Windows 10 Report

Generated by the Windows10Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on Windows 10 Security Technical Implementation Guide V1R16 2019-01-25.

This report was generated at 05/14/2019 08:14:34 on DESKTOP-VSBMIM9.

Hostname: DESKTOP-VSBMIM9
Build Number: 17763
Free disk space (GB): 115.2
Operating System: Microsoft Windows 10 Enterprise Evaluation
Free physical memory (GB): 0.564

Summary

A total of 640 tests have been run. 503 resulted in false. 0 resulted in warning.

  1. True 132 test(s) ≙ 20.63%
  2. False 503 test(s) ≙ 78.59%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 5 test(s) ≙ 0.78%

DISA Recommendations

This section contains all DISA recommendations.

Registry Settings/Group Policies

Id Task Message Audit
WN10-CC-000310 Users must be prevented from changing installation options. Registry key not found. False
WN10-CC-000315 The Windows Installer Always install with elevated privileges must be disabled. Registry key not found. False
WN10-CC-000320 Users must be notified if a web-based program attempts to install software. Registry key not found. False
WN10-CC-000325 Automatically signing in the last interactive user after a system-initiated restart must be disabled. Registry value not found. False
WN10-CC-000330 The Windows Remote Management (WinRM) client must not use Basic authentication. Registry key not found. False
WN10-CC-000335 The Windows Remote Management (WinRM) client must not allow unencrypted traffic. Registry key not found. False
WN10-CC-000340 The Windows Remote Management (WinRM) client must not use Digest authentication. Registry key not found. False
WN10-CC-000345 The Windows Remote Management (WinRM) service must not use Basic authentication. Registry key not found. False
WN10-CC-000350 The Windows Remote Management (WinRM) service must not allow unencrypted traffic. Registry key not found. False
WN10-CC-000355 The Windows Remote Management (WinRM) service must not store RunAs credentials. Registry key not found. False
WN10-AU-000500 The Application event log size must be configured to 32768 KB or greater. Registry key not found. False
WN10-AU-000505 The Security event log size must be configured to 1024000 KB or greater. Registry key not found. False
WN10-AU-000510 The System event log size must be configured to 32768 KB or greater. Registry key not found. False
WN10-CC-000005 Camera access from the lock screen must be disabled. Registry key not found. False
WN10-CC-000010 The display of slide shows on the lock screen must be disabled. Registry key not found. False
WN10-CC-000020 IPv6 source routing must be configured to highest protection. Registry value not found. False
WN10-CC-000025 The system must be configured to prevent IP source routing. Registry value not found. False
WN10-CC-000030 The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes. Registry value not found. False
WN10-CC-000035 The system must be configured to ignore NetBIOS name release requests except from WINS servers. Registry value not found. False
WN10-CC-000040 Insecure logons to an SMB server must be disabled. Registry key not found. False
WN10-CC-000055 Simultaneous connections to the Internet or a Windows domain must be limited. Registry value not found. False
WN10-CC-000060 Connections to non-domain networks when connected to a domain authenticated network must be blocked. Registry value not found. False
WN10-CC-000065 Wi-Fi Sense must be disabled. Registry value not found. False
WN10-CC-000037 Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. Registry value not found. False
WN10-CC-000085 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. Registry key not found. False
WN10-CC-000090 Group Policy objects must be reprocessed even if they have not changed. Registry key not found. False
WN10-CC-000100 Downloading print driver packages over HTTP must be prevented. Registry key not found. False
WN10-SO-000015 Local accounts with blank passwords must be restricted to prevent access from the network. Compliant True
WN10-CC-000105 Web publishing and online ordering wizards must be prevented from downloading a list of providers. Registry value not found. False
WN10-CC-000110 Printing over HTTP must be prevented. Registry key not found. False
WN10-CC-000115 Systems must at least attempt device authentication using certificates. Registry key not found. False
WN10-CC-000120 The network selection user interface (UI) must not be displayed on the logon screen. Registry value not found. False
WN10-CC-000130 Local users on domain-joined computers must not be enumerated. Registry value not found. False
WN10-SO-000030 Audit policy using subcategories must be enabled. Registry value not found. False
WN10-SO-000035 Outgoing secure channel traffic must be encrypted or signed. Compliant True
WN10-SO-000040 Outgoing secure channel traffic must be encrypted when possible. Compliant True
WN10-CC-000145 Users must be prompted for a password on resume from sleep (on battery). Registry key not found. False
WN10-SO-000045 Outgoing secure channel traffic must be signed when possible. Compliant True
WN10-CC-000150 The user must be prompted for a password on resume from sleep (plugged in). Registry key not found. False
WN10-CC-000155 Solicited Remote Assistance must not be allowed. Registry value not found. False
WN10-SO-000050 The computer account password must not be prevented from being reset. Compliant True
WN10-CC-000165 Unauthenticated RPC clients must be restricted from connecting to the RPC server. Registry key not found. False
WN10-CC-000170 The setting to allow Microsoft accounts to be optional for modern style apps must be enabled. Registry value not found. False
WN10-CC-000175 The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. Registry key not found. False
WN10-SO-000060 The system must be configured to require a strong session key. Compliant True
WN10-CC-000180 Autoplay must be turned off for non-volume devices. Registry key not found. False
WN10-SO-000070 The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver. Registry value not found. False
WN10-CC-000185 The default autorun behavior must be configured to prevent autorun commands. Registry value not found. False
WN10-CC-000190 Autoplay must be disabled for all drives. Registry value not found. False
WN10-CC-000195 Enhanced anti-spoofing for facial recognition must be enabled on Window 10. Registry key not found. False
WN10-CC-000200 Administrator accounts must not be enumerated during elevation. Registry key not found. False
WN10-CC-000215 Explorer Data Execution Prevention must be enabled. Registry key not found. False
WN10-CC-000220 Turning off File Explorer heap termination on corruption must be disabled. Registry key not found. False
WN10-CC-000225 File Explorer shell protocol must run in protected mode. Registry value not found. False
WN10-SO-000095 The Smart Card removal option must be configured to Force Logoff or Lock Workstation. Registry value: 0. Differs from expected value: 1. False
WN10-CC-000230 Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge. Registry key not found. False
WN10-CC-000235 Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge. Registry key not found. False
WN10-SO-000100 The Windows SMB client must be configured to always perform SMB packet signing. Registry value: 0. Differs from expected value: 1. False
WN10-CC-000240 InPrivate browsing in Microsoft Edge must be disabled. Registry key not found. False
WN10-SO-000105 The Windows SMB client must be enabled to perform SMB packet signing when possible. Compliant True
WN10-SO-000110 Unencrypted passwords must not be sent to third-party SMB Servers. Compliant True
WN10-CC-000250 The Windows Defender SmartScreen filter for Microsoft Edge must be enabled. Registry key not found. False
WN10-CC-000255 The use of a hardware security device with Windows Hello for Business must be enabled. Registry key not found. False
WN10-SO-000120 The Windows SMB server must be configured to always perform SMB packet signing. Registry value: 0. Differs from expected value: 1. False
WN10-CC-000260 Windows 10 must be configured to require a minimum pin length of six characters or greater. Registry key not found. False
WN10-SO-000125 The Windows SMB server must perform SMB packet signing when possible. Registry value: 0. Differs from expected value: 1. False
WN10-CC-000270 Passwords must not be saved in the Remote Desktop Client. Registry value not found. False
WN10-CC-000275 Local drives must be prevented from sharing with Remote Desktop Session Hosts. Registry value not found. False
WN10-CC-000280 Remote Desktop Services must always prompt a client for passwords upon connection. Registry value not found. False
WN10-CC-000285 The Remote Desktop Session Host must require secure RPC communications. Registry value not found. False
WN10-CC-000290 Remote Desktop Services must be configured with the client connection encryption set to the required level. Registry value not found. False
WN10-CC-000295 Attachments must be prevented from being downloaded from RSS feeds. Registry key not found. False
WN10-SO-000145 Anonymous enumeration of SAM accounts must not be allowed. Compliant True
WN10-CC-000300 Basic authentication for RSS feeds over HTTP must not be used. Registry key not found. False
WN10-SO-000150 Anonymous enumeration of shares must be restricted. Registry value: 0. Differs from expected value: 1. False
WN10-CC-000305 Indexing of encrypted files must be turned off. Registry key not found. False
WN10-SO-000160 The system must be configured to prevent anonymous users from having the same rights as the Everyone group. Compliant True
WN10-SO-000165 Anonymous access to Named Pipes and Shares must be restricted. Compliant True
WN10-SO-000175 Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously. Registry value not found. False
WN10-SO-000180 NTLM must be prevented from falling back to a Null session. Registry value not found. False
WN10-SO-000185 PKU2U authentication using online identities must be prevented. Registry key not found. False
WN10-SO-000190 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. Registry key not found. False
WN10-SO-000195 The system must be configured to prevent the storage of the LAN Manager hash of passwords. Compliant True
WN10-SO-000205 The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. Registry value not found. False
WN10-SO-000210 The system must be configured to the required LDAP client signing level. Compliant True
WN10-SO-000215 The system must be configured to meet the minimum session security requirement for NTLM SSP based clients. Registry value: 536870912. Differs from expected value: 537395200. False
WN10-SO-000220 The system must be configured to meet the minimum session security requirement for NTLM SSP based servers. Registry value: 536870912. Differs from expected value: 537395200. False
WN10-SO-000230 The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. Registry value: 0. Differs from expected value: 1. False
WN10-SO-000240 The default permissions of global system objects must be increased. Compliant True
WN10-SO-000245 User Account Control approval mode for the built-in Administrator must be enabled. Registry value not found. False
WN10-SO-000250 User Account Control must, at minimum, prompt administrators for consent on the secure desktop. Registry value: 5. Differs from expected value: 2. False
WN10-SO-000255 User Account Control must automatically deny elevation requests for standard users. Registry value: 3. Differs from expected value: 0. False
WN10-SO-000260 User Account Control must be configured to detect application installations and prompt for elevation. Compliant True
WN10-SO-000265 User Account Control must only elevate UIAccess applications that are installed in secure locations. Compliant True
WN10-SO-000270 User Account Control must run all administrators in Admin Approval Mode, enabling UAC. Compliant True
WN10-SO-000275 User Account Control must virtualize file and registry write failures to per-user locations. Compliant True
WN10-UC-000015 Toast notifications to the lock screen must be turned off. Registry key not found. False
WN10-UC-000020 Zone information must be preserved when saving attachments. Registry key not found. False
WN10-CC-000066 Command line data must be included in process creation events. Registry value not found. False
WN10-CC-000326 PowerShell script block logging must be enabled. Registry key not found. False
WN10-00-000150 Structured Exception Handling Overwrite Protection (SEHOP) must be enabled. Registry value not found. False
WN10-CC-000038 WDigest Authentication must be disabled. Registry value not found. False
WN10-CC-000044 Internet connection sharing must be disabled. Registry value not found. False
WN10-CC-000197 Microsoft consumer experiences must be turned off. Registry key not found. False
WN10-CC-000228 Windows 10 must be configured to prevent Microsoft Edge browser data from being cleared on exit. Registry key not found. False
WN10-CC-000252 Windows 10 must be configured to disable Windows Game Recording and Broadcasting. Registry key not found. False
WN10-CC-000068 Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials. Registry key not found. False
WN10-00-000165 The Server Message Block (SMB) v1 protocol must be disabled on the SMB server. Registry value not found. False
WN10-UC-000005 The use of personal accounts for OneDrive synchronization must be disabled. Registry key not found. False
WN10-CC-000238 Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge. Registry key not found. False
WN10-CC-000204 If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics. Registry value not found. False

User Rights Assignment

Id Task Message Audit
WN10-UR-000005 The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000010 The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups. The following users have too many rights: Everyone, BUILTIN\Users, BUILTIN\Backup Operators False
WN10-UR-000015 The Act as part of the operating system user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000025 The Allow log on locally user right must only be assigned to the Administrators and Users groups. The following users have too many rights: DESKTOP-VSBMIM9\Guest, BUILTIN\Backup Operators False
WN10-UR-000030 The Back up files and directories user right must only be assigned to the Administrators group. The following users have too many rights: BUILTIN\Backup Operators False
WN10-UR-000035 The Change the system time user right must only be assigned to Administrators and Local Service. Compliant True
WN10-UR-000040 The Create a pagefile user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000045 The Create a token object user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000050 The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. Compliant True
WN10-UR-000055 The Create permanent shared objects user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000065 The Debug programs user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000070 MW The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. Not applicable. This audit applies only to MemberWorkstation. None
WN10-UR-000070 SW The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. The following users have too many rights: DESKTOP-VSBMIM9\Guest False
WN10-UR-000075 MW The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. Not applicable. This audit applies only to MemberWorkstation. None
WN10-UR-000080 MW The Deny log on as a service user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. Not applicable. This audit applies only to MemberWorkstation. None
WN10-UR-000085 MW The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. Not applicable. This audit applies only to MemberWorkstation. None
WN10-UR-000085 SW The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. The following users have too many rights: DESKTOP-VSBMIM9\Guest False
WN10-UR-000090 MW The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. Not applicable. This audit applies only to MemberWorkstation. None
WN10-UR-000090 SW The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. The following users have don't have the rights: False
WN10-UR-000100 The Force shutdown from a remote system user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000105 The Generate security audits user right must only be assigned to Local Service and Network Service. Compliant True
WN10-UR-000110 The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. Compliant True
WN10-UR-000115 The Increase scheduling priority user right must only be assigned to the Administrators group. The following users have too many rights: Window Manager\Window Manager Group False
WN10-UR-000120 The Load and unload device drivers user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000125 The Lock pages in memory user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000130 The Manage auditing and security log user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000140 The Modify firmware environment values user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000145 The Perform volume maintenance tasks user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000150 The Profile single process user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000160 The Restore files and directories user right must only be assigned to the Administrators group. The following users have too many rights: BUILTIN\Backup Operators False
WN10-UR-000165 The Take ownership of files or other objects user right must only be assigned to the Administrators group. Compliant True

Account Policies

Id Task Message Audit
WN10-AC-000005 Windows 10 account lockout duration must be configured to 15 minutes or greater. Currently not set. False
WN10-AC-000010 The number of allowed bad logon attempts must be configured to 3 or less. Currently set to: 0. Expected: not equal 0 False
WN10-AC-000015 The period of time before the bad logon counter is reset must be configured to 15 minutes. Currently not set. False
WN10-AC-000020 The password history must be configured to 24 passwords remembered. Currently set to: 0. Expected: greater than or equal 24 False
WN10-AC-000025 The maximum password age must be configured to 60 days or less. Compliant True
WN10-AC-000030 The minimum password age must be configured to at least 1 day. Currently set to: 0. Expected: greater than or equal 1 False
WN10-AC-000035 Passwords must, at a minimum, be 14 characters. Currently set to: 0. Expected: greater than or equal 14 False
WN10-AC-000040 The built-in Microsoft password complexity filter must be enabled. Currently set to: 0. Expected: equals 1 False
WN10-AC-000045 Reversible password encryption must be disabled. Compliant True
WN10-SO-000140 Anonymous SID/Name translation must not be allowed. Compliant True

Windows Features

Id Task Message Audit
WN10-00-000100 Internet Information System (IIS) or its subcomponents must not be installed on a workstation. Compliant True
WN10-00-000110 Simple TCP/IP Services must not be installed on the system. Compliant True
WN10-00-000115 The Telnet Client must not be installed on the system. Compliant True
WN10-00-000120 The TFTP Client must not be installed on the system. Compliant True

File System Permissions

Id Task Message Audit
WN10-AU-000515 Permissions for the Application event log must prevent access by non-privileged accounts. Unexpected 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' with access 'ReadData, ReadExtendedAttributes, WriteExtendedAttributes, ReadPermissions' False
WN10-AU-000520 Permissions for the Security event log must prevent access by non-privileged accounts. Unexpected 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' with access 'ReadData, ReadExtendedAttributes, WriteExtendedAttributes, ReadPermissions' False
WN10-AU-000525 Permissions for the System event log must prevent access by non-privileged accounts. Unexpected 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' with access 'ReadData, ReadExtendedAttributes, WriteExtendedAttributes, ReadPermissions' False

Registry Permissions

Id Task Message Audit
WN10-RG-000005 A Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. Compliant True
WN10-RG-000005 B Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey' False
WN10-RG-000005 C Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey' False

CIS Benchmarks

This section contains all benchmarks from CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.0.0 - 03-31-2017. WARNING: Tests in this version haven't been fully tested yet.

Registry Settings/Group Policies

Id Task Message Audit
2.3.1.2 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' Registry value not found. False
2.3.1.4 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' Compliant True
2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' Registry value not found. False
2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' Compliant True
2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users' Registry value not found. False
2.3.4.2 (L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' Compliant True
2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' Compliant True
2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' Compliant True
2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' Compliant True
2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' Compliant True
2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' Compliant True
2.3.7.1 (L1) Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.7.2 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' Registry value not found. False
2.3.7.3 (BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0' Registry value not found. False
2.3.7.4 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' Registry value not found. False
2.3.7.5 (L1) Configure 'Interactive logon: Message text for users attempting to log on' Compliant True
2.3.7.6 (L1) Configure 'Interactive logon: Message title for users attempting to log on' Registry value is ''. Expected: pattern match .+ False
2.3.7.7 (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' Registry value is '10'. Expected: pattern match ^[43210]$ False
2.3.7.8 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' Compliant True
2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher Registry value is '0'. Expected: pattern match ^(1|2|3)$ False
2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' Compliant True
2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' Compliant True
2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0' Compliant True
2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' Compliant True
2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher Registry value not found. False
2.3.10.2 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' Compliant True
2.3.10.3 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.10.4 (L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' Compliant True
2.3.10.6 (L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None' Registry value is ''. Expected: equals False
2.3.10.7 (L1) Ensure 'Network access: Remotely accessible registry paths' Compliant True
2.3.10.8 (L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' Compliant True
2.3.10.9 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' Compliant True
2.3.10.10 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' Registry value not found. False
2.3.10.11 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' Compliant True
2.3.10.12 (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' Compliant True
2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' Registry value not found. False
2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' Registry value not found. False
2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' Registry key not found. False
2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' Registry key not found. Registry key not found. False
2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' Compliant True
2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM' Registry value not found. False
2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher Compliant True
2.3.11.9 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' Registry value is '536870912'. Expected: equals 537395200 False
2.3.11.10 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' Registry value is '536870912'. Expected: equals 537395200 False
2.3.14.1 (L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher Registry value not found. False
2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' Compliant True
2.3.15.2 (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' Compliant True
2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' Registry value not found. False
2.3.17.2 (L1) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled' Compliant True
2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' Registry value is '5'. Expected: equals 2 False
2.3.17.4 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' Registry value is '3'. Expected: equals 0 False
2.3.17.5 (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' Compliant True
2.3.17.6 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' Compliant True
2.3.17.7 (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' Compliant True
2.3.17.8 (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' Compliant True
2.3.17.9 (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' Compliant True
5.1 (L2) Ensure 'Bluetooth Handsfree Service (BthHFSrv)' is set to 'Disabled' Registry key not found. False
5.2 (L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.3 (L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed' Compliant True
5.4 (L2) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled' Registry value is '2'. Expected: equals 4 False
5.5 (L2) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.6 (L1) Ensure 'HomeGroup Listener (HomeGroupListener)' is set to 'Disabled' Compliant True
5.7 (L1) Ensure 'HomeGroup Provider (HomeGroupProvider)' is set to 'Disabled' Compliant True
5.8 (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' Compliant True
5.9 (L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.10 (L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.11 (L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.12 (L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed' Compliant True
5.13 (L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed' Compliant True
5.14 (L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.15 (L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.16 (L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.17 (L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.18 (L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.19 (L2) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.20 (L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.21 (L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.22 (L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.23 (L2) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.24 (L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.25 (L2) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled' Compliant True
5.26 (L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled' Compliant True
5.27 (L2) Ensure 'Server (LanmanServer)' is set to 'Disabled' Registry value is '2'. Expected: equals 4 False
5.28 (L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed' Compliant True
5.29 (L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed' Compliant True
5.30 (L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.31 (L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.32 (L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed' Compliant True
5.33 (L2) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.34 (L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.35 (L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed' Registry value found. Registry value is '3'. Expected: equals 4 False
5.36 (L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.37 (L2) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled' Registry value is '2'. Expected: equals 4 False
5.38 (L2) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.39 (L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.40 (L2) Ensure 'Windows Store Install Service (InstallService)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.41 (L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed' Compliant True
5.42 (L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.43 (L1) Ensure 'Xbox Game Monitoring (xbgm)' is set to 'Disabled' Registry key not found. False
5.44 (L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.45 (L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.46 (L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' Registry key not found. False
18.1.1.2 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' Registry key not found. False
18.1.2.2 (L1) Ensure 'Allow input personalization' is set to 'Disabled' Registry key not found. False
18.1.3 (L2) Ensure 'Allow Online Tips' is set to 'Disabled' Registry value not found. False
18.2.1 (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed Registry key not found. Registry key not found. False
18.2.2 (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' Registry key not found. False
18.2.3 (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' Registry key not found. False
18.2.4 (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' Registry key not found. False
18.2.5 (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' Registry key not found. False
18.2.6 (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' Registry key not found. False
18.3.1 (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' Registry value not found. False
18.3.2 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver' Registry key not found. False
18.3.3 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' Registry value not found. False
18.3.4 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' Registry value not found. False
18.3.5 (L1) Ensure 'Turn on Windows Defender protection against Potentially Unwanted Applications' is set to 'Enabled' Registry key not found. False
18.3.6 (L1) Ensure 'WDigest Authentication' is set to 'Disabled' Registry value not found. False
18.4.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' Compliant True
18.4.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' Registry value not found. False
18.4.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' Registry value not found. False
18.4.4 (L2) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled' Registry value not found. False
18.4.5 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' Registry value not found. False
18.4.6 (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)' Registry value not found. False
18.4.7 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' Registry value not found. False
18.4.8 (L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled' Registry value not found. False
18.4.9 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' Registry value not found. False
18.4.10 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' Registry value not found. False
18.4.11 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' Registry value not found. False
18.4.12 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' Registry value not found. False
18.4.13 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' Registry value not found. False
18.5.4.1 (L1) Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)') Registry value not found. False
18.5.4.2 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' Registry key not found. False
18.5.5.1 (L2) Ensure 'Enable Font Providers' is set to 'Disabled' Registry value not found. False
18.5.8.1 (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled' Registry key not found. False
18.5.9.1 (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' Registry key not found. False
18.5.9.2 (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' Registry key not found. False
18.5.10.2 (L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
18.5.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' Registry value not found. False
18.5.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' Registry value not found. False
18.5.11.4 (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' Registry value not found. False
18.5.14.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' Registry value is ''. Expected: pattern match [Rr]equire([Mm]utual[Aa]uthentication|[Ii]ntegrity)=1.*[Rr]equire([Mm]utual[Aa]uthentication|[Ii]ntegrity)=1 False
18.5.19.2.1 (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') Registry value not found. False
18.5.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' Registry key not found. False
18.5.20.2 (L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' Registry key not found. False
18.5.21.1 (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled' Registry value not found. False
18.5.21.2 (L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' Registry value not found. False
18.5.23.2.1 (L1) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled' Registry value not found. False
18.8.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Disabled' Registry value not found. False
18.8.4.1 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' Registry key not found. False
18.8.5.1 (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' Registry key not found. False
18.8.5.2 (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' Registry key not found. False
18.8.5.3 (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock' Registry key not found. False
18.8.5.4 (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' Registry key not found. False
18.8.5.5 (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' Registry key not found. False
18.8.7.1.1 (BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' Registry key not found. False
18.8.7.1.2 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' Registry key not found. False
18.8.7.1.3 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked) Registry key not found. False
18.8.7.1.4 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' Registry key not found. False
18.8.7.1.5 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' Registry key not found. False
18.8.7.1.6 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked) Registry key not found. False
18.8.14.1 (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' Registry key not found. False
18.8.21.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' Registry key not found. False
18.8.21.3 (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' Registry key not found. False
18.8.21.4 (L1) Ensure 'Continue experiences on this device' is set to 'Disabled' Registry value not found. False
18.8.21.5 (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' Compliant. Registry value not found. True
18.8.22.1.1 (L2) Ensure 'Turn off access to the Store' is set to 'Enabled' Registry key not found. False
18.8.22.1.2 (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' Registry key not found. False
18.8.22.1.3 (L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' Registry key not found. False
18.8.22.1.4 (L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' Registry key not found. False
18.8.22.1.5 (L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' Registry key not found. False
18.8.22.1.6 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' Registry value not found. False
18.8.22.1.7 (L1) Ensure 'Turn off printing over HTTP' is set to 'Enabled' Registry key not found. False
18.8.22.1.8 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' Registry key not found. False
18.8.22.1.9 (L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' Registry key not found. False
18.8.22.1.10 (L2) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled' Registry value not found. False
18.8.22.1.11 (L2) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' Registry value not found. False
18.8.22.1.12 (L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' Registry key not found. False
18.8.22.1.13 (L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' Registry key not found. False
18.8.22.1.14 (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' Registry key not found. False
18.8.25.1 (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' Registry key not found. False
18.8.26.1 (L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' Registry key not found. False
18.8.27.1 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' Registry value not found. False
18.8.27.2 (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' Registry value not found. False
18.8.27.3 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' Registry value not found. False
18.8.27.4 (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' Registry value not found. False
18.8.27.5 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' Registry value not found. False
18.8.27.6 (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' Registry value not found. False
18.8.27.7 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' Registry value not found. False
18.8.33.6.1 (L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' Registry key not found. False
18.8.33.6.2 (L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' Registry key not found. False
18.8.33.6.3 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled' Registry key not found. False
18.8.33.6.4 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled' Registry key not found. False
18.8.33.6.5 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' Registry key not found. False
18.8.33.6.6 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' Registry key not found. False
18.8.35.1 (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' Registry value not found. False
18.8.35.2 (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' Registry value not found. False
18.8.36.1 (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' Registry key not found. False
18.8.36.2 (L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' Registry key not found. False
18.8.44.5.1 (L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' Registry key not found. False
18.8.44.11.1 (L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' Registry key not found. False
18.8.46.1 (L2) Ensure 'Turn off the advertising ID' is set to 'Enabled' Registry key not found. False
18.8.49.1.1 (L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled' Registry key not found. False
18.8.49.1.2 (L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' Registry key not found. False
18.9.4.1 (L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled' Registry key not found. False
18.9.6.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' Registry value not found. False
18.9.6.2 (L2) Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' is set to 'Enabled' Registry value not found. False
18.9.8.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' Registry key not found. False
18.9.8.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' Registry value not found. False
18.9.8.3 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' Registry value not found. False
18.9.10.1.1 (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled' Registry key not found. False
18.9.11.1.1 (BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' Registry key not found. False
18.9.11.1.2 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' Registry key not found. False
18.9.11.1.3 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' Registry key not found. False
18.9.11.1.4 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' Registry key not found. False
18.9.11.1.5 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' Registry key not found. False
18.9.11.1.6 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' Registry key not found. False
18.9.11.1.7 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False' Registry key not found. False
18.9.11.1.8 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages' Registry key not found. False
18.9.11.1.9 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False' Registry key not found. False
18.9.11.1.10 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Enabled' Registry key not found. False
18.9.11.1.11 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True' Registry key not found. False
18.9.11.1.12 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False' Registry key not found. False
18.9.11.1.13 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42' Registry key not found. False
18.9.11.1.14 (BL) Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled' Registry key not found. False
18.9.11.1.15 (BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled' Registry key not found. False
18.9.11.1.16 (BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True' Registry key not found. False
18.9.11.2.1 (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' Registry key not found. False
18.9.11.2.2 (BL) Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled' Registry key not found. False
18.9.11.2.3 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' Registry key not found. False
18.9.11.2.4 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False' Registry key not found. False
18.9.11.2.5 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password' Registry key not found. False
18.9.11.2.6 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' Registry key not found. False
18.9.11.2.7 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' Registry key not found. False
18.9.11.2.8 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True' Registry key not found. False
18.9.11.2.9 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages' Registry key not found. False
18.9.11.2.10 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True' Registry key not found. False
18.9.11.2.11 (BL) Ensure 'Configure minimum PIN length for startup' is set to 'Enabled: 7 or more characters' Registry key not found. False
18.9.11.2.12 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Enabled' Registry key not found. False
18.9.11.2.13 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True' Registry key not found. False
18.9.11.2.14 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False' Registry key not found. False
18.9.11.2.15 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42' Registry key not found. False
18.9.11.2.16 (BL) Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled' Registry key not found. False
18.9.11.2.17 (BL) Ensure 'Require additional authentication at startup' is set to 'Enabled' Registry key not found. False
18.9.11.2.18 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' Registry key not found. False
18.9.11.2.19 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup:' is set to 'Enabled: Do not allow TPM' Registry key not found. False
18.9.11.2.20 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM' Registry key not found. False
18.9.11.2.21 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM' Registry key not found. False
18.9.11.2.22 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM' Registry key not found. False
18.9.11.3.1 (BL) Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled' Registry key not found. False
18.9.11.3.2 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' Registry key not found. False
18.9.11.3.3 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' Registry key not found. False
18.9.11.3.4 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password' Registry key not found. False
18.9.11.3.5 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' Registry key not found. False
18.9.11.3.6 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' Registry key not found. False
18.9.11.3.7 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False' Registry key not found. False
18.9.11.3.8 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages' Registry key not found. False
18.9.11.3.9 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False' Registry key not found. False
18.9.11.3.10 (BL) Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Enabled' Registry key not found. False
18.9.11.3.11 (BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True' Registry key not found. False
18.9.11.3.12 (BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False' Registry key not found. False
18.9.11.3.13 (BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42' Registry key not found. False
18.9.11.3.14 (BL) Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled' Registry key not found. False
18.9.11.3.15 (BL) Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled' Registry key not found. False
18.9.11.3.16 (BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True' Registry key not found. False
18.9.11.3.17 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled' Registry key not found. False
18.9.11.3.18 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False' Registry key not found. False
18.9.11.4 (BL) Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' is set to 'Enabled: XTS-AES 256-bit' Registry key not found. False
18.9.11.5 (BL) Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled' Registry key not found. False
18.9.12.1 (L2) Ensure 'Allow Use of Camera' is set to 'Disabled' Registry key not found. False
18.9.13.1 (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' Registry key not found. False
18.9.14.1 (L1) Ensure 'Require pin for pairing' is set to 'Enabled' Registry key not found. False
18.9.15.1 (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' Registry key not found. False
18.9.15.2 (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' Registry key not found. False
18.9.16.1 (L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic' Registry value not found. Registry value not found. False
18.9.16.2 (L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage' Registry value not found. False
18.9.16.3 (L1) Ensure 'Disable pre-release features or settings' is set to 'Disabled' Registry key not found. False
18.9.16.4 (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled' Registry value not found. False
18.9.16.5 (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled' Registry key not found. False
18.9.17.1 (L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet' Registry key not found. False
18.9.26.1.1 (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Registry key not found. False
18.9.26.1.2 (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' Registry key not found. False
18.9.26.2.1 (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Registry key not found. False
18.9.26.2.2 (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' Registry key not found. False
18.9.26.3.1 (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Registry key not found. False
18.9.26.3.2 (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' Registry key not found. False
18.9.26.4.1 (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Registry key not found. False
18.9.26.4.2 (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' Registry key not found. False
18.9.30.2 (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' Registry key not found. False
18.9.30.3 (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' Registry key not found. False
18.9.30.4 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' Registry value not found. False
18.9.35.1 (L1) Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled' Registry key not found. False
18.9.39.2 (L2) Ensure 'Turn off location' is set to 'Enabled' Registry key not found. False
18.9.43.1 (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' Registry key not found. False
18.9.44.1 (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' Registry key not found. False
18.9.45.1 (L2) Ensure 'Allow Address bar drop-down list suggestions' is set to 'Disabled' Registry key not found. False
18.9.45.2 (L2) Ensure 'Allow Adobe Flash' is set to 'Disabled' Registry key not found. False
18.9.45.3 (L2) Ensure 'Allow InPrivate Browsing' is set to 'Disabled' Registry key not found. False
18.9.45.4 (L1) Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher Registry key not found. False
18.9.45.5 (L1) Ensure 'Configure Password Manager' is set to 'Disabled' Registry key not found. False
18.9.45.6 (L2) Ensure 'Configure Pop-up Blocker' is set to 'Enabled' Registry key not found. False
18.9.45.7 (L2) Ensure 'Configure search suggestions in Address bar' is set to 'Disabled' Registry key not found. False
18.9.45.8 (L1) Ensure 'Configure the Adobe Flash Click-to-Run setting' is set to 'Enabled' Registry key not found. False
18.9.45.9 (L2) Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled' Registry key not found. False
18.9.45.10 (L2) Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled' Registry key not found. False
18.9.52.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' Registry key not found. False
18.9.57.1 (L2) Ensure 'Turn off Push To Install service' is set to 'Enabled' Registry key not found. False
18.9.58.2.2 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' Registry value not found. False
18.9.58.3.2.1 (L2) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled' Registry value not found. False
18.9.58.3.3.1 (L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled' Registry value not found. False
18.9.58.3.3.2 (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled' Registry value not found. False
18.9.58.3.3.3 (L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled' Registry value not found. False
18.9.58.3.3.4 (L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' Registry value not found. False
18.9.58.3.9.1 (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' Registry value not found. False
18.9.58.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' Registry value not found. False
18.9.58.3.9.3 (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' Registry value not found. False
18.9.58.3.10.1 (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less' Registry value not found. False
18.9.58.3.10.2 (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' Registry value not found. False
18.9.58.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' Registry value not found. False
18.9.58.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled' Registry value not found. False
18.9.59.1 (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' Registry key not found. False
18.9.60.2 (L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search' Compliant True
18.9.60.3 (L1) Ensure 'Allow Cortana' is set to 'Disabled' Registry key not found. False
18.9.60.4 (L1) Ensure 'Allow Cortana above lock screen' is set to 'Disabled' Registry key not found. False
18.9.60.5 (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' Registry key not found. False
18.9.60.6 (L1) Ensure 'Allow search and Cortana to use location' is set to 'Disabled' Registry key not found. False
18.9.65.1 (L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled' Registry key not found. False
18.9.68.1 (L2) Ensure 'Disable all apps from Windows Store' is set to 'Disabled' Registry key not found. False
18.9.68.2 (L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled' Registry key not found. False
18.9.68.3 (L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled' Registry key not found. False
18.9.68.4 (L2) Ensure 'Turn off the Store application' is set to 'Enabled' Registry key not found. False
18.9.76.3.1 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' Registry key not found. False
18.9.76.3.2 (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled' Compliant True
18.9.76.7.1 (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled' Registry key not found. False
18.9.76.9.1 (L2) Ensure 'Configure Watson events' is set to 'Disabled' Registry key not found. False
18.9.76.10.1 (L1) Ensure 'Scan removable drives' is set to 'Enabled' Registry key not found. False
18.9.76.10.2 (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled' Registry key not found. False
18.9.76.13.1.1 (L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' Registry key not found. False
18.9.76.13.1.2 (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured' Registry key not found. False
18.9.76.13.3.1 (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' Registry key not found. False
18.9.76.14 (L1) Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled' Registry value not found. False
18.9.77.1 (NG) Ensure 'Allow auditing events in Windows Defender Application Guard' is set to 'Enabled' Registry key not found. False
18.9.77.2 (NG) Ensure 'Allow data persistence for Windows Defender Application Guard' is set to 'Disabled' Registry key not found. False
18.9.77.3 (NG) Ensure 'Configure Windows Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host' Registry key not found. False
18.9.77.4 (NG) Ensure 'Turn on Windows Defender Application Guard in Enterprise Mode' is set to 'Enabled' Registry key not found. False
18.9.79.1.1 (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled' Registry key not found. False
18.9.80.1.1 (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' Registry value not found. False
18.9.80.2.1 (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled' Registry key not found. False
18.9.80.2.2 (L1) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled' Registry key not found. False
18.9.80.2.3 (L1) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled' Registry key not found. False
18.9.82.1 (L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled' Registry key not found. False
18.9.84.1 (L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' Registry key not found. False
18.9.84.2 (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On' Registry key not found. Registry key not found. False
18.9.85.1 (L1) Ensure 'Allow user control over installs' is set to 'Disabled' Registry key not found. False
18.9.85.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' Registry key not found. False
18.9.85.3 (L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' Registry key not found. False
18.9.86.1 (L1) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled' Registry value not found. False
18.9.95.1 (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' Registry key not found. False
18.9.95.2 (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' Registry key not found. False
18.9.97.1.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' Registry key not found. False
18.9.97.1.2 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' Registry key not found. False
18.9.97.1.3 (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' Registry key not found. False
18.9.97.2.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' Registry key not found. False
18.9.97.2.2 (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' Registry key not found. False
18.9.97.2.3 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' Registry key not found. False
18.9.97.2.4 (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' Registry key not found. False
18.9.98.1 (L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled' Registry key not found. False
18.9.101.1.1 (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds' Registry key not found. False
18.9.101.1.2 (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' Registry key not found. False
18.9.101.1.3 (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' Registry key not found. False
18.9.101.2 (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled' Registry key not found. False
18.9.101.3 (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' Registry key not found. False
18.9.101.4 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' Registry key not found. False

User Rights Assignment

Id Task Message Audit
2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' Compliant True
2.2.2 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users' The following users have too many rights: Everyone, BUILTIN\Users, BUILTIN\Backup Operators False
2.2.3 (L1) Ensure 'Act as part of the operating system' is set to 'No One' Compliant True
2.2.4 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' Compliant True
2.2.5 (L1) Ensure 'Allow log on locally' is set to 'Administrators, Users' The following users have too many rights: DESKTOP-VSBMIM9\Guest, BUILTIN\Backup Operators False
2.2.6 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' Compliant True
2.2.7 (L1) Ensure 'Back up files and directories' is set to 'Administrators' The following users have too many rights: BUILTIN\Backup Operators False
2.2.8 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' Compliant True
2.2.9 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users' Compliant True
2.2.10 (L1) Ensure 'Create a pagefile' is set to 'Administrators' Compliant True
2.2.11 (L1) Ensure 'Create a token object' is set to 'No One' Compliant True
2.2.12 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' Compliant True
2.2.13 (L1) Ensure 'Create permanent shared objects' is set to 'No One' Compliant True
2.2.14 (L1) Configure 'Create symbolic links' Compliant True
2.2.15 (L1) Ensure 'Debug programs' is set to 'Administrators' Compliant True
2.2.16 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account' The following users have too many rights: DESKTOP-VSBMIM9\Guest False
2.2.17 (L1) Ensure 'Deny log on as a batch job' to include 'Guests' The following users don't have the rights: False
2.2.18 (L1) Ensure 'Deny log on as a service' to include 'Guests' The following users don't have the rights: False
2.2.19 (L1) Ensure 'Deny log on locally' to include 'Guests' The following users have too many rights: DESKTOP-VSBMIM9\Guest False
2.2.20 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account' The following users don't have the rights: False
2.2.21 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' Compliant True
2.2.22 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' Compliant True
2.2.23 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' Compliant True
2.2.24 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' Compliant True
2.2.25 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators' The following users have too many rights: Window Manager\Window Manager Group False
2.2.26 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' Compliant True
2.2.27 (L1) Ensure 'Lock pages in memory' is set to 'No One' Compliant True
2.2.28 (L2) Ensure 'Log on as a batch job' is set to 'Administrators' The following users have too many rights: BUILTIN\Backup Operators, BUILTIN\Performance Log Users False
2.2.29 (L2) Ensure 'Log on as a service' is set to 'No One' The following users have too many rights: NT SERVICE\ALL SERVICES False
2.2.30 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' Compliant True
2.2.31 (L1) Ensure 'Modify an object label' is set to 'No One' Compliant True
2.2.32 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' Compliant True
2.2.33 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' Compliant True
2.2.34 (L1) Ensure 'Profile single process' is set to 'Administrators' Compliant True
2.2.35 (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' The following users have too many rights: NT SERVICE\WdiServiceHost False
2.2.36 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' Compliant True
2.2.37 (L1) Ensure 'Restore files and directories' is set to 'Administrators' The following users have too many rights: BUILTIN\Backup Operators False
2.2.38 (L1) Ensure 'Shut down the system' is set to 'Administrators, Users' The following users have too many rights: BUILTIN\Backup Operators False
2.2.39 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' Compliant True

Account Policies

Id Task Message Audit
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' Currently set to: 0. Expected: greater than or equal 24 False
1.1.2 (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' Compliant True
1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' Currently set to: 0. Expected: greater than or equal 1 False
1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' Currently set to: 0. Expected: greater than or equal 14 False
1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' Currently set to: 0. Expected: equals 1 False
1.1.6 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' Compliant True
1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' Currently not set. False
1.2.2 (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' Currently set to: 0. Expected: greater than 0 False
1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' Currently not set. False

Windows Firewall with Advanced Security

Id Task Message Audit
17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' Set to: No Auditing False
17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' Set to: No Auditing False
17.2.2 (L1) Ensure 'Audit Computer Account Management' is set to 'Success and Failure' Set to: No Auditing False
17.2.3 (L1) Ensure 'Audit Other Account Management Events' is set to 'Success and Failure' Set to: No Auditing False
17.2.4 (L1) Ensure 'Audit Security Group Management' is set to 'Success and Failure' Set to: Success False
17.2.5 (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' Set to: Success False
17.3.1 (L1) Ensure 'Audit PNP Activity' is set to 'Success' Set to: No Auditing Set to: No Auditing False
17.3.2 (L1) Ensure 'Audit Process Creation' is set to 'Success' Set to: No Auditing Set to: No Auditing False
17.5.1 (L1) Ensure 'Audit Account Lockout' is set to 'Success and Failure' Set to: Success False
17.5.2 (L1) Ensure 'Audit Group Membership' is set to 'Success' Set to: No Auditing Set to: No Auditing False
17.5.3 (L1) Ensure 'Audit Logoff' is set to 'Success' Compliant True
17.5.4 (L1) Ensure 'Audit Logon' is set to 'Success and Failure' Compliant True
17.5.5 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' Set to: No Auditing False
17.5.6 (L1) Ensure 'Audit Special Logon' is set to 'Success' Compliant True
17.6.1 (L1) Ensure 'Audit File Share' is set to 'Success and Failure' Set to: No Auditing False
17.6.2 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' Set to: No Auditing False
17.6.3 (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' Set to: No Auditing False
17.7.1 (L1) Ensure 'Audit Audit Policy Change' is set to 'Success and Failure' Set to: Success False
17.7.2 (L1) Ensure 'Audit Authentication Policy Change' is set to 'Success' Compliant True
17.7.3 (L1) Ensure 'Audit Authorization Policy Change' is set to 'Success' Set to: No Auditing Set to: No Auditing False
17.8.1 (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' Set to: No Auditing False
17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' Set to: No Auditing False
17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' Compliant True
17.9.3 (L1) Ensure 'Audit Security State Change' is set to 'Success' Compliant True
17.9.4 (L1) Ensure 'Audit Security System Extension' is set to 'Success and Failure' Set to: No Auditing False
17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' Compliant True

Advanced Audit Policy Configuration

Id Task Message Audit
17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' Set to: No Auditing False
17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' Set to: No Auditing False
17.2.2 (L1) Ensure 'Audit Computer Account Management' is set to 'Success and Failure' Set to: No Auditing False
17.2.3 (L1) Ensure 'Audit Other Account Management Events' is set to 'Success and Failure' Set to: No Auditing False
17.2.4 (L1) Ensure 'Audit Security Group Management' is set to 'Success and Failure' Set to: Success False
17.2.5 (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' Set to: Success False
17.3.1 (L1) Ensure 'Audit PNP Activity' is set to 'Success' Set to: No Auditing Set to: No Auditing False
17.3.2 (L1) Ensure 'Audit Process Creation' is set to 'Success' Set to: No Auditing Set to: No Auditing False
17.5.1 (L1) Ensure 'Audit Account Lockout' is set to 'Success and Failure' Set to: Success False
17.5.2 (L1) Ensure 'Audit Group Membership' is set to 'Success' Set to: No Auditing Set to: No Auditing False
17.5.3 (L1) Ensure 'Audit Logoff' is set to 'Success' Compliant True
17.5.4 (L1) Ensure 'Audit Logon' is set to 'Success and Failure' Compliant True
17.5.5 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' Set to: No Auditing False
17.5.6 (L1) Ensure 'Audit Special Logon' is set to 'Success' Compliant True
17.6.1 (L1) Ensure 'Audit File Share' is set to 'Success and Failure' Set to: No Auditing False
17.6.2 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' Set to: No Auditing False
17.6.3 (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' Set to: No Auditing False
17.7.1 (L1) Ensure 'Audit Audit Policy Change' is set to 'Success and Failure' Set to: Success False
17.7.2 (L1) Ensure 'Audit Authentication Policy Change' is set to 'Success' Compliant True
17.7.3 (L1) Ensure 'Audit Authorization Policy Change' is set to 'Success' Set to: No Auditing Set to: No Auditing False
17.8.1 (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' Set to: No Auditing False
17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' Set to: No Auditing False
17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' Compliant True
17.9.3 (L1) Ensure 'Audit Security State Change' is set to 'Success' Compliant True
17.9.4 (L1) Ensure 'Audit Security System Extension' is set to 'Success and Failure' Set to: No Auditing False
17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' Compliant True