admin
recommendations from Group Policy Administrative Templates (ADMX).
for Control Panel settings.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
the Group Policy template `AddRemovePrograms.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
for personalization settings.
the Group Policy template `ControlPanelDisplay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
the Group Policy template `ControlPanelDisplay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
_Desktop Themes_ but was renamed by Microsoft to _Personalization_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
for Start Menu and Taskbar settings.
the Group Policy template `SharedFolders.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
for Notification settings.
the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
for System settings.
the Group Policy template `WPN.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `CtrlAltDel.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `DeviceInstallation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
exists to ensure the structure of Windows benchmarks is consistent.
the Group Policy template `FolderRedirection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
related to Internet Communication Management.
the Group Policy template `GroupPolicy.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
related to Internet Communication settings.
the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section contains recommendations for Windows Component settings.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Users cannot participate in the Hel
TITLE:Data Prote
CCE-37542-8
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0:NoImplicitFeedback
```
This Group Policy section is provided by the Group Policy template `WindowsAnytimeUpgrade.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This section was initially named _Windows Anytime Upgrade_ but was renamed by Microsoft to _Add features to Windows x_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R
This Group Policy section is provided by the Group Policy template `AppXRuntime.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section contains recommendations related to Attachment Manager.
This Group Policy section is provided by the Group Policy template `AppCompat.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This Group Policy section is provided by the Group Policy template `AttachmentManager.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AutoPlay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `UserDataBackup.admx/adml` that is included only with the Microsoft Windows Vista through Windows 8.0 & Server 2012 (non-R
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CloudContent.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CredUI.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or ne
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DataCollection.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Template
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Sidebar.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DWM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DigitalLocker.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EdgeUI.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This section was initially named _Windows Explorer_ but was renamed by Microsoft to _File Explorer_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Tem
This Group Policy section is provided by the Group Policy template `FileRevocation.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newe
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EAIME.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CaptureWizard.admx/adml` that is only included with the Microsoft Windows Vista and Windows Server 2008 (non-R2) Administr
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WordWheel.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Sensors.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MicrosoftEdge.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or ne
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MMC.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `UserExperienceVirtualization.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administr
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Conf.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section contains recommendations related to Network Sharing.
This Group Policy section is provided by the Group Policy template `NetworkProjection.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server
This Group Policy section is provided by the Group Policy template `Sharing.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MobilePCPresentationSettings.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This section was initially named _Terminal Services_ but was renamed by Microsoft to _Remote Desktop Services_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative
This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Search.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SoundRec.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinStoreUI.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates and M
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TaskScheduler.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinCal.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsColorSystem.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SmartScreen.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ErrorReporting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This Group Policy section is provided by the Group Policy template `Passport.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
**Note:** This section was initially named _Microsoft Passport for Work_ but was renamed by Microsoft to _Windows Hello for Business_ starting with the Microsoft Windows 10 Release 1607 & Se
This section contains recommendations related to Windows Installer.
This Group Policy section is provided by the Group Policy template `MSI.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinLogon.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsMail.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 Release 1703 Adminis
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section contains recommendations related to Windows Media Player.
This Group Policy section is provided by the Group Policy template `MediaCenter.admx/adml` that is only included with the Microsoft Windows Vista through Windows 10 Release 1511 Administrati
This Group Policy section is provided by the Group Policy template `WindowsMediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section contains recommendations related to Windows Media Player playback.
This Group Policy section is provided by the Group Policy template `WindowsMediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This Group Policy section is provided by the Group Policy template `WindowsMediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Windows Media Player is prevented fr
TITLE:Inventory
CCE-37445-4
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\WindowsMediaPlayer:PreventCodecDownload
```
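The two user-scope values shown above (`NoImplicitFeedback` and `PreventCodecDownload`) live under `HKEY_USERS\[USER SID]\...`, so a single machine-wide registry query does not see them: each user's hive has to be checked on its own. The PowerShell below is an added example, not code from the CIS benchmark or its assessment content. It assumes (the page does not state it) that both policies store a DWORD of 1 when set to Enabled, and it only sees hives that are currently loaded under HKEY_USERS, so users who are not logged on are skipped unless their profile hive is loaded first.

```powershell
# Added example, not part of the CIS benchmark: audit the user-scope settings above for every
# user hive that is currently loaded under HKEY_USERS.
# ASSUMPTIONS (not stated on this page): both policies store DWORD 1 when 'Enabled'; only loaded
# hives are visible under HKEY_USERS, so users who are not logged on are not covered unless their
# NTUSER.DAT is loaded first (reg.exe load HKU\<name> <profilepath>\NTUSER.DAT).

$UserChecks = @(
    [pscustomobject]@{ Cce='CCE-37542-8'; Rel='SOFTWARE\Policies\Microsoft\Assistance\Client\1.0'; Name='NoImplicitFeedback';   Expected=1 }
    [pscustomobject]@{ Cce='CCE-37445-4'; Rel='SOFTWARE\Policies\Microsoft\WindowsMediaPlayer';    Name='PreventCodecDownload'; Expected=1 }
)

# PowerShell ships HKLM: and HKCU: drives but not HKU:, so map HKEY_USERS once.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Get-LoadedUserSid {
    # Domain and local user SIDs start with S-1-5-21-; this skips .DEFAULT, the service SIDs
    # (S-1-5-18/19/20) and the *_Classes hives, none of which carry user policy.
    Get-ChildItem -Path 'HKU:\' |
        ForEach-Object { $_.PSChildName } |
        Where-Object { $_ -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
}

function Test-UserPolicyValue {
    param([string]$Sid, [pscustomobject]$Check)
    $path   = "HKU:\$Sid\$($Check.Rel)"
    $actual = $null
    # -ErrorAction Stop turns "key missing" and "value missing" into catchable errors.
    try { $actual = (Get-ItemProperty -Path $path -Name $Check.Name -ErrorAction Stop).($Check.Name) } catch { }
    if ($null -eq $actual) { $actual = 'absent' }   # policy never applied to this user
    [pscustomobject]@{
        Sid      = $Sid
        Cce      = $Check.Cce
        Name     = $Check.Name
        Expected = $Check.Expected
        Actual   = $actual
        Pass     = ($actual -ne 'absent') -and ([int]$actual -eq $Check.Expected)
    }
}

$results = foreach ($sid in Get-LoadedUserSid) {
    foreach ($c in $UserChecks) { Test-UserPolicyValue -Sid $sid -Check $c }
}
$results | Format-Table Sid, Cce, Name, Expected, Actual, Pass -AutoSize
```

The `Actual` column reports `absent` separately from `0` on purpose: an absent policy value means Group Policy never reached that user and the application's own default or the user's preference applies, which is a different finding from a policy that was explicitly set to the wrong value.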
et.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/).
Many of these mitigations were later coded directly into Windows 10 and Server 2016.
Compatibility testing is done on typical server configurations (including all CIS-recommended EMET settings) before widespread deployment to your environ
Microsoft will not update it any further past that date, nor troubleshoot new problems with it. They are instead recommending that servers be upgraded to S
1 Account Policies accepted This section contains recommendations for account policies.
1.1 Password Policy accepted This section contains recommendations for password policy.
1.2 Account Lockout Policy accepted This section contains recommendations for account lockout policy.
2 Local Policies accepted This section contains recommendations for local policies.
2.1 Audit Policy accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
2.2 User Rights Assignment accepted This section contains recommendations for user rights assignments.
2.3 Security Options accepted This section contains recommendations for security options.
2.3.1 Accounts accepted This section contains recommendations related to default accounts.
2.3.2 Audit accepted This section contains recommendations related to auditing controls.
2.3.3 DCOM accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
2.3.4 Devices accepted This section contains recommendations related to managing devices.
2.3.5 Domain controller accepted This section contains recommendations related to Domain Controllers.
2.3.6 Domain member accepted This section contains recommendations related to domain membership.
2.3.7 Interactive logon accepted This section contains recommendations related to interactive logons.

2.3.7 2.3.7.6 (L2) Ensure 'Intera accepted full
This policy setting determines whether a user can log on to a Windows dom
The number that is assigned to this policy setting indicate
The recommended state for this setting is: `4 or fewer logon(s)`.
Users who access the computer console will have their lo
To establish the recommended configu
```
Computer Configuration\Policies\Windo
```

2.3.8 Microsoft network accepted This section contains recommendations related to configuring the Microsoft
2.3.9 Microsoft network accepted This section contains recommendations related to configuring the Microsoft
2.3.12 Recovery console accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
2.3.13 Shutdown accepted This section contains recommendations related to the Windows shutdown fu
2.3.14 System cryptogra accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
2.3.15 System objects accepted This section contains recommendations related to system objects.
2.3.16 System settings draft This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
2.3.17 User Account Control accepted This section contains recommendations related to User Account Control.
3 Event Log accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
4 Restricted Groups accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
5 System Services accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
6 Registry accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
7 File System accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
8 Wired Network (IE accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
9 Windows Firewall accepted This section contains recommendations for configuring the Windows Firewa
9.1 Domain Profile accepted This section contains recommendations for the Domain Profile of the Windo
9.2 Private Profile accepted This section contains recommendations for the Private Profile of the Window
9.3 Public Profile accepted This section contains recommendations for the Public Profile of the Window
10 Network List Mana accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
11 Wireless Network accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
12 Public Key Policies accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
13 Software Restricti accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
14 Network Access Pr accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
15 Application Contro accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
16 IP Security Policies accepted This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
17 Advanced Audit Po accepted This section contains recommendations for configuring the Windows audit fa
17.1 Account Logon accepted This section contains recommendations for configuring the Account Logon a
17.2 Account Managem accepted This section contains recommendations for configuring the Account Manage
17.3 Detailed Tracking accepted This section contains recommendations for configuring the Detailed Tracking
17.4 DS Access accepted This section contains recommendations for configuring the Directory Service
17.5 Logon/Logoff accepted This section contains recommendations for configuring the Logon/Logoff aud
17.6 Object Access accepted This section contains recommendations for configuring the Object Access au
17.7 Policy Change accepted This section contains recommendations for configuring the Policy Change a
17.8 Privilege Use accepted This section contains recommendations for configuring the Privilege Use au
17.9 System accepted This section contains recommendations for configuring the System audit pol
18 Administrative Te accepted This section contains computer-based recommendations from Group Policy Administrative Templates (ADMX).
18.1 Control Panel accepted
This section contains recommendations for Control Panel settings.
This Group Policy section is provided by the Group Policy template `Window

18.1.1 Personalization accepted
This section contains recommendations for Control Panel personalization se
This Group Policy section is provided by the Group Policy template `Control

18.2 LAPS accepted
This section contains recommendations for configuring Microsoft Local Adm
This Group Policy section is provided by the Group Policy template `AdmPw

18.3 MS Security Guid accepted
This section contains settings for configuring additional settings from the MS
This Group Policy section is provided by the Group Policy template `SecGui

18.4 MSS (Legacy) accepted
This section contains recommendations for the Microsoft Solutions for Secu
This Group Policy section is provided by the Group Policy template `MSS-le

18.4 18.4.5 (L2) Ensure 'MSS: accepted full
This value controls how often TCP attempts to verify that an idle connection
The recommended state for this setting is: `Enabled: 300,000 or 5 minutes (
An attacker who is
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path does

18.4 18.4.7 (L2) Ensure 'MSS: accepted full
This setting is used to enable or disable the Internet Router Discovery Proto
The recommended state for this setting is: `Disabled`.
An attacker who h
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path does

18.4 18.4.10 (L2) Ensure 'MSS: accepted full
This setting controls the number of times that TCP retransmits an individual
The recommended state for this setting is: `Enabled: 3`.
A malicious user c
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path does

18.4 18.4.11 (L2) Ensure 'MSS: accepted full
This setting controls the number of times that TCP retransmits an individual
The recommended state for this setting is: `Enabled: 3`.
A malicious user c
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path does

18.5 Network accepted
This section contains recommendations for network settings.
This Group Policy section is provided by the Group Policy template `Window

18.5.1 Background Intelli accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Bits.adm

18.5.2 BranchCache accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `PeerTo

18.5.3 DirectAccess Clie accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `nca.adm

18.5.4 DNS Client accepted
This section contains recommendations related to DNS Client.
This Group Policy section is provided by the Group Policy template `DnsClie

18.5.5 Fonts draft
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `GroupP

18.5.6 Hotspot Authentic accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `hotspot

18.5.7 Lanman Server accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Lanman

18.5.8 Lanman Workstati draft
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Lanman

18.5.9 Link-Layer Topolo accepted
This section contains recommendations for Link-Layer Topology Discovery
This Group Policy section is provided by the Group Policy template `LinkLay

18.5.9 18.5.9.1 (L2) Ensure 'Turn accepted full
This policy setting changes the operational behavior of the Mapper I/O netw
The recommended state for this setting is: `Disabled`.
LLTDIO allows a computer to discover the topology of a network it's connect
To help protect fr
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.5.9 18.5.9.2 (L2) Ensure 'Turn accepted full
This policy setting changes the operational behavior of the Responder netwo
The recommended state for this setting is: `Disabled`.
The Responder allows a computer to participate in Link Layer Topology Disc
To help protect fr
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.5.10 Microsoft Peer-to accepted
This section contains recommendations for the Microsoft Peer-to-Peer Networki
This Group Policy section is provided by the Group Policy template `P2P-pn

18.5.10 18.5.10. (L2) Ensure 'Turn accepted full
The Peer Name Resolution Protocol (PNRP) allows for distributed resolution
The recommended state for this setting is: `Enabled`.
Peer-to-Peer protocols allow for applications in the areas of RTC, collaborat
This setting enhan
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.5.10.1 Peer Name Resolut accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `P2P-pn

18.5.11 Network Connecti accepted
This section contains recommendations for Network Connections settings.
This Group Policy section is provided by the Group Policy template `Network

18.5.11.1 Windows Defender accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Window
**Note:** This section was initially named _Windows Firewall_ but was rena

18.5.12 Network Connectivi accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `NCSI.a

18.5.13 Network Isolation accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Network

18.5.14 Network Provider accepted
This section contains recommendations for Network Provider settings.
This Group Policy section is provided by the Group Policy template `Network

18.5.15 Offline Files accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `OfflineF

18.5.16 QoS Packet Sched accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `QOS.ad

18.5.17 SNMP accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Snmp.a

18.5.18 SSL Configuration accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CipherS

18.5.19 TCPIP Settings accepted
This section contains TCP/IP configuration settings.
This Group Policy section is provided by the Group Policy template `tcpip.ad

18.5.19.1 IPv6 Transition T accepted
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `tcpip.ad

18.5.19.2 Parameters accepted
This section contains TCP/IP parameter configuration settings.
This Group Policy section is provided by the Group Policy template `tcpip.ad

18.5.19. 18.5.19.2 (L2) Disable IPv6 accepted full
Internet Protocol version 6 (IPv6) is a set of protocols that computers use to
The recommended state for this setting is: `DisabledComponents - 0xff (255
Since the vast maj
To establish the recommended configu
```
HKEY_LOCAL_MACHINE\SYSTEM\C
```
**Note:** This change does not take ef

18.5.20 Windows Connect accepted
This section contains recommendations for Windows Connect Now settings.
This Group Policy section is provided by the Group Policy template `Window

18.5.20 18.5.20. (L2) Ensure 'Confi accepted full
This policy setting allows the configuration of wireless settings using Window
The recommended state for this setting is: `Disabled`.
This setting enhan
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note #2:** Although Microsoft does n

18.5.20 18.5.20. (L2) Ensure 'Prohi accepted full
This policy setting prohibits access to Windows Connect Now (WCN) wizard
The recommended state for this setting is: `Enabled`.
Allowing standard
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path is pro

18.5.21 Windows Connect accepted
This section contains recommendations for Windows Connection Manager
This Group Policy section is provided by the Group Policy template `WCM.a

18.5.21 18.5.21. (L2) Ensure 'Prohi accepted full
This policy setting prevents computers from connecting to both a domain
The recommended state for this setting is: `Enabled`.
The potential conc
To establish the recommended configu
```
Computer Configuration\Policies\Admin
```
**Note:** This Group Policy path may
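The MSS (Legacy), IPv6, Link-Layer Topology Discovery, Peer-to-Peer and Windows Connection Manager recommendations above are all backed by machine-scope registry values, so they can be audited in one pass without walking the Group Policy UI. The PowerShell below is an added example, not code from the CIS benchmark or its assessment content. The registry paths and value names are the ones the corresponding ADMX templates write; the page shows only truncated UI paths, so every path, value name and expected number here is a stated assumption to confirm against your own ADMX files before relying on the result.

```powershell
# Added example, not part of the CIS benchmark: audit the machine-scope registry values behind
# the section 18 recommendations above against their recommended states.
# ASSUMPTIONS: paths, value names and expected data are taken from the ADMX definitions, not from
# this page (which shows only truncated UI paths); verify them against your templates.
#  * MSS (Legacy) settings are written by MSS-legacy.admx straight into the Tcpip service keys,
#    not under HKLM\SOFTWARE\Policies, so an absent value means the policy was never applied and
#    Windows is running on its built-in default (KeepAliveTime defaults to 2 hours, for example).
#  * DisabledComponents is compared with 0xff (255) as the benchmark states; a value of 0xffffffff
#    reads back as -1 through Get-ItemProperty and would be reported as a failure here.
#  * Reading these keys needs no elevation, so this can run as an ordinary user.

$Checks = @(
    [pscustomobject]@{ Id='18.4.5';      Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';     Name='KeepAliveTime';             Expected=300000 }  # 5 minutes, in ms
    [pscustomobject]@{ Id='18.4.7';      Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';     Name='PerformRouterDiscovery';    Expected=0 }       # Disabled
    [pscustomobject]@{ Id='18.4.10';     Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters';    Name='TcpMaxDataRetransmissions'; Expected=3 }       # IPv6
    [pscustomobject]@{ Id='18.4.11';     Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';     Name='TcpMaxDataRetransmissions'; Expected=3 }       # IPv4
    [pscustomobject]@{ Id='18.5.19.2.x'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters';    Name='DisabledComponents';        Expected=255 }     # 0xff
    [pscustomobject]@{ Id='18.5.9.1';    Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD';               Name='EnableLLTDIO';              Expected=0 }       # Mapper I/O off
    [pscustomobject]@{ Id='18.5.9.2';    Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD';               Name='EnableRspndr';              Expected=0 }       # Responder off
    [pscustomobject]@{ Id='18.5.10.x';   Path='HKLM:\SOFTWARE\Policies\Microsoft\Peernet';                    Name='Disabled';                  Expected=1 }       # P2P services off
    [pscustomobject]@{ Id='18.5.21.x';   Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'; Name='fBlockNonDomain';           Expected=1 }       # block non-domain nets
)

function Test-BenchmarkValue {
    param([Parameter(Mandatory)][pscustomobject]$Check)
    $actual = $null
    # -ErrorAction Stop makes both "key missing" and "value missing" catchable.
    try { $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction Stop).($Check.Name) } catch { }
    if ($null -eq $actual) { $actual = 'absent' }   # policy not applied: Windows default is in effect
    [pscustomobject]@{
        Id       = $Check.Id
        Expected = $Check.Expected
        Actual   = $actual
        Pass     = ($actual -ne 'absent') -and ([int64]$actual -eq [int64]$Check.Expected)
        Value    = "$($Check.Path):$($Check.Name)"
    }
}

$results = $Checks | ForEach-Object { Test-BenchmarkValue -Check $_ }
$results | Format-Table Id, Expected, Actual, Pass, Value -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed of $($results.Count) checks failed"
```

Two things the table makes visible that the UI path does not: `absent` is distinguished from a wrong value, because for the MSS keys an absent value means the stack is running on its default rather than on a deliberately chosen one; and the IPv4 and IPv6 retransmission limits (18.4.10 and 18.4.11) are separate values under separate service keys, so setting one does not satisfy the other.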
18.6 Printers accepted
Group Policy
This section section isblank
is intentionally and**Note:**
provided by the to
exists This
Group Group
Policy
ensure Policy path
the template
structure of may
`Windown
Windo
18.7 Start Menu and T accepted
This Group Policy section is provided by the Group Policy template `Window
18.8 System accepted
This section contains recommendations for System settings.
This Group Policy section is provided by the Group Policy template `Window
18.8.1 Access-Denied As accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `srm-fci.
18.8.2 App-V accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `appv.ad
18.8.3 Audit Process Cre accepted
This section contains settings related to auditing of process creation events.
This Group Policy section is provided by the Group Policy template `AuditSe
18.8.4 Credentials Deleg accepted
This section contains settings related to Credential Delegation.
This Group Policy section is provided by the Group Policy template `CredSs
18.8.5 Device Guard accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DeviceG
18.8.6 Device Health Atte accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `TPM.ad
18.8.7 Device Installation draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DeviceI
18.8.8 Device Redirectio accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DeviceR
18.8.9 Disk NV Cache accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DiskNV
18.8.10 Disk Quotas accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DiskQu
18.8.11 Display accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Display
18.8.12 Distributed COM accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DCOM.
18.8.13 Driver Installation accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DeviceI
18.8.14 Early Launch Anti accepted
This section contains recommendations for configuring boot-start driver initia
This Group Policy section is provided by the Group Policy template `EarlyLa
18.8.15 Enhanced Storage accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Enhanc
18.8.16 File Classification accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `srm-fci.
18.8.17 File Share Shado accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `FileServ
18.8.18 File Share Shado accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy templates `FileSe
18.8.19 Filesystem (forme accepted
This section is intentionally blank and exists to ensure the structure of Windo
**Note:** This section was initially named _NTFS Filesystem_ but was renam
This Group Policy section is provided by the Group Policy template `FileSys
18.8.20 Folder Redirection accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `FolderR
18.8.21 Group Policy accepted
This section contains recommendations for configuring group policy-related
This Group Policy section is provided by the Group Policy template `GroupP
18.8.21.1 Logging and traci accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `GroupPM
18.8.22 Internet Communi accepted
This section contains recommendations related to Internet Communication
This Group Policy section is provided by the Group Policy template `Window
18.8.22.1 Internet Communic accepted
This section contains recommendations related to Internet Communication
This Group Policy section is provided by the Group Policy template `Window
18.8.22. 18.8.22.1 (L2) Ensure 'Turn o accepted full
This setting turns off data sharing from the handwriting recognition personal
A person's handwri
The handwriting recognition personalization tool enables Tablet PC users to
To establish the recommended configu
Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled`.
18.8.22. 18.8.22.1 (L2) Ensure 'Turn o accepted full
Turns off the handwriting recognition error reporting tool. A person's handwri
The handwriting recognition error reporting tool enables users to report error
To establish the recommended configu
Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path may n
18.8.22. 18.8.22.1 (L2) Ensure 'Turn accepted full
This policy setting specifies whether the Internet Connection Wizard can con
In an enterprise m
To establish the recommended configu
Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro
18.8.22. 18.8.22.1 (L2) Ensure 'Turn o accepted full
This policy setting specifies whether the Windows Registration Wizard conn
Users in an enterp
To establish the recommended configu
Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro
18.8.22. 18.8.22.1 (L2) Ensure 'Turn accepted full
This policy setting specifies whether Search Companion should automatical
There is a small r
To establish the recommended configu
Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro
18.8.22. 18.8.22.1 (L2) Ensure 'Turn o accepted full
This policy setting specifies whether the "Order Prints Online" task is availab
The Order Prints Online Wizard is used to download a list of providers and a
In an enterprise m
To establish the recommended configu
Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro
18.8.22. 18.8.22. (L2) Ensure 'Turn o accepted full
This policy setting specifies whether the tasks Publish this file to the Web, P
Users may publish c
To establish the recommended configu
Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro
18.8.22. 18.8.22. (L2) Ensure 'Turn accepted full
This policy setting specifies whether Windows Messenger can collect anony
Large enterprise
To establish the recommended configu
Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro
18.8.22. 18.8.22. (L2) Ensure 'Turn accepted full
This policy setting specifies whether Windows Messenger can collect anony
Microsoft uses information collected through the Windows Customer Experie
Large enterprise
To establish the recommended configu
Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro
18.8.22. 18.8.22. (L2) Ensure 'Turn accepted full
This policy setting controls whether or not errors are reported to Microsoft.
Error Reporting is used to report information about a system or application th
If a Windows
To establish the recommended configu
Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro
18.8.23 iSCSI accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `iSCSI.a
18.8.24 KDC accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `KDC.ad
18.8.25 Kerberos draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Kerbero
18.8.26 Locale Services accepted
This section contains recommendations for Locale Services settings.
This Group Policy section is provided by the Group Policy template `Globaliz
18.8.26 18.8.26. (L2) Ensure 'Disal accepted full
This policy setting prevents automatic copying of user input methods to the system
This is a way to i
To establish the recommended configu
Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path may n
18.8.27 Logon accepted
This section contains recommendations related to the logon process and loc
This Group Policy section is provided by the Group Policy template `Logon.a
18.8.28 Mitigation Options draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `GroupP
18.8.29 Net Logon accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Netlogo
18.8.30 OS Policies accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `OSPolic
18.8.31 Performance Contr accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `PerfCen
18.8.32 PIN Complexity accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Passpo
18.8.33 Power Manageme accepted
This section contains recommendations for Power Management settings.
This Group Policy section is provided by the Group Policy template `Power.a
18.8.33.1 Button Settings accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Power.a
18.8.33.2 Energy Saver Sett accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Power.a
18.8.33.3 Hard Disk Setting accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Power.a
18.8.33.4 Notification Settin accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Power.a
18.8.33.5 Power Throttling S accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Power.a
18.8.33.6 Sleep Settings accepted
This section contains recommendations related to Power Management Slee
This Group Policy section is provided by the Group Policy template `Power.a
18.8.34 Recovery accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `ReAgen
18.8.35 Remote Assistanc accepted
This section contains recommendations related to Remote Assistance.
This Group Policy section is provided by the Group Policy template `Remote
18.8.36 Remote Procedure accepted
This section contains recommendations related to Remote Procedure Call.
This Group Policy section is provided by the Group Policy template `RPC.ad
18.8.36 18.8.36. (L2) Ensure 'Restr accepted full
This policy setting controls how the RPC server runtime handles unauthentic
This policy setting impacts all RPC applications. In a domain environment th
A client will be considered an authenticated client if it uses a named pipe to
-- "**None**" allows all RPC clients to connect to RPC Servers running on th
-- "**Authenticated**" allows only authenticated RPC Clients (per the definiti
-- "**Authenticated without exceptions**" allows only authenticated RPC Clie
**Note:** This policy setting will not be applied until the system is rebooted.
Unauthenticated R
To establish the recommended configu
Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled: Authenticated`.
**Note:** This Group Policy path may n
18.8.37 Removable Storag accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Remova
18.8.38 Scripts accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Scripts.
18.8.39 Server Manager accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `ServerM
18.8.40 Shutdown accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `WinInit.
18.8.41 Shutdown Options accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Winsrv.
18.8.42 Storage Health accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Storage
18.8.43 System Restore accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `System
18.8.44 Troubleshooting a accepted
This section contains recommendations related to Troubleshooting and Diag
This Group Policy section is provided by the Group Policy template `Window
18.8.44.1 Application Compat accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `pca.adm
18.8.44.2 Corrupted File Re accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `FileRec
18.8.44.3 Disk Diagnostic accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DiskDia
18.8.44.4 Fault Tolerant He accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `fthsvc.a
18.8.44.5 Microsoft Support accepted
This section contains recommendations related to the Microsoft Support Dia
This Group Policy section is provided by the Group Policy template `MSDT.a
18.8.44. 18.8.44.5 (L2) Ensure 'Micro accepted full
This policy setting configures Microsoft Support Diagnostic Tool (MSDT) inte
Due to privacy con
To establish the recommended configu
Computer Configuration\Policies\Admin
The recommended state for this setting is: `Disabled`.
**Note:** This Group Policy path may n
18.8.44.6 MSI Corrupted Fil accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Msi-File
18.8.44.7 Scheduled Mainte accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `sdiagsc
18.8.44.8 Scripted Diagnost accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `sdiagen
18.8.44.9 Windows Boot Per accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Perform
18.8.44.10 Windows Memory accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `LeakDia
18.8.44.11 Windows Performa accepted
This section contains recommendations related to Windows Performance Pe
This Group Policy section is provided by the Group Policy template `Perform
18.8.44. 18.8.44. (L2) Ensure 'Enabl accepted full
This policy setting specifies whether to enable or disable tracking of respons
When enabled the
To establish the recommended configu
Computer Configuration\Policies\Admin
The recommended state for this setting is: `Disabled`.
18.8.45 Trusted Platform accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `TPM.ad
18.8.46 User Profiles accepted
This section contains recommendations related to User Profiles.
This Group Policy section is provided by the Group Policy template `UserPro
18.8.46 18.8.46. (L2) Ensure 'Turn o accepted full
This policy setting turns off the advertising ID, preventing apps from using th
Tracking user acti
To establish the recommended configu
Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path may n
18.8.47 Windows File Prot accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window
18.8.48 Windows HotStart accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `HotStar
18.8.49 Windows Time Ser accepted
This section contains recommendations related to the Windows Time Service
This Group Policy section is provided by the Group Policy template `W32Tim
18.8.49.1 Time Providers accepted
This section contains recommendations related to Time Providers.
This Group Policy section is provided by the Group Policy template `W32Tim
18.8.49. 18.8.49.1 (L2) Ensure 'Enabl accepted full
This policy setting specifies whether the Windows NTP Client is enabled.
A reliable and acc
To establish the recommended configu
Computer Configuration\Policies\Admin
The recommended state for this setting is: `Enabled`.
18.8.49. 18.8.49.1 (L2) Ensure 'Enabl accepted full
This policy setting allows you to specify whether the Windows NTP Server is
The configuration
To establish the recommended configu
Computer Configuration\Policies\Admin
The recommended state for this setting is: `Disabled`.
**Note:** In most enterprise managed environments, you should _not_ disab
**Note:** This Group Policy path is pro
18.9 Windows Compon accepted
This section contains recommendations for Windows Component settings.
This Group Policy section is provided by the Group Policy template `Window
18.9.1 Active Directory F accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `adfs.ad
18.9.2 ActiveX Installer accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `ActiveX
18.9.3 Add features to W accepted
This section is intentionally blank and exists to ensure the structure of Windo
**Note:** This section was initially named _Windows Anytime Upgrade_ but
This Group Policy section is provided by the Group Policy template `Window
18.9.4 App Package Dep draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `AppxPa
18.9.5 App Privacy accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `AppPriv
18.9.6 App runtime accepted
This section contains recommendations for App runtime settings.
This Group Policy section is provided by the Group Policy template `AppXRu
18.9.7 Application Compat accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `AppCom
18.9.8 AutoPlay Policies accepted
This section contains recommendations for AutoPlay policies.
This Group Policy section is provided by the Group Policy template `AutoPla
18.9.9 Backup accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `UserDa
18.9.10 Biometrics draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Biometr
18.9.11 BitLocker Drive En accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Volume
18.9.12 Camera draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Camera
18.9.13 Cloud Content draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `CloudC
18.9.14 Connect draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Wireles
18.9.15 Credential User In accepted
This section contains recommendations related to Credential User Interf
This Group Policy section is provided by the Group Policy template `CredUI.
18.9.16 Data Collection a draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window
18.9.17 Delivery Optimizat accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Delivery
18.9.18 Desktop Gadgets draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Sidebar
18.9.19 Desktop Window accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DWM.a
18.9.20 Device and Driver accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DeviceC
18.9.21 Device Registratio accepted
This section is intentionally blank and exists to ensure the structure of Windo
**Note:** This section was initially named _Workplace Join_ but was rename
This Group Policy section is provided by the Group Policy template `Workpla
18.9.22 Digital Locker accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DigitalL
18.9.23 Edge UI accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `EdgeUI
18.9.24 EMET accepted
This section contains recommendations for configuring Microsoft Enhanced
EMET is free and supported security software developed by Microsoft that a
**Note:** Although EMET is quite effective at enhancing exploit protection on
**Note #2:** EMET has been reported to be very problematic on 32-bit OSes
**Note #3:** Microsoft has announced that EMET will be End-Of-Life (EOL)
This Group Policy section is provided by the Group Policy template `EMET.a
18.9.25 Event Forwarding accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `EventFo
18.9.26 Event Log Service accepted
This section contains recommendations for configuring the Event Log Service
This Group Policy section is provided by the Group Policy template `EventLo
18.9.26.1 Application accepted
This section contains recommendations for configuring the Application Even
This Group Policy section is provided by the Group Policy template `EventLo
18.9.26.2 Security accepted
This section contains recommendations for configuring the Security Event L
This Group Policy section is provided by the Group Policy template `EventLo
18.9.26.3 Setup accepted
This section contains recommendations for configuring the Setup Event Log
This Group Policy section is provided by the Group Policy template `EventLo
18.9.26.4 System accepted
This section contains recommendations for configuring the System Event Lo
This Group Policy section is provided by the Group Policy template `EventLo
18.9.27 Event Logging accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `EventLo
18.9.28 Event Viewer accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `EventV
18.9.29 Family Safety (for accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Parenta
This section contains recommendations to control the availability of options
**Note:** This section was initially named _Defer Windows Updates_ but wa
19 Administrative Te accepted
This section contains user-based recommendations from Group Policy Adm
19.1 Control Panel accepted
This section contains recommendations for Control Panel settings.
This Group Policy section is provided by the Group Policy template `Window
19.1.1 Add or Remove P accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `AddRem
19.1.2 Display accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Control
19.1.3 Personalization ( accepted
This section contains recommendations for personalization settings.
**Note:** This section was initially named _Desktop Themes_ but was renam
This Group Policy section is provided by the Group Policy template `Control
19.2 Desktop accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window
19.3 Network accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Window
19.4 Shared Folders accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Shared
19.5 Start Menu and T accepted
This section contains recommendations for Start Menu and Taskbar settings
This Group Policy section is provided by the Group Policy template `Window
19.5.1 Notifications accepted
This section contains recommendations for Notification settings.
This Group Policy section is provided by the Group Policy template `WPN.ad
19.6 System accepted
This section contains recommendations for System settings.
This Group Policy section is provided by the Group Policy template `Window
19.6.1 Ctrl+Alt+Del Opti accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `CtrlAltD
19.6.2 Driver Installation accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DeviceI
19.6.3 Folder Redirection accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `FolderR
19.6.4 Group Policy accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `GroupPM
19.6.5 Internet Communi accepted
This section contains recommendations related to Internet Communication
This Group Policy section is provided by the Group Policy template `Window
19.6.5.1 Internet Communic accepted
This section contains recommendations related to Internet Communication
This Group Policy section is provided by the Group Policy template `Window
19.6.5.1 19.6.5.1. (L2) Ensure 'Turn accepted full
This policy setting specifies whether users can participate in the Help Exper
Large enterprise
To establish the recommended configu
User Configuration\Policies\Administra
The recommended state for this setting is: `Enabled`.
**Note:** This Group Policy path is pro
19.7 Windows Compon accepted
This section contains recommendations for Windows Component settings.
This Group Policy section is provided by the Group Policy template `Window
19.7.1 Add features to W accepted
This section is intentionally blank and exists to ensure the structure of Windo
**Note:** This section was initially named _Windows Anytime Upgrade_ but
This Group Policy section is provided by the Group Policy template `Window
19.7.2 App runtime accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `AppXRu
19.7.3 Application Compat accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `AppCom
19.7.4 Attachment Manag accepted
This section contains recommendations related to Attachment Manager.
This Group Policy section is provided by the Group Policy template `Attachm
19.7.5 AutoPlay Policies accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `AutoPla
19.7.6 Backup accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `UserDa
19.7.7 Cloud Content draft
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `CloudC
19.7.8 Credential User In accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `CredUI.
19.7.9 Data Collection a accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DataCo
19.7.10 Desktop Gadgets accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `Sidebar
19.7.11 Desktop Window accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DWM.a
19.7.12 Digital Locker accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `DigitalL
19.7.13 Edge UI accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `EdgeUI
19.7.14 File Explorer (for accepted
This section is intentionally blank and exists to ensure the structure of Windo
**Note:** This section was initially named _Windows Explorer_ but was rena
This Group Policy section is provided by the Group Policy template `Window
19.7.15 File Revocation accepted
This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `FileRev
19.7.16 IME accepted
This section is intentionally blank and exists to ensure the structure of Windo
This section
Group Policy
is intentionally
section isblank
provided
and by
exists
the to
Group
ensure
Policy
the template
structure `EAIME.
of Windo
19.7.17 Import Video accepted
This section
Group Policy
is intentionally
section isblank
provided
and by
exists
the to
Group
ensure
Policy
the template
structure `Capture
of Windo
19.7.18 Instant Search accepted
This section
Group Policy
is intentionally
section isblank
provided
and by
exists
the to
Group
ensure
Policy
the template
structure `WordW
of Windo
19.7.19 Internet Explorer accepted
This section
Group Policy
is intentionally
section isblank
provided
and by
exists
the to
Group
ensure
Policy
the template
structure `InetRes
of Windo
19.7.20 Location and Sensaccepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `Sensors
of Windo
19.7.21 Microsoft Edge accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `Microso
of Windo
19.7.22 Microsoft Manage accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `MMC.a
of Windo
19.7.23 Microsoft User Expaccepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `UserEx
of Windo
19.7.24 NetMeeting accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `Conf.ad
of Windo
19.7.25 Network Projector accepted
Group Policy
This section section
contains is provided by related
recommendations the Group Policy template
to Network Sharing.`Network
19.7.26 Network Sharing accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `Sharing
of Windo
19.7.27 Presentation Setti accepted This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `MobileP
19.7.28 Remote Desktop Se
accepted This Group Policy section is provided by the Group Policy template `Termina
This section is intentionally blank and exists to ensure the structure of Windo
19.7.29 RSS Feeds accepted **Note:** This section was initially named _Terminal Services_ but was rena
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `InetRes
of Windo
19.7.30 Search accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `Search.
of Windo
19.7.31 Sound Recorder accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `SoundR
of Windo
19.7.32 Store accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `WinSto
of Windo
19.7.33 Tablet PC accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `Window
of Windo
19.7.34 Task Scheduler accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `TaskSc
of Windo
19.7.35 Windows Calenda accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `WinCal
of Windo
19.7.36 Windows Color S accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `Window
of Windo
19.7.37 Windows Defendeaccepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `SmartS
of Windo
19.7.38 Windows Error Reaccepted This section is intentionally blank and exists to ensure the structure of Windo
This Group Policy section is provided by the Group Policy template `ErrorRe
19.7.39 Windows Hello for accepted This Group Policy section is provided by the Group Policy template `Passpo
This section contains recommendations related to Windows Installer.
19.7.40 Windows Installer accepted **Note:** This section was initially named _Microsoft Passport for Work_ but
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `MSI.adm
of Windo
19.7.41 Windows Logon Op
accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `WinLog
of Windo
19.7.42 Windows Mail accepted
Group Policy
This section section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `Window
of Windo
19.7.43 Windows Media C accepted
Group Policy
This section section
contains is provided by related
recommendations the Group Policy template
to Windows `MediaC
Media Player.
19.7.44 Windows Media Placcepted
This Group
sectionPolicy section isblank
is intentionally provided
and by the to
exists Group Policy
ensure the template
structure `Window
of Windo
19.7.44.1 Networking accepted
This Group
sectionPolicy section
contains is providedTo
recommendations byestablish
the Group
related Policy
tothe
Windows template `Window
Media Player
recommended pl
configu
19.7.44.2 Playback accepted
Group Policy
This setting section
controls is provided
whether Windows byMedia
``` the Group
PlayerPolicy template
is allowed `Window
to download
19.7.44. 19.7.44.2(L2) Ensure 'Preveacceptedfull This has some potenUser Configuration\Policies\Administra
The recommended state for this setting``` is: `Enabled`.
This section contains recommendations for account policies.
This section contains recommendations for password policy.
This section contains recommendations for security options.
This section contains recommendations for Control Panel personalization settings.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section contains recommendations for configuring Microsoft Local Administrator Password Solution (LAPS).
This Group Policy section is provided by the Group Policy template `ControlPanelDisplay.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
This section contains recommendations for configuring additional settings from the MS Security Guide.
This Group Policy section is provided by the Group Policy template `AdmPwd.admx/adml` that is included with LAPS.
This section contains recommendations for the Microsoft Solutions for Security (MSS) settings.
This Group Policy section is provided by the Group Policy template `SecGuide.admx/adml` that is available from Microsoft at [this link](https://blogs.technet.microsoft.com/secguide/2017/08/30/secu
This Group Policy section is provided by the Group Policy template `MSS-legacy.admx/adml` that is available from this TechNet blog post: [The MSS settings – Microsoft Security Guidance blog](ht
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
Keep-alive packets are not sent by d TITLE:Limitation CCE-36868-8
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:KeepAliveTime
```
Windows will not automatically dete TITLE:Limitation CCE-38065-9
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:PerformRouterDiscovery
```
TCP starts a retransmission timer wh TITLE:Limitation CCE-37846-3
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters:TcpMaxDataRetransmissions
```
TCP starts a retransmission timer wh TITLE:Limitation CCE-36051-1
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:TcpMaxDataRetransmissions
```
This section contains recommendations for network settings.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Bits.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `PeerToPeerCaching.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
This section contains recommendations related to DNS Client.
This Group Policy section is provided by the Group Policy template `nca.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DnsClient.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `hotspotauth.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
This Group Policy section is provided by the Group Policy template `LanmanServer.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:AllowLLTDIOOnDomain
```
This section contains recommendations for Link-Layer Topology Discovery settings.
This Group Policy section is provided by the Group Policy template `LanmanWorkstation.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:AllowRspndrOnDomain
```
This Group Policy section is provided by the Group Policy template `LinkLayerTopologyDiscovery.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:AllowLLTDIOOnPublicNet
```
None - this is the default behavior. TITLE:Limitation CCE-38170-7
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:AllowRspndrOnPublicNet
```
None - this is the default behavior. TITLE:Limitation CCE-37959-4
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:EnableLLTDIO
```
This section contains recommendations for Microsoft Peer-to-Peer Networking Services settings.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:EnableRspndr
```
This Group Policy section is provided by the Group Policy template `P2P-pnrp.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:ProhibitLLTDIOOnPrivateNet
```
Microsoft Peer-to-Peer Networking Ser TITLE:Limit Open CCE-37699-6
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet:Disabled
```
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:ProhibitRspndrOnPrivateNet
```
This section contains recommendations for Network Connections settings.
This Group Policy section is provided by the Group Policy template `P2P-pnrp.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `NetworkConnections.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This Group Policy section is provided by the Group Policy template `WindowsFirewall.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This section was initially named _Windows Firewall_ but was renamed by Microsoft to _Windows Defender Firewall_ starting with the Microsoft Windows 10 Release 1709 Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `NCSI.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section contains recommendations for Network Provider settings.
This Group Policy section is provided by the Group Policy template `NetworkIsolation.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `NetworkProvider.admx/adml` that is included with the [MS15-011](https://technet.microsoft.com/library/security/MS15-011) / [MS
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `OfflineFiles.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `QOS.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Snmp.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This Group Policy section is provided by the Group Policy template `CipherSuiteOrder.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `tcpip.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
This section contains recommendations for configuration settings.
This Group Policy section is provided by the Group Policy template `tcpip.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
Connectivity to other systems using IPv6 will no longer operate, and software that depends on IPv6 will cease to function. E
This Group Policy section is provided by the Group Policy template `tcpip.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
This registry change is documented in Microsoft Knowledge Base article 929852: [How to disable IPv6 or its components in
TITLE:Limitation and Control of Network Ports, Protocols, and Services CONTROL:9
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
**Note:** This registry change does not take effect until the next reboot.
This section contains recommendations for Windows Connect Now settings.
This Group Policy section is provided by the Group Policy template `WindowsConnectNow.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
WCN operations are disabled over al TITLE:Configure On CCE-37481-9
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry locations:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:EnableRegistrars
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:DisableUPnPRegistrar
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:DisableInBand802DOT11Registrar
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:DisableFlashConfigRegistrar
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars:DisableWPDRegistrar
```
The WCN wizards are turned off and us TITLE:Configure On CCE-36109-7
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI:DisableWcnUi
```
This section contains recommendations for Windows Connection Manager settings.
This Group Policy section is provided by the Group Policy template `WCM.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
The computer responds to automatic and manual network connection attempts based on the following circumstances:
_Automatic connection attempts_ - When the computer is already connected to a domain based network, all automatic con
_Manual connection attempts_ - When the computer is already connected to either a non-domain based network or a doma
TITLE:Boundary CCE-37627-7
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy:fBlockNonDomain
```
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
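The Audit text repeated for each setting above ("confirm it is set as prescribed ... backed by the following registry location") can be checked directly on a host by reading the listed registry values. The PowerShell script below is an added example, not part of the CIS benchmark or its assessment content: it parses the `HIVE\Key:ValueName` notation this page uses, reads each value with `Get-ItemProperty`, and compares it with an expected value. The expected values in the `$Checks` table are assumptions supplied for illustration and must be checked against the benchmark's Remediation text; entries set to `$null` are reported without comparison because no expected state for them appears on this page.

```powershell
# Added example (not part of the CIS benchmark): read the registry values that back
# the Group Policy settings listed in this section and compare them with an expected
# state. Run in an elevated PowerShell session on the host being audited.

# Keys use the benchmark's "HIVE\Key:ValueName" notation. Expected values are
# ASSUMPTIONS for illustration; verify each against the benchmark's Remediation text.
# $null = no expected value on this page, so the current value is reported only.
$Checks = [ordered]@{
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:KeepAliveTime'              = 300000 # assumption: 5 minutes
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:PerformRouterDiscovery'     = 0      # assumption: disabled
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:TcpMaxDataRetransmissions'  = 3      # assumption
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters:TcpMaxDataRetransmissions' = 3      # assumption
    'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet:Disabled'                                  = 1      # assumption: P2P services turned off
    'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy:fBlockNonDomain'         = 1      # assumption: block non-domain networks
    'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD:AllowLLTDIOOnDomain'                  = $null
    'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI:DisableWcnUi'                       = $null
}

function ConvertTo-RegistryRef {
    # Split "HIVE\Sub\Key:ValueName" into a PowerShell provider path and a value name.
    # The value name is everything after the LAST ':' (key paths never contain one).
    param([Parameter(Mandatory)][string]$Ref)
    $i = $Ref.LastIndexOf(':')
    if ($i -lt 1) { throw "Malformed registry reference: $Ref" }
    $key = $Ref.Substring(0, $i) -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM:\' -replace '^HKEY_CURRENT_USER\\', 'HKCU:\'
    [pscustomobject]@{ Key = $key; Name = $Ref.Substring($i + 1) }
}

function Test-BenchmarkValue {
    param([Parameter(Mandatory)][string]$Ref, $Expected)
    $r = ConvertTo-RegistryRef -Ref $Ref
    # Get-ItemProperty errors (suppressed here) when the key or value is absent, which
    # means no policy value is applied and the OS default is in effect.
    $item   = Get-ItemProperty -Path $r.Key -Name $r.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($r.Name) } else { $null }
    $status = if ($null -eq $actual)         { 'NOT SET' }
              elseif ($null -eq $Expected)   { 'INFO' }
              elseif ($actual -eq $Expected) { 'PASS' }
              else                           { 'FAIL' }
    [pscustomobject]@{ Status = $status; Expected = $Expected; Actual = $actual; Value = $r.Name; Key = $r.Key }
}

$results = foreach ($c in $Checks.GetEnumerator()) { Test-BenchmarkValue -Ref $c.Key -Expected $c.Value }
$results | Format-Table -AutoSize Status, Expected, Actual, Value, Key

# Non-zero exit code when any row is FAIL or NOT SET, so the script can gate a pipeline.
exit [int](($results | Where-Object { $_.Status -in 'FAIL', 'NOT SET' } | Measure-Object).Count -gt 0)
```

The script reads the effective values under `HKLM`, so it reports what policy (or a local edit) has written, not which GPO wrote it; `NOT SET` means no policy value exists and the OS default applies, which should still be reviewed against the Remediation UI path because the Audit text expects the setting to be confirmed explicitly. REG_DWORD values compare numerically; an expected REG_SZ value should be supplied as a string.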
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section contains recommendations for System settings.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `srm-fci.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
This section contains recommendations for auditing of process creation events.
This Group Policy section is provided by the Group Policy template `appv.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
This section contains recommendations for Credential Delegation.
This Group Policy section is provided by the Group Policy template `AuditSettings.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CredSsp.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DeviceGuard.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
This Group Policy section is provided by the Group Policy template `TPM.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DeviceInstallation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DeviceRedirection.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DiskNVCache.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DiskQuota.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Display.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DCOM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section contains recommendations for configuring boot-start driver initialization settings.
This Group Policy section is provided by the Group Policy template `DeviceInstallation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EarlyLaunchAM.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EnhancedStorage.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `srm-fci.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FileServerVSSAgent.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FileServerVSSProvider.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
This Group Policy section is provided by the Group Policy template `FileSys.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
**Note:** This section was initially named _NTFS Filesystem_ but was renamed by Microsoft to _Filesystem_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
This section contains recommendations for configuring group policy-related settings.
This Group Policy section is provided by the Group Policy template `FolderRedirection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `GroupPolicy.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
This section contains recommendations related to Internet Communication Management.
This Group Policy section is provided by the Group Policy template `GroupPolicyPreferences.admx/adml` that is included with the Microsoft Windows Server 2008 (non-R2) Administrative Templates.
This section contains recommendations related to Internet Communication settings.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Tablet PC users cannot choose to sha TITLE:Data Prote CCE-37911-5
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC:PreventHandwritingDataSharing
```
Users cannot start handwriting rec TITLE:Data Prote CCE-36203-8
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports:PreventHandwritingErrorReports
```
The "Choose a list of Internet Servic TITLE:Data Prote CCE-37163-3
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard:ExitOnMSICW
```
Users are blocked from connecting to Microsoft.com for CCE-36352-3
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control:NoRegistration
```
Search Companion does not download content updates during searches. TITLE:Data Prote CCE-36884-5
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion:DisableContentFileUpdates
```
**Note:** Internet searches will still send the search text and information about the search to Microsoft and the chosen sear
The task "Order Prints Online" is rem TITLE:Data Prote CCE-38275-4
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoOnlinePrintsWizard
```
The "Publish to Web" task is removed TITLE:Data Prote CCE-37090-8
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoPublishingWizard
```
Windows Messenger will not collect us TITLE:Data Prote CCE-36628-6
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client:CEIP
```
All users are opted out of the Win TITLE:Data Prote CCE-36174-1
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows:CEIPEnable
```
Users are not given the option to repo TITLE:Data Prote CCE-35964-6
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting:Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting:DoReport
```
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
he
ts to ensure the template
Group Policy structure `iSCSI.admx/adml`
of Windows benchmarks that isisincluded with all versions of the Microsoft Windows Administrative Templates.
consistent.
he Group
ts to Policy
ensure the template
structure `KDC.admx/adml` that is included
of Windows benchmarks with the Microsoft Windows Server 2008 (non-R2) Administrative Templates (or newer).
is consistent.
he GroupServices
r Locale Policy template `Kerberos.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
settings.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
he Group Policy template `Globalization.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
``` Users will have input methods enableTITLE:Ensure Work CCE-36343-2
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control
elated to the logon process and lock screen. Panel\International:BlockUserInputMethodsForSignIn
```
he Group Policy template `Logon.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
he
ts to
Group
ensure
Policy
the template
structure `GroupPolicy.admx/adml`
of Windows benchmarks isthat
consistent.
is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newe
he
ts to
Group
ensure
Policy
the template
structure `Netlogon.admx/adml`
of Windows benchmarksthat
is is
consistent.
included with all versions of the Microsoft Windows Administrative Templates.
he
ts to
Group
ensure
Policy
the template
structure `OSPolicy.admx/adml`
of Windows benchmarksthat
is is
consistent.
included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
he
ts to
Group
ensure
Policy
the template
structure `PerfCenterCPL.admx/adml`
of Windows benchmarks is consistent.
that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non
he GroupManagement
r Power Policy template `Passport.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
settings.
he Group
ts to Policy
ensure the template
structure `Power.admx/adml` that isisincluded
of Windows benchmarks with all versions of the Microsoft Windows Administrative Templates.
consistent.
he Group
ts to Policy
ensure the template
structure `Power.admx/adml` that isisincluded
of Windows benchmarks with all versions of the Microsoft Windows Administrative Templates.
consistent.
he Group
ts to Policy
ensure the template
structure `Power.admx/adml` that isisincluded
of Windows benchmarks with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or ne
consistent.
he Group
ts to Policy
ensure the template
structure `Power.admx/adml` that isisincluded
of Windows benchmarks with all versions of the Microsoft Windows Administrative Templates.
consistent.
he Group
ts to Policy
ensure the template
structure `Power.admx/adml` that isisincluded
of Windows benchmarks with all versions of the Microsoft Windows Administrative Templates.
consistent.
he Group
elated PolicyManagement
to Power template `Power.admx/adml`
Sleep mode. that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
he Group
ts to Policy
ensure the template
structure `Power.admx/adml` that isisincluded
of Windows benchmarks with all versions of the Microsoft Windows Administrative Templates.
consistent.
he Group
elated Policy template
to Remote `ReAgent.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
Assistance.
he Group
elated Policy template
to Remote Procedure`RemoteAssistance.admx/adml`
Call. that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
he Group Policy template `RPC.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
``` Only authenticated RPC Clients will TITLE:Limit Open CCE-36559-3
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
NT\Rpc:RestrictRemoteClients
```

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `RemovableStorage.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Scripts.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ServerManager.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinInit.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Winsrv.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `StorageHealth.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SystemRestore.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Troubleshooting and Diagnostics.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `pca.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FileRecovery.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DiskDiagnostic.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `fthsvc.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section contains recommendations related to the Microsoft Support Diagnostic Tool.

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy:DisableQueryRemoteServer
```

Note: This Group Policy path is provided by the Group Policy template `MSDT.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Impact: MSDT cannot run in support mode, and
CIS Controls: TITLE:Data Prote
CCE-38161-6

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Msi-FileRecovery.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `sdiagschd.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `sdiageng.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `PerformanceDiagnostics.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `LeakDiagnostic.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Windows Performance PerfTrack.

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}:ScenarioExecutionEna
```

Note: This Group Policy path is provided by the Group Policy template `PerformancePerftrack.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
Impact: Responsiveness events are not proc
CIS Controls: TITLE:Data Prote
CCE-36648-4

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TPM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to User Profiles.

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\AdvertisingInfo:DisabledByGroupPolicy
```

Note: This Group Policy path is provided by the Group Policy template `UserProfiles.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Impact: The advertising ID is turned off. App
CIS Controls: TITLE:Data Prote
CCE-36931-4

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsFileProtection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `HotStart.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.

This section contains recommendations related to the Windows Time Service.
This Group Policy section is provided by the Group Policy template `W32Time.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Time Providers.

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient:Enabled
```

Note: This Group Policy path is provided by the Group Policy template `W32Time.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Impact: You can set the local computer clock
CIS Controls: TITLE:Use At Leas
CCE-37843-0

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer:Enabled
```

Impact: None - this is the default behavior.
CIS Controls: TITLE:Limit Open
CCE-37319-1

This section contains recommendations for Windows Component settings.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `adfs.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ActiveXInstallService.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsAnytimeUpgrade.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
Note: This section was initially named _Windows Anytime Upgrade_ but was renamed by Microsoft to _Add features to Windows x_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AppxPackageManager.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AppPrivacy.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).

This section contains recommendations for App runtime settings.
This Group Policy section is provided by the Group Policy template `AppXRuntime.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `AppCompat.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations for AutoPlay policies.
This Group Policy section is provided by the Group Policy template `AutoPlay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `UserDataBackup.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 Release 1511 Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Biometrics.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `VolumeEncryption.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Camera.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CloudContent.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WirelessDisplay.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

This section contains recommendations related to the Credential User Interface.
This Group Policy section is provided by the Group Policy template `CredUI.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DeliveryOptimization.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Sidebar.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DWM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DeviceCompat.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WorkplaceJoin.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
Note: This section was initially named _Workplace Join_ but was renamed by Microsoft to _Device Registration_ starting with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DigitalLocker.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations for configuring Microsoft Enhanced Mitigation Experience Toolkit (EMET).
This Group Policy section is provided by the Group Policy template `EMET.admx/adml` that is included with Microsoft EMET.
ware developed by Microsoft that allows an enterprise to apply exploit mitigations to applications that run on Windows. Many of these mitigations were later
at enhancing exploit protection on Windows server OSes prior to Server 2016, it is highly recommended that compatibility testing is done on typical server
be very problematic on 32-bit OSes - we only recommend using it with 64-bit OSes.
EMET will be End-Of-Life (EOL) on July 31, 2018. This does not mean all the software will stop working, only that Microsoft will not update it any further past

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EdgeUI.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EventForwarding.admx/adml` that is included with the Microsoft Windows Server 2008 (non-R2) Administrative Templates (or newer).

This section contains recommendations for configuring the Event Log Service.
This Group Policy section is provided by the Group Policy template `EventLog.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations for configuring the Application Event Log.
This Group Policy section is provided by the Group Policy template `EventLog.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations for configuring the Security Event Log.
This Group Policy section is provided by the Group Policy template `EventLog.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations for configuring the Setup Event Log.
This Group Policy section is provided by the Group Policy template `EventLog.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations for configuring the System Event Log.
This Group Policy section is provided by the Group Policy template `EventLog.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EventLogging.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `EventViewer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ParentalControls.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 RTM (Release 1507) Administrative Templates.
Note: This section was initially named _Parental Controls_ but was renamed by Microsoft to _Family Safety_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.

This section contains recommendations that control the availability of options such as menu items and tabs in dialog boxes.
This Group Policy section is provided by the Group Policy template `WindowsExplorer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Note: This section was initially named _Windows Explorer_ but was renamed by Microsoft to _File Explorer_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `PreviousVersions.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FileHistory.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FindMy.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `GameExplorer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Handwriting.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Sharing.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CaptureWizard.admx/adml` that is only included with the Microsoft Windows Vista and Windows Server 2008 (non-R2) Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `IIS.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Location and Sensors.

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors:DisableLocation
```

Note: This Group Policy path is provided by the Group Policy template `Sensors.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
Impact: The location feature is turned off, a
CIS Controls: TITLE:Data Prote
CCE-36886-0

This section contains recommendations related to the Windows Location Provider.

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors:DisableWindowsLocationProvider
```

Note: This Group Policy path is provided by the Group Policy template `LocationProviderAdm.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
Impact: The Windows Location Provider feature is turned off, a
CCE-38225-9

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `msched.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinMaps.admx/adml` that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MDM.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Messaging.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MSAPolicy.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MicrosoftEdge.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `FidoAuth.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `DeviceCredential.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `UserExperienceVirtualization.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Conf.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `NAPXPQec.admx/adml` that is only included with the Microsoft Windows Server 2008 (non-R2) through the Windows 8.1 Update & Server 2012 R2 Update Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `NetworkProjection.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Update Administrative Templates.

This section contains recommendations related to OneDrive.
The Group Policy settings in this section are provided by the Group Policy template `SkyDrive.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
Note: This section was initially named _SkyDrive_ but was renamed by Microsoft to _OneDrive_ starting with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `HelpAndSupport.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `PswdSync.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Update Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `ExternalBoot.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `MobilePCPresentationSettings.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `PushToInstall.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

This section contains recommendations related to Remote Desktop Services.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Note: This section was initially named _Terminal Services_ but was renamed by Microsoft to _Remote Desktop Services_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Note: This section was initially named _TS Licensing_ but was renamed by Microsoft to _RD Licensing_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.

This section contains recommendations for the Remote Desktop Connection Client.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section contains recommendations for the Remote Desktop Session Host.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Note: This section was initially named _Terminal Server_ but was renamed by Microsoft to _Remote Desktop Session Host_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TerminalServer-Server.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

This section contains recommendations for Connections to the Remote Desktop Session Host.

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fSingleSessionPerUser
```

Note: This Group Policy path is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Impact: None - this is the default behavior.
CCE-37708-5

This section contains recommendations related to Remote Desktop Session Host Device and Resource Redirection.

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fDisableCcm
```

Note: This Group Policy path is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Impact: Users in a Remote Desktop Services se
CIS Controls: TITLE:Limit Open
CCE-37696-2

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fDisableLPT
```

Impact: Users in a Remote Desktop Services se
CIS Controls: TITLE:Limit Open
CCE-37778-8

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fDisablePNPRedir
```

Impact: Users in a Remote Desktop Services
CIS Controls: TITLE:Limit Open
CCE-37477-7

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Note: This section was initially named _TS Connection Broker_ but was renamed by Microsoft to _RD Connection Broker_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Remote Desktop Session Host Security.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Remote Desktop Session Host Session Time Limits.

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:MaxIdleTime
```

Note: This Group Policy path is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Impact: Remote Desktop Services will automat
CIS Controls: TITLE:Ensure Work
CCE-37562-6

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:MaxDisconnectionTime
```

Impact: Disconnected Remote Desktop sessions
CIS Controls: TITLE:Ensure Work
CCE-37949-5

This section contains recommendations related to Remote Desktop Session Host Session Temporary folders.
This Group Policy section is provided by the Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to RSS feeds.
This Group Policy section is provided by the Group Policy template `InetRes.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations for Search settings.
This Group Policy section is provided by the Group Policy template `Search.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

This Group Policy section is provided by the Group Policy template `SecurityCenter.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Snis.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server 2012 R2 Update Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinInit.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SmartCard.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to the Software Protection Platform.

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform:NoGenTicket
```

Note: This Group Policy path is provided by the Group Policy template `AVSValidationGP.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
Impact: The computer is prevented from sending data to Microsoft regarding its KMS client activation state.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SoundRec.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Speech.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinStoreUI.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates, or by the G

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `SettingSync.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TaskScheduler.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `TextInput.admx/adml` that is only included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates and M

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WinCal.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsColorSystem.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `CEIPEnable.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.

This section contains recommendations related to Windows Defender Antivirus.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Note: This section was initially named _Windows Defender_ but was renamed by Microsoft to _Windows Defender Antivirus_ starting with the Microsoft Windows 10 Release 1703 Administrative Templates.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section contains recommendations related to Microsoft Active Protection Service (MAPS).

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is in effect when th

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet:SpynetReporting
```

Note: This Group Policy path is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
Impact: None - this is the default behavior.

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section contains recommendations for Real-time Protection.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This Group Policy section is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

This section contains recommendations for Windows Defender Reporting.

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting:DisableGenericRePorts
```

Note: This Group Policy path is provided by the Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
Impact: Watson events will not be sent to Mic
CIS Controls: TITLE:Data Prote
CCE-36950-4

This section contains recommendations related to Windows Defender scanning.
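Every Audit cell in this section follows the same pattern: confirm the UI path, then check the registry value that backs it. The PowerShell below is an added example, not part of the CIS benchmark or its assessment tooling, that turns the registry locations quoted in this section into a scripted check. It parses the benchmark's own `HKEY_LOCAL_MACHINE\...\Key:ValueName` notation, reads each value, and reports Pass, Fail or NotConfigured. The values in the `Expected` column are assumptions supplied for this example, not copied from the page; confirm each one against the recommendation's Remediation text before relying on the result. Run it elevated on the target host after `gpupdate /force`, since values under `HKLM\SOFTWARE\Policies` reflect the policy that has actually been applied, not what the GPO in the domain says.

```powershell
# Added example (not part of the CIS benchmark or its tooling): audit the
# registry values that back the Group Policy settings listed in this section.
# The Expected values are ASSUMPTIONS supplied for this example; confirm each
# against the recommendation's Remediation text before relying on it.

function ConvertFrom-AuditLocation {
    <# Parse the benchmark's "HKEY_LOCAL_MACHINE\<key>:<value name>" notation
       into a PowerShell registry path and a value name. #>
    param([Parameter(Mandatory)][string]$Location)

    # The value name follows the last ':'; key paths in this notation never contain one.
    $idx = $Location.LastIndexOf(':')
    if ($idx -lt 0) { throw "No ':' separating key from value name in '$Location'" }

    $key  = $Location.Substring(0, $idx) -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM:\'
    $name = $Location.Substring($idx + 1)
    [pscustomobject]@{ Key = $key; Name = $name }
}

function Test-AuditSetting {
    <# Read one backing value and classify it. A missing key or value means the
       policy is Not Configured, which the benchmark does not treat as compliant. #>
    param([Parameter(Mandatory)][hashtable]$Check)

    $loc    = ConvertFrom-AuditLocation -Location $Check.Location
    $item   = Get-ItemProperty -Path $loc.Key -Name $loc.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.PSObject.Properties[$loc.Name].Value } else { $null }

    $status = if ($null -eq $actual) {
        'NotConfigured'
    } elseif ($Check.ContainsKey('Test')) {
        if (& $Check.Test $actual) { 'Pass' } else { 'Fail' }   # range-style checks
    } elseif ($actual -eq $Check.Expected) {
        'Pass'
    } else {
        'Fail'
    }

    [pscustomobject]@{
        Key = $loc.Key; Name = $loc.Name
        Expected = $Check.Expected; Actual = $actual; Status = $status
    }
}

# Registry locations copied from the Audit cells in this section. The Expected
# column is an assumption for this example (see the note at the top).
$Checks = @(
    @{ Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy:DisableQueryRemoteServer'; Expected = 0 }
    @{ Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\AdvertisingInfo:DisabledByGroupPolicy';                         Expected = 1 }
    @{ Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient:Enabled';                              Expected = 1 }
    @{ Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors:DisableLocation';                           Expected = 1 }
    @{ Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fSingleSessionPerUser';                   Expected = 1 }
    @{ Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fDisableCcm';                             Expected = 1 }
    @{ Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fDisableLPT';                             Expected = 1 }
    @{ Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fDisablePNPRedir';                        Expected = 1 }
    # "15 minutes or less, but not Never" is a range (milliseconds), and 0 (Never) must fail.
    @{ Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:MaxIdleTime';
       Expected = '1..900000 ms'; Test = { param($v) ($v -ge 1) -and ($v -le 900000) } }
    @{ Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:MaxDisconnectionTime';                    Expected = 60000 }
    @{ Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform:NoGenTicket';   Expected = 1 }
    @{ Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet:SpynetReporting';                              Expected = 0 }
    @{ Location = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting:DisableGenericRePorts';                      Expected = 1 }
)

$results = foreach ($c in $Checks) { Test-AuditSetting -Check $c }
$results | Format-Table -Property Name, Expected, Actual, Status -AutoSize

# Non-zero exit for any finding, so the script can gate a build or a scan job.
if ($results.Status -contains 'Fail' -or $results.Status -contains 'NotConfigured') { exit 1 }
```

NotConfigured is reported separately from Fail on purpose: a value that is absent from `HKLM\SOFTWARE\Policies` means no policy is applied and the machine is running on whatever the local default is, which is the state the benchmark's "but not Never" and "not 0" qualifiers are written to catch. The `Test` scriptblock on MaxIdleTime shows how a range-valued recommendation is expressed without special-casing the comparison code; the same shape works for any "N or fewer, but not 0" setting.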
he Group
ts to Policy
ensure the template
structure `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
of Windows benchmarks is consistent.
he Group
ts to Policy
ensure the template
structure `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
of Windows benchmarks is consistent.
he Group
ts to Policy
ensure the template
structure `WindowsDefender.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or n
of Windows benchmarks is consistent.
The Group Policy template `WindowsDefender.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newe
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `AppHVSI.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `ExploitGuard.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
SmartScreen settings.
The Group Policy template `WindowsDefenderSecurityCenter.admx/adml` that is included with the Microsoft Windows 10 Release 1709 Administrative Temp
r Explorer-related Windows Defender SmartScreen settings.
The Group Policy template `SmartScreen.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
n this section are provided by the Group Policy template `WindowsExplorer.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Admi
elated to Windows Error Reporting.
The Group Policy template `ErrorReporting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
elated to Windows Error Reporting consent.
The Group Policy template `ErrorReporting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
The Group Policy template `ErrorReporting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `GameDVR.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer
The Group Policy template `Passport.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
_Microsoft Passport for Work_ but was renamed by Microsoft to _Windows Hello for Business_ starting with the Microsoft Windows 10 Release 1607 & Se
elated to Windows Installer.
The Group Policy template `WindowsInkWorkspace.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
The Group Policy template `MSI.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
None - this is the default behavior.
TITLE:Email and
CCE-37524-6
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer:SafeForScripting
```
elated to Windows Logon Options.
The Group Policy template `WinLogon.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `WindowsMail.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 Release 1703 Adminis
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `MediaCenter.admx/adml` that is only included with the Microsoft Windows Vista through Windows 10 Release 1511 Administrati
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `WindowsMediaDRM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `WindowsMediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `WindowsCollaboration.admx/adml` that is only included with the Microsoft Windows Vista and Server 2008 (non-R2) Administrat
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `WindowsMessenger.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `MobilePCMobilityCenter.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
elated to Windows PowerShell.
The Group Policy template `MovieMaker.admx/adml` that is only included with the Microsoft Windows Vista and Server 2008 (non-R2) Administrative Templa
The Group Policy template `PowerShellExecutionPolicy.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative T
ts to ensure the structure of Windows benchmarks is consistent.
elated to Windows Remote Management (WinRM).
The Group Policy template `RacWmiProv.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
elated to the Windows Remote Management (WinRM) client.
The Group Policy template `WindowsRemoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
elated to the Windows Remote Management (WinRM) service.
The Group Policy template `WindowsRemoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the fo
The Group Policy template `WindowsRemoteManagement.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
None - this is the default behavior.
TITLE:Use Only Se
CCE-37927-1
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service:AllowAutoConfig
```
Windows Remote Shell (WinRS).
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the fo
The Group Policy template `WindowsRemoteShell.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
New Remote Shell connections are not allowed and are rejected by the server.
TITLE:Use Only Se
CCE-36499-2
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS:AllowRemoteShellAccess
```
**Note:** On Server 2012 (non-R2) and higher, due to design changes in the OS after Server 2008 R2, configuring this set
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `SideShow.admx/adml` that is only included with the Microsoft Windows Vista Administrative Templates through Microsoft Windo
ts to ensure the structure of Windows benchmarks is consistent.
elated to Windows Update.
The Group Policy template `SystemResourceManager.admx/adml` that is only included with the Microsoft Windows Vista through Windows 8.0 & Server 201
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `WindowsUpdate.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
The Group Policy template `WindowsUpdate.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templa
_Defer Windows Updates_ but was renamed by Microsoft to _Windows Update for Business_ starting with the Microsoft Windows 10 Release 1709 Admin
endations from Group Policy Administrative Templates (ADMX).
r Control Panel settings.
The Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `AddRemovePrograms.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
r personalization settings.
The Group Policy template `ControlPanelDisplay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
The Group Policy template `ControlPanelDisplay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
_Desktop Themes_ but was renamed by Microsoft to _Personalization_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates.
The Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
r Start Menu and Taskbar settings.
The Group Policy template `SharedFolders.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
r Notification settings.
The Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
r System settings.
The Group Policy template `WPN.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
The Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `CtrlAltDel.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `DeviceInstallation.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `FolderRedirection.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
elated to Internet Communication Management.
The Group Policy template `GroupPolicy.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
elated to Internet Communication settings.
The Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
The Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Users cannot participate in the Hel
TITLE:Data Prote
CCE-37542-8
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0:NoImplicitFeedback
```
r Windows Component settings.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
The Group Policy template `WindowsAnytimeUpgrade.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates
ts to ensure the structure of Windows benchmarks is consistent.
_Windows Anytime Upgrade_ but was renamed by Microsoft to _Add features to Windows x_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R
The Group Policy template `AppXRuntime.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or
ts to ensure the structure of Windows benchmarks is consistent.
elated to Attachment Manager.
The Group Policy template `AppCompat.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
The Group Policy template `AttachmentManager.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `AutoPlay.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `UserDataBackup.admx/adml` that is included only with the Microsoft Windows Vista through Windows 8.0 & Server 2012 (non-R
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `CloudContent.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `CredUI.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or ne
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `DataCollection.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Template
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `Sidebar.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `DWM.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `DigitalLocker.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `EdgeUI.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer
The Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
_Windows Explorer_ but was renamed by Microsoft to _File Explorer_ starting with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Tem
The Group Policy template `FileRevocation.admx/adml` that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newe
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `EAIME.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `CaptureWizard.admx/adml` that is only included with the Microsoft Windows Vista and Windows Server 2008 (non-R2) Administr
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `WordWheel.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `InetRes.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `Sensors.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `MicrosoftEdge.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or ne
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `MMC.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `UserExperienceVirtualization.admx/adml` that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administr
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `Conf.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
elated to Network Sharing.
The Group Policy template `NetworkProjection.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 8.1 Update & Server
The Group Policy template `Sharing.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `MobilePCPresentationSettings.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
The Group Policy template `TerminalServer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
_Terminal Services_ but was renamed by Microsoft to _Remote Desktop Services_ starting with the Microsoft Windows 7 & Server 2008 R2 Administrative
The Group Policy template `InetRes.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `Search.admx/adml` that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `SoundRec.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `WinStoreUI.admx/adml` that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates and M
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `Windows.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `TaskScheduler.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `WinCal.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `WindowsColorSystem.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `SmartScreen.admx/adml` that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
ts to ensure the structure of Windows benchmarks is consistent.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `ErrorReporting.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
The Group Policy template `Passport.admx/adml` that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
elated to Windows Installer.
_Microsoft Passport for Work_ but was renamed by Microsoft to _Windows Hello for Business_ starting with the Microsoft Windows 10 Release 1607 & Se
The Group Policy template `MSI.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `WinLogon.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
The Group Policy template `WindowsMail.admx/adml` that is only included with the Microsoft Windows Vista through the Windows 10 Release 1703 Adminis
ts to ensure the structure of Windows benchmarks is consistent.
elated to Windows Media Player.
The Group Policy template `MediaCenter.admx/adml` that is only included with the Microsoft Windows Vista through Windows 10 Release 1511 Administrati
The Group Policy template `WindowsMediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
ts to ensure the structure of Windows benchmarks is consistent.
elated to Windows Media Player playback.
The Group Policy template `WindowsMediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the fo
The Group Policy template `WindowsMediaPlayer.admx/adml` that is included with all versions of the Microsoft Windows Administrative Templates.
Windows Media Player is prevented fr
TITLE:Inventory
CCE-37445-4
```
HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\WindowsMediaPlayer:PreventCodecDownload
```
et.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/).
Many of these mitigations were later coded directly into Windows 10 and Server 2016.
ompatibility testing is done on typical server configurations (including all CIS-recommended EMET settings) before widespread deployment to your environ
Microsoft will not update it any further past that date, nor troubleshoot new problems with it. They are instead recommending that servers be upgraded to S
12 R2 Administrative Templates, or by the Group Policy template `WindowsStore.admx/adml` that is included with the Microsoft Windows 10 Release 1511
12 (non-R2) Administrative Templates and Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates, or by the Group Policy template `WindowsS
The recommended state for this setting is: Enabled.
Entry does not appear on the server
Entry does not appear on the server