16.8

Settings Overview

Table Of Content

Click the link(s) below for quick access to a report section.

General Benchmarks
- Security Base Data
Microsoft Benchmarks
CIS Benchmarks

General Benchmarks-↑

This section contains general benchmarks

Security Base Data-↑

This section contains basic recommendations for a secure Microsoft Windows configuration.

Id	Task	Message	Status
SBD-001	Ensure the system is booting in 'UEFI' mode.	Compliant	True
SBD-002	Ensure the system is using SecureBoot.	Compliant	True
SBD-003	Ensure the TPM Chip is 'present'.	The TPM Chip is not 'present'.	False
SBD-004	Ensure the TPM Chip is 'ready'.	The TPM Chip is not 'ready'.	False
SBD-005	Ensure the TPM Chip is 'enabled'.	The TPM Chip is not 'enabled'.	False
SBD-006	Ensure the TPM Chip is 'activated'.	The TPM Chip is not 'activated'.	False
SBD-007	Ensure the TPM Chip is 'owned'.	The TPM Chip is not 'owned'.	False
SBD-008	Ensure the TPM Chip is implementing specification version 2.0 or higher.	No TPM Chip detected.	None
SBD-009	Get the count of local users on the system.	System has 3-5 local users.	Warning
SBD-010	Get the count of admin users on the system.	Compliant	True
SBD-011	Ensure the status of the Bitlocker service is 'Running'.	Bitlocker feature is not installed.	False
SBD-012	Ensure that Bitlocker is activated on all volumes.	Bitlocker feature is not installed.	False
SBD-013	Ensure the status of the Windows Defender service is 'Running'.	Compliant	True
SBD-014	Ensure the status of the Microsoft Defender for Endpoint service is 'Running'.	Service is not 'Running' (More info).	False
SBD-015	Ensure the Windows Firewall is enabled on all profiles.	Compliant	True
SBD-016	Check if the last successful search for updates was in the past 24 hours.	Last search for updates was more than 5 days ago.	False
SBD-017	Check if the last successful installation of updates was in the past 5 days.	Compliant	True
SBD-018	Ensure Virtualization Based Security is enabled and running.	VBS is not activated.	False
SBD-019	Ensure Hypervisor-protected Code Integrity (HVCI) is running.	HVCI is not running.	False
SBD-020	Ensure Credential Guard is running.	Credential Guard is not running.	False
SBD-021	Ensure the Attack Surface Reduction (ASR) rules are enabled.	ASR rules are not enabled.	False
SBD-022	Ensure Windows Defender Application Guard is enabled.	Windows Defender Application Guard is not enabled.	False

Microsoft Benchmarks-↑

This section contains all benchmarks from Microsoft

Registry Settings/Group Policies-↑

Id	Task	Message	Status
Registry-001	Ensure 'Remove "Run this time" button for outdated ActiveX controls in Internet Explorer ' is set to 'Enabled'.	Registry value not found.	False
Registry-002	Ensure 'Turn off blocking of outdated ActiveX controls for Internet Explorer' is set to 'Disabled'.	Registry value not found.	False
Registry-003	Ensure 'Allow software to run or install even if the signature is invalid' is set to 'Disabled'.	Registry key not found.	False
Registry-004	Set registry value 'CheckExeSignatures' to yes.	Registry key not found.	False
Registry-005	Ensure 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' is set to 'Enabled'.	Registry key not found.	False
Registry-006	Ensure 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' is set to 'Enabled'.	Registry key not found.	False
Registry-007	Set registry value 'Isolation' to PMEM.	Registry key not found.	False
Registry-008	Set registry value '(Reserved)' to 1.	Registry key not found.	False
Registry-009	Set registry value 'iexplore.exe' to 1.	Registry key not found.	False
Registry-010	Set registry value 'explorer.exe' to 1.	Registry key not found.	False
Registry-011	Set registry value 'explorer.exe' to 1.	Registry key not found.	False
Registry-012	Set registry value 'iexplore.exe' to 1.	Registry key not found.	False
Registry-013	Set registry value '(Reserved)' to 1.	Registry key not found.	False
Registry-014	Set registry value 'explorer.exe' to 1.	Registry key not found.	False
Registry-015	Set registry value 'iexplore.exe' to 1.	Registry key not found.	False
Registry-016	Set registry value '(Reserved)' to 1.	Registry key not found.	False
Registry-017	Set registry value '(Reserved)' to 1.	Registry key not found.	False
Registry-018	Set registry value 'explorer.exe' to 1.	Registry key not found.	False
Registry-019	Set registry value 'iexplore.exe' to 1.	Registry key not found.	False
Registry-020	Set registry value '(Reserved)' to 1.	Registry key not found.	False
Registry-021	Set registry value 'iexplore.exe' to 1.	Registry key not found.	False
Registry-022	Set registry value 'explorer.exe' to 1.	Registry key not found.	False
Registry-023	Set registry value '(Reserved)' to 1.	Registry key not found.	False
Registry-024	Set registry value 'iexplore.exe' to 1.	Registry key not found.	False
Registry-025	Set registry value 'explorer.exe' to 1.	Registry key not found.	False
Registry-026	Set registry value 'iexplore.exe' to 1.	Registry key not found.	False
Registry-027	Set registry value '(Reserved)' to 1.	Registry key not found.	False
Registry-028	Set registry value 'explorer.exe' to 1.	Registry key not found.	False
Registry-029	Set registry value '(Reserved)' to 1.	Registry key not found.	False
Registry-030	Set registry value 'explorer.exe' to 1.	Registry key not found.	False
Registry-031	Set registry value 'iexplore.exe' to 1.	Registry key not found.	False
Registry-032	Set registry value 'PreventOverrideAppRepUnknown' to 1.	Registry key not found.	False
Registry-033	Set registry value 'PreventOverride' to 1.	Registry key not found.	False
Registry-034	Ensure 'Prevent managing SmartScreen Filter' is set to 'On'.	Registry key not found.	False
Registry-035	Set registry value 'NoCrashDetection' to 1.	Registry key not found.	False
Registry-036	Ensure 'Turn off the Security Settings Check feature' is set to 'Disabled'.	Registry key not found.	False
Registry-037	Ensure 'Prevent per-user installation of ActiveX controls' is set to 'Enabled'.	Registry key not found.	False
Registry-038	Ensure 'Specify use of ActiveX Installer Service for installation of ActiveX controls' is set to 'Enabled'.	Registry key not found.	False
Registry-039	Set registry value 'Security_zones_map_edit' to 1.	Registry value not found.	False
Registry-040	Set registry value 'Security_options_edit' to 1.	Registry value not found.	False
Registry-041	Set registry value 'Security_HKLM_only' to 1.	Registry value not found.	False
Registry-042	Ensure 'Check for server certificate revocation' is set to 'Enabled'.	Registry value not found.	False
Registry-043	Ensure 'Prevent ignoring certificate errors' is set to 'Enabled'.	Registry value not found.	False
Registry-044	Set registry value 'WarnOnBadCertRecving' to 1.	Registry value not found.	False
Registry-045	Ensure 'Allow fallback to SSL 3.0 (Internet Explorer)' is set to 'No Sites'.	Registry value not found.	False
Registry-046	Ensure 'Turn off encryption support' is set to 'Use TLS 1.1 and TLS 1.2'.	Registry value not found.	False
Registry-047	Ensure 'Java permissions' is set to 'Disable Java'.	Registry key not found.	False
Registry-048	Ensure 'Java permissions' is set to 'Disable Java'.	Registry key not found.	False
Registry-049	Ensure 'Java permissions' is set to 'Disable Java'.	Registry key not found.	False
Registry-050	Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.	Registry key not found.	False
Registry-051	Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.	Registry key not found.	False
Registry-052	Ensure 'Java permissions' is set to 'Disable Java'.	Registry key not found.	False
Registry-053	Ensure 'Intranet Sites: Include all network paths (UNCs)' is set to 'Disabled'.	Registry key not found.	False
Registry-054	Ensure 'Java permissions' is set to 'Disable Java'.	Registry key not found.	False
Registry-055	Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.	Registry key not found.	False
Registry-056	Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.	Registry key not found.	False
Registry-057	Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.	Registry key not found.	False
Registry-058	Ensure 'Java permissions' is set to 'High safety'.	Registry key not found.	False
Registry-059	Ensure 'Java permissions' is set to 'High safety'.	Registry key not found.	False
Registry-060	Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.	Registry key not found.	False
Registry-061	Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.	Registry key not found.	False
Registry-062	Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'.	Registry key not found.	False
Registry-063	Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'.	Registry key not found.	False
Registry-064	Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'.	Registry key not found.	False
Registry-065	Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'.	Registry key not found.	False
Registry-066	Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.	Registry key not found.	False
Registry-067	Ensure 'Access data sources across domains' is set to 'Disable'.	Registry key not found.	False
Registry-068	Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'.	Registry key not found.	False
Registry-069	Ensure 'Automatic prompting for file downloads' is set to 'Disable'.	Registry key not found.	False
Registry-070	Ensure 'Allow scriptlets' is set to 'Disable'.	Registry key not found.	False
Registry-071	Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'.	Registry key not found.	False
Registry-072	Ensure 'Use Pop-up Blocker' is set to 'Enable'.	Registry key not found.	False
Registry-073	Ensure 'Turn on Protected Mode' is set to 'Enable'.	Registry key not found.	False
Registry-074	Ensure 'Allow updates to status bar via script' is set to 'Disable'.	Registry key not found.	False
Registry-075	Ensure 'Userdata persistence' is set to 'Disable'.	Registry key not found.	False
Registry-076	Ensure 'Allow loading of XAML files' is set to 'Disable'.	Registry key not found.	False
Registry-077	Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'.	Registry key not found.	False
Registry-078	Ensure 'Java permissions' is set to 'Disable Java'.	Registry key not found.	False
Registry-079	Ensure 'Download signed ActiveX controls' is set to 'Disable'.	Registry key not found.	False
Registry-080	Ensure 'Logon options' is set to 'Prompt for user name and password'.	Registry key not found.	False
Registry-081	Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'.	Registry key not found.	False
Registry-082	Ensure 'Download unsigned ActiveX controls' is set to 'Disable'.	Registry key not found.	False
Registry-083	Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'.	Registry key not found.	False
Registry-084	Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'.	Registry key not found.	False
Registry-085	Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'.	Registry key not found.	False
Registry-086	Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.	Registry key not found.	False
Registry-087	Ensure 'Navigate windows and frames across different domains' is set to 'Disable'.	Registry key not found.	False
Registry-088	Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'.	Registry key not found.	False
Registry-089	Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'.	Registry key not found.	False
Registry-090	Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.	Registry key not found.	False
Registry-091	Ensure 'Show security warning for potentially unsafe files' is set to 'Prompt'.	Registry key not found.	False
Registry-092	Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'.	Registry key not found.	False
Registry-093	Set registry value '140C' to 3.	Registry key not found.	False
Registry-094	Ensure 'Allow META REFRESH' is set to 'Disable'.	Registry key not found.	False
Registry-095	Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.	Registry key not found.	False
Registry-096	Ensure 'Download signed ActiveX controls' is set to 'Disable'.	Registry key not found.	False
Registry-097	Ensure 'Navigate windows and frames across different domains' is set to 'Disable'.	Registry key not found.	False
Registry-098	Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'.	Registry key not found.	False
Registry-099	Ensure 'Use Pop-up Blocker' is set to 'Enable'.	Registry key not found.	False
Registry-100	Ensure 'Download unsigned ActiveX controls' is set to 'Disable'.	Registry key not found.	False
Registry-101	Ensure 'Userdata persistence' is set to 'Disable'.	Registry key not found.	False
Registry-102	Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'.	Registry key not found.	False
Registry-103	Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'.	Registry key not found.	False
Registry-104	Ensure 'Access data sources across domains' is set to 'Disable'.	Registry key not found.	False
Registry-105	Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'.	Registry key not found.	False
Registry-106	Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'.	Registry key not found.	False
Registry-107	Ensure 'Automatic prompting for file downloads' is set to 'Disable'.	Registry key not found.	False
Registry-108	Ensure 'Allow binary and script behaviors' is set to 'Disable'.	Registry key not found.	False
Registry-109	Ensure 'Scripting of Java applets' is set to 'Disable'.	Registry key not found.	False
Registry-110	Ensure 'Allow file downloads' is set to 'Disable'.	Registry key not found.	False
Registry-111	Ensure 'Allow loading of XAML files' is set to 'Disable'.	Registry key not found.	False
Registry-112	Ensure 'Allow active scripting' is set to 'Disable'.	Registry key not found.	False
Registry-113	Ensure 'Logon options' is set to 'Anonymous logon'.	Registry key not found.	False
Registry-114	Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'.	Registry key not found.	False
Registry-115	Ensure 'Turn on Protected Mode' is set to 'Enable'.	Registry key not found.	False
Registry-116	Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'.	Registry key not found.	False
Registry-117	Ensure 'Java permissions' is set to 'Disable Java'.	Registry key not found.	False
Registry-118	Ensure 'Allow scriptlets' is set to 'Disable'.	Registry key not found.	False
Registry-119	Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.	Registry key not found.	False
Registry-120	Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'.	Registry key not found.	False
Registry-121	Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'.	Registry key not found.	False
Registry-122	Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'.	Registry key not found.	False
Registry-123	Ensure 'Allow updates to status bar via script' is set to 'Disable'.	Registry key not found.	False
Registry-124	Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'.	Registry key not found.	False
Registry-125	Ensure 'Script ActiveX controls marked safe for scripting' is set to 'Disable'.	Registry key not found.	False
Registry-126	Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'.	Registry key not found.	False
Registry-127	Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.	Registry key not found.	False
Registry-128	Ensure 'Run ActiveX controls and plugins' is set to 'Disable'.	Registry key not found.	False
Registry-129	Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'.	Registry key not found.	False
Registry-130	Ensure 'Show security warning for potentially unsafe files' is set to 'Disable'.	Registry key not found.	False
Registry-131	Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'.	Registry key not found.	False
Registry-132	Set registry value '140C' to 3.	Registry key not found.	False
Registry-133	Ensure 'Turn off Autoplay' is set to 'All drives'.	Registry value not found.	False
Registry-134	Ensure 'Set the default behavior for AutoRun' is set to 'Do not execute any autorun commands'.	Registry value not found.	False
Registry-135	Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'.	Compliant	True
Registry-136	Set registry value 'LocalAccountTokenFilterPolicy' to 0.	Registry value not found.	False
Registry-137	Set registry value 'AllowEncryptionOracle' to 0.	Registry key not found.	False
Registry-138	Set registry value 'EnhancedAntiSpoofing' to 1.	Registry key not found.	False
Registry-139	Ensure 'Prevent downloading of enclosures' is set to 'Enabled'.	Registry key not found.	False
Registry-140	Set registry value 'AllowProtectedCreds' to 1.	Registry key not found.	False
Registry-141	Ensure 'Specify the maximum log file size (KB)' is set to '32768'.	Registry key not found.	False
Registry-142	Ensure 'Specify the maximum log file size (KB)' is set to '196608'.	Registry key not found.	False
Registry-143	Ensure 'Specify the maximum log file size (KB)' is set to '32768'.	Registry key not found.	False
Registry-144	Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'.	Registry key not found.	False
Registry-145	Ensure 'Configure registry policy processing' is set to '0'.	Registry key not found.	False
Registry-146	Ensure 'Configure registry policy processing' is set to '0'.	Registry key not found.	False
Registry-148	Ensure 'Allow user control over installs' is set to 'Disabled'.	Registry key not found.	False
Registry-149	Set registry value 'DeviceEnumerationPolicy' to 0.	Registry key not found.	False
Registry-150	Ensure 'Enable insecure guest logons' is set to 'Disabled'.	Registry key not found.	False
Registry-151	Set registry value '\\*\SYSVOL' to RequireMutualAuthentication=1,RequireIntegrity=1.	Registry value is ''. Expected: RequireMutualAuthentication=1,RequireIntegrity=1	False
Registry-152	Set registry value '\\*\NETLOGON' to RequireMutualAuthentication=1,RequireIntegrity=1.	Registry value is ''. Expected: RequireMutualAuthentication=1,RequireIntegrity=1	False
Registry-153	Set registry value 'NoLockScreenCamera' to 1.	Registry key not found.	False
Registry-154	Set registry value 'NoLockScreenSlideshow' to 1.	Registry key not found.	False
Registry-155	Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'.	Registry key not found.	False
Registry-156	Ensure 'Turn on PowerShell Script Block Logging' is not set.	Compliant. Registry key not found.	True
Registry-157	Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'.	Registry value not found.	False
Registry-158	Ensure 'Configure Windows SmartScreen' is set to 'Enabled'.	Registry value not found.	False
Registry-159	Set registry value 'ShellSmartScreenLevel' to Block.	Registry value not found.	False
Registry-160	Set registry value 'AllowIndexingEncryptedStoresOrItems' to 0.	Registry key not found.	False
Registry-161	Ensure 'Allow Basic authentication' is set to 'Disabled'.	Registry key not found.	False
Registry-162	Ensure 'Allow unencrypted traffic' is set to 'Disabled'.	Registry key not found.	False
Registry-163	Ensure 'Disallow Digest authentication' is set to 'Enabled'.	Registry key not found.	False
Registry-164	Ensure 'Allow Basic authentication' is set to 'Disabled'.	Registry key not found.	False
Registry-165	Ensure 'Allow unencrypted traffic' is set to 'Disabled'.	Registry key not found.	False
Registry-166	Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'.	Registry key not found.	False
Registry-167	Ensure 'Turn off multicast name resolution' is set to 'Enabled'.	Registry key not found.	False
Registry-168	Set registry value 'RestrictDriverInstallationToAdministrators' to 1.	Registry key not found.	False
Registry-169	Ensure 'Restrict Unauthenticated RPC clients' is set to 'Authenticated'.	Registry key not found.	False
Registry-170	Set registry value 'DisablePasswordSaving' to 1.	Registry value not found.	False
Registry-171	Set registry value 'fDisableCdm' to 1.	Registry value not found.	False
Registry-172	Set registry value 'fPromptForPassword' to 1.	Registry value not found.	False
Registry-173	Set registry value 'fEncryptRPCTraffic' to 1.	Registry value not found.	False
Registry-174	Set registry value 'MinEncryptionLevel' to 3.	Registry value not found.	False
Registry-175	Set registry value 'PolicyVersion' to 538.	Registry key not found.	False
Registry-176	Domain: Set registry value 'DefaultOutboundAction' to 0.	Registry key not found.	False
Registry-177	Domain: Set registry value 'DefaultInboundAction' to 1.	Registry key not found.	False
Registry-178	Domain: Set registry value 'EnableFirewall' to 1.	Registry key not found.	False
Registry-179	Private: Set registry value 'EnableFirewall' to 1.	Registry key not found.	False
Registry-180	Private: Set registry value 'DefaultInboundAction' to 1.	Registry key not found.	False
Registry-181	Private: Set registry value 'DefaultOutboundAction' to 0.	Registry key not found.	False
Registry-182	Public: Set registry value 'EnableFirewall' to 1.	Registry key not found.	False
Registry-183	Public: Set registry value 'DefaultOutboundAction' to 0.	Registry key not found.	False
Registry-184	Public: Set registry value 'DefaultInboundAction' to 1.	Registry key not found.	False
Registry-185	Ensure 'Allow Windows Ink Workspace' is set to 'On, but disallow access above lock'.	Registry key not found.	False
Registry-186	Set registry value 'AdmPwdEnabled' to 1.	Registry key not found.	False
Registry-187	Ensure 'WDigest Authentication (disabling may require KB2871997)' is set to 'Disabled'.	Registry value not found.	False
Registry-188	Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'.	Compliant	True
Registry-189	Set registry value 'DriverLoadPolicy' to 3.	Registry key not found.	False
Registry-190	Ensure 'Configure SMB v1 server' is set to 'Disabled'.	Registry value not found.	False
Registry-191	Ensure 'Configure SMB v1 client driver' is set to 'Disable driver (recommended)'.	Registry key not found.	False
Registry-192	Set registry value 'NoNameReleaseOnDemand' to 1.	Registry value not found.	False
Registry-193	Set registry value 'NodeType' to 2.	Registry value not found.	False
Registry-194	Set registry value 'EnableICMPRedirect' to 0.	Registry value not found.	False
Registry-195	Set registry value 'DisableIPSourceRouting' to 2.	Registry value not found.	False
Registry-196	Set registry value 'DisableIPSourceRouting' to 2.	Registry value not found.	False
Registry-197	Set registry value 'RestrictRemoteSAM' to O:BAG:BAD:(A;;RC;;;BA).	Registry value not found.	False
Registry-198	Set registry value 'EnablePlainTextPassword' to 0.	Compliant	True
Registry-199	Set registry value 'NoLMHash' to 1.	Compliant	True
Registry-200	Set registry value 'LimitBlankPasswordUse' to 1.	Compliant	True
Registry-201	Set registry value 'ProtectionMode' to 1.	Compliant	True
Registry-202	Set registry value 'RestrictAnonymous' to 1.	Registry value is '0'. Expected: 1	False
Registry-203	Set registry value 'RestrictNullSessAccess' to 1.	Compliant	True
Registry-204	Set registry value 'RestrictAnonymousSAM' to 1.	Compliant	True
Registry-205	Set registry value 'requirestrongkey' to 1.	Compliant	True
Registry-206	Set registry value 'requiresecuritysignature' to 1.	Registry value is '0'. Expected: 1	False
Registry-207	Set registry value 'RequireSecuritySignature' to 1.	Registry value is '0'. Expected: 1	False
Registry-208	Set registry value 'signsecurechannel' to 1.	Compliant	True
Registry-209	Set registry value 'requiresignorseal' to 1.	Compliant	True
Registry-210	Set registry value 'NTLMMinServerSec' to 537395200.	Registry value is '536870912'. Expected: 537395200	False
Registry-211	Set registry value 'sealsecurechannel' to 1.	Compliant	True
Registry-212	Set registry value 'NTLMMinClientSec' to 537395200.	Registry value is '536870912'. Expected: 537395200	False
Registry-213	Set registry value 'LmCompatibilityLevel' to 5.	Registry value not found.	False
Registry-214	Set registry value 'LDAPClientIntegrity' to 1.	Compliant	True
Registry-215	Set registry value 'EnableSecureUIAPaths' to 1.	Compliant	True
Registry-216	Set registry value 'ConsentPromptBehaviorUser' to 0.	Registry value is '3'. Expected: 0	False
Registry-217	Set registry value 'ConsentPromptBehaviorAdmin' to 2.	Registry value is '5'. Expected: 2	False
Registry-218	Set registry value 'EnableInstallerDetection' to 1.	Compliant	True
Registry-219	Set registry value 'EnableLUA' to 1.	Compliant	True
Registry-220	Set registry value 'FilterAdministratorToken' to 1.	Registry value not found.	False
Registry-221	Set registry value 'EnableVirtualization' to 1.	Compliant	True
Registry-222	Set registry value 'SCENoApplyLegacyAuditPolicy' to 1.	Registry value not found.	False
Registry-223	Set registry value 'ScRemoveOption' to 1.	Registry value is '0'. Expected: 1	False
Registry-224	Set registry value 'InactivityTimeoutSecs' to 900.	Registry value not found.	False
Registry-225	Set registry value 'allownullsessionfallback' to 0.	Registry value not found.	False
Registry-273	Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'.	Registry key not found.	False
Registry-274	Ensure 'Turn On Virtualization Based Security' is set to 'Secure Boot'.	Registry key not found.	False
Registry-275	Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'.	Registry key not found.	False
Registry-276	Set registry value 'HVCIMATRequired' to 1.	Registry key not found.	False
Registry-277	Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'.	Registry key not found.	False
Registry-278	Set registry value 'ConfigureSystemGuardLaunch' to 1.	Registry key not found.	False
Registry-279	Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'.	Registry key not found.	False
Registry-280	Ensure 'Turn On Virtualization Based Security' is set to 'Secure Boot'.	Registry key not found.	False
Registry-281	Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'.	Registry key not found.	False
Registry-282	Set registry value 'HVCIMATRequired' to 1.	Registry key not found.	False
Registry-283	Ensure 'Turn On Virtualization Based Security' is set to 'Disabled'.	Registry key not found.	False
Registry-284	Set registry value 'ConfigureSystemGuardLaunch' to 1.	Registry key not found.	False
Registry-285	Set registry value 'PUAProtection' to 1.	Registry key not found.	False
Registry-286	Set registry value 'MpCloudBlockLevel' to 2.	Registry key not found.	False
Registry-287	Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'.	Registry key not found.	False
Registry-288	Ensure 'Turn off real-time protection' is set to 'Disabled'.	Registry key not found.	False
Registry-289	Set registry value 'DisableScriptScanning' to 0.	Registry key not found.	False
Registry-290	Ensure 'Scan removable drives' is set to 'Enabled'.	Registry key not found.	False
Registry-291	Ensure 'Send file samples when further analysis is required' is set to 'Send safe samples'.	Registry key not found.	False
Registry-292	Ensure 'Join Microsoft MAPS' is set to 'Advanced MAPS'.	Registry key not found.	False
Registry-293	Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled'.	Registry key not found.	False
Registry-294	Set registry value 'ExploitGuard_ASR_Rules' to 1.	Registry key not found.	False
Registry-295	Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes)	Registry key not found.	False
Registry-296	Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)	Registry key not found.	False
Registry-297	Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)	Registry key not found.	False
Registry-298	Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)	Registry key not found.	False
Registry-299	Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)	Registry key not found.	False
Registry-300	Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)	Registry key not found.	False
Registry-301	Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)	Registry key not found.	False
Registry-302	Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))	Registry key not found.	False
Registry-303	Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)	Registry key not found.	False
Registry-304	Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)	Registry key not found.	False
Registry-305	Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)	Registry key not found.	False
Registry-306	Ensure 'Configure Attack Surface Reduction rules' is configured (Use advanced protection against ransomware)	Registry key not found.	False
Registry-307	Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription)	Registry key not found.	False
Registry-308	Set registry value 'EnableNetworkProtection' to 1.	Registry key not found.	False
Registry-316	Set registry value 'FormSuggest Passwords' to 1.	Registry key not found.	False
Registry-317	Ensure 'Turn on the auto-complete feature for user names and passwords on forms' is set to 'no'.	Registry key not found.	False
Registry-318	Set registry value 'FormSuggest Passwords' to no.	Registry key not found.	False
Registry-319	Ensure 'Turn off Autoplay' is set to 'All drives'.	Registry value not found.	False
Registry-320	Ensure 'Set the default behavior for AutoRun' is set to 'Do not execute any autorun commands'.	Registry value not found.	False
Registry-321	Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'.	Compliant	True
Registry-322	Set registry value 'AllowEncryptionOracle' to 0.	Registry key not found.	False
Registry-323	Set registry value 'EnhancedAntiSpoofing' to 1.	Registry key not found.	False
Registry-324	Ensure 'Prevent downloading of enclosures' is set to 'Enabled'.	Registry key not found.	False
Registry-325	Set registry value 'AllowProtectedCreds' to 1.	Registry key not found.	False
Registry-326	Ensure 'Specify the maximum log file size (KB)' is set to '32768'.	Registry key not found.	False
Registry-327	Ensure 'Specify the maximum log file size (KB)' is set to '196608'.	Registry key not found.	False
Registry-328	Ensure 'Specify the maximum log file size (KB)' is set to '32768'.	Registry key not found.	False
Registry-329	Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'.	Registry key not found.	False
Registry-330	Ensure 'Configure registry policy processing' is set to '0'.	Registry key not found.	False
Registry-331	Ensure 'Configure registry policy processing' is set to '0'.	Registry key not found.	False
Registry-332	Set registry value 'AlwaysInstallElevated' to 0.	Registry key not found.	False
Registry-333	Ensure 'Allow user control over installs' is set to 'Disabled'.	Registry key not found.	False
Registry-334	Set registry value 'DeviceEnumerationPolicy' to 0.	Registry key not found.	False
Registry-335	Ensure 'Enable insecure guest logons' is set to 'Disabled'.	Registry key not found.	False
Registry-336	Set registry value '\\*\NETLOGON' to RequireMutualAuthentication=1,RequireIntegrity=1.	Registry value is ''. Expected: RequireMutualAuthentication=1,RequireIntegrity=1	False
Registry-337	Set registry value '\\*\SYSVOL' to RequireMutualAuthentication=1,RequireIntegrity=1.	Registry value is ''. Expected: RequireMutualAuthentication=1,RequireIntegrity=1	False
Registry-338	Set registry value 'NoLockScreenCamera' to 1.	Registry key not found.	False
Registry-339	Set registry value 'NoLockScreenSlideshow' to 1.	Registry key not found.	False
Registry-340	Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'.	Registry key not found.	False
Registry-341	Ensure 'Turn on PowerShell Script Block Logging' is not set.	Compliant. Registry key not found.	True
Registry-343	Set registry value 'EnforcementMode' to 1.	Registry key not found.	False
Registry-358	Ensure 'Configure Windows SmartScreen' is set to 'Enabled'.	Registry value not found.	False
Registry-359	Set registry value 'ShellSmartScreenLevel' to Block.	Registry value not found.	False
Registry-360	Set registry value 'AllowIndexingEncryptedStoresOrItems' to 0.	Registry key not found.	False
Registry-361	Ensure 'Allow Basic authentication' is set to 'Disabled'.	Registry key not found.	False
Registry-362	Ensure 'Allow unencrypted traffic' is set to 'Disabled'.	Registry key not found.	False
Registry-363	Ensure 'Disallow Digest authentication' is set to 'Enabled'.	Registry key not found.	False
Registry-364	Ensure 'Allow Basic authentication' is set to 'Disabled'.	Registry key not found.	False
Registry-365	Ensure 'Allow unencrypted traffic' is set to 'Disabled'.	Registry key not found.	False
Registry-366	Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'.	Registry key not found.	False
Registry-367	Ensure 'Turn off multicast name resolution' is set to 'Enabled'.	Registry key not found.	False
Registry-368	Set registry value 'RestrictDriverInstallationToAdministrators' to 1.	Registry key not found.	False
Registry-369	Set registry value 'DisablePasswordSaving' to 1.	Registry value not found.	False
Registry-370	Set registry value 'fDisableCdm' to 1.	Registry value not found.	False
Registry-371	Set registry value 'fPromptForPassword' to 1.	Registry value not found.	False
Registry-372	Set registry value 'fEncryptRPCTraffic' to 1.	Registry value not found.	False
Registry-373	Set registry value 'MinEncryptionLevel' to 3.	Registry value not found.	False
Registry-374	Set registry value 'PolicyVersion' to 538.	Registry key not found.	False
Registry-375	Domain: Set registry value 'DefaultOutboundAction' to 0.	Registry key not found.	False
Registry-376	Domain: Set registry value 'DefaultInboundAction' to 1.	Registry key not found.	False
Registry-377	Domain: Set registry value 'EnableFirewall' to 1.	Registry key not found.	False
Registry-378	Private: Set registry value 'EnableFirewall' to 1.	Registry key not found.	False
Registry-379	Private: Set registry value 'DefaultInboundAction' to 1.	Registry key not found.	False
Registry-380	Private: Set registry value 'DefaultOutboundAction' to 0.	Registry key not found.	False
Registry-381	Public: Set registry value 'EnableFirewall' to 1.	Registry key not found.	False
Registry-382	Public: Set registry value 'DefaultOutboundAction' to 0.	Registry key not found.	False
Registry-383	Public: Set registry value 'DefaultInboundAction' to 1.	Registry key not found.	False
Registry-384	Ensure 'Allow Windows Ink Workspace' is set to 'On, but disallow access above lock'.	Registry key not found.	False
Registry-385	Ensure 'WDigest Authentication (disabling may require KB2871997)' is set to 'Disabled'.	Registry value not found.	False
Registry-386	Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'.	Compliant	True
Registry-387	Set registry value 'DriverLoadPolicy' to 3.	Registry key not found.	False
Registry-388	Ensure 'Configure SMB v1 server' is set to 'Disabled'.	Registry value not found.	False
Registry-389	Ensure 'Configure SMB v1 client driver' is set to 'Disable driver (recommended)'.	Registry key not found.	False
Registry-390	Set registry value 'NoNameReleaseOnDemand' to 1.	Registry value not found.	False
Registry-391	Set registry value 'NodeType' to 2.	Registry value not found.	False
Registry-392	Set registry value 'EnableICMPRedirect' to 0.	Registry value not found.	False
Registry-393	Set registry value 'DisableIPSourceRouting' to 2.	Registry value not found.	False
Registry-394	Set registry value 'DisableIPSourceRouting' to 2.	Registry value not found.	False
Registry-395	Set registry value 'allownullsessionfallback' to 0.	Registry value not found.	False
Registry-396	Set registry value 'InactivityTimeoutSecs' to 900.	Registry value not found.	False
Registry-397	Set registry value 'ScRemoveOption' to 1.	Registry value is '0'. Expected: 1	False
Registry-398	Set registry value 'SCENoApplyLegacyAuditPolicy' to 1.	Registry value not found.	False
Registry-399	Set registry value 'EnableVirtualization' to 1.	Compliant	True
Registry-400	Set registry value 'FilterAdministratorToken' to 1.	Registry value not found.	False
Registry-401	Set registry value 'EnableLUA' to 1.	Compliant	True
Registry-402	Set registry value 'EnableInstallerDetection' to 1.	Compliant	True
Registry-403	Set registry value 'ConsentPromptBehaviorAdmin' to 2.	Registry value is '5'. Expected: 2	False
Registry-404	Set registry value 'ConsentPromptBehaviorUser' to 0.	Registry value is '3'. Expected: 0	False
Registry-405	Set registry value 'EnableSecureUIAPaths' to 1.	Compliant	True
Registry-406	Set registry value 'LDAPClientIntegrity' to 1.	Compliant	True
Registry-407	Set registry value 'LmCompatibilityLevel' to 5.	Registry value not found.	False
Registry-408	Set registry value 'NTLMMinClientSec' to 537395200.	Registry value is '536870912'. Expected: 537395200	False
Registry-409	Set registry value 'sealsecurechannel' to 1.	Compliant	True
Registry-410	Set registry value 'NTLMMinServerSec' to 537395200.	Registry value is '536870912'. Expected: 537395200	False
Registry-411	Set registry value 'requiresignorseal' to 1.	Compliant	True
Registry-423	Set registry value 'LDAPServerIntegrity' to 2.	Registry key not found.	False
Registry-424	Ensure 'Extended Protection for LDAP Authentication (Domain Controllers only)' is set to 'Enabled, always (recommended)'.	Registry key not found.	False

User Rights Assignment-↑

Id	Task	Message	Status
UserRight-227	Ensure 'SeSecurityPrivilege' is set to 'S-1-5-32-544'	Compliant	True
UserRight-228	Ensure 'SeCreateTokenPrivilege' is set to ''	Compliant	True
UserRight-229	Ensure 'SeTrustedCredManAccessPrivilege' is set to ''	Compliant	True
UserRight-230	Ensure 'SeCreatePagefilePrivilege' is set to 'S-1-5-32-544'	Compliant	True
UserRight-231	Ensure 'SeRemoteShutdownPrivilege' is set to 'S-1-5-32-544'	Compliant	True
UserRight-232	Ensure 'SeLoadDriverPrivilege' is set to 'S-1-5-32-544'	Compliant	True
UserRight-233	Ensure 'SeRestorePrivilege' is set to 'S-1-5-32-544'	The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators	False
UserRight-234	Ensure 'SeCreateGlobalPrivilege' is set to 'S-1-5-20, S-1-5-19, S-1-5-6, S-1-5-32-544'	Compliant	True
UserRight-235	Ensure 'SeManageVolumePrivilege' is set to 'S-1-5-32-544'	Compliant	True
UserRight-236	Ensure 'SeInteractiveLogonRight' is set to 'S-1-5-32-544'	The user right 'SeInteractiveLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators	False
UserRight-237	Ensure 'SeEnableDelegationPrivilege' is set to ''	Compliant	True
UserRight-238	Ensure 'SeCreatePermanentPrivilege' is set to ''	Compliant	True
UserRight-239	Ensure 'SeDebugPrivilege' is set to 'S-1-5-32-544'	Compliant	True
UserRight-240	Ensure 'SeProfileSingleProcessPrivilege' is set to 'S-1-5-32-544'	Compliant	True
UserRight-241	Ensure 'SeBackupPrivilege' is set to 'S-1-5-32-544'	The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators	False
UserRight-242	Ensure 'SeNetworkLogonRight' is set to 'S-1-5-11, S-1-5-32-544'	The user right 'SeNetworkLogonRight' contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\Authenticated Users	False
UserRight-243	Ensure 'SeDenyNetworkLogonRight' is set to 'S-1-5-114'	The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\Local account and member of Administrators group	False
UserRight-244	Ensure 'SeImpersonatePrivilege' is set to 'S-1-5-20, S-1-5-19, S-1-5-6, S-1-5-32-544'	The user right 'SeImpersonatePrivilege' contains following unexpected users: BUILTIN\IIS_IUSRS	False
UserRight-245	Ensure 'SeSystemEnvironmentPrivilege' is set to 'S-1-5-32-544'	Compliant	True
UserRight-246	Ensure 'SeLockMemoryPrivilege' is set to ''	Compliant	True
UserRight-247	Ensure 'SeTcbPrivilege' is set to ''	Compliant	True
UserRight-248	Ensure 'SeTakeOwnershipPrivilege' is set to 'S-1-5-32-544'	Compliant	True
UserRight-249	Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'S-1-5-113'	The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\Local account	False
UserRight-428	Ensure 'SeTrustedCredManAccessPrivilege' is set to ''	Compliant	True
UserRight-429	Ensure 'SeRemoteInteractiveLogonRight' is set to 'S-1-5-32-544'	The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: BUILTIN\Remote Desktop Users	False

Account Policies-↑

Id	Task	Message	Status
AccountPolicy-309	Ensure 'MinimumPasswordLength' is set to '14'.	'MinimumPasswordLength' currently set to: 0. Expected: 14	False
AccountPolicy-310	Ensure 'PasswordComplexity' is set to '1'.	Compliant	True
AccountPolicy-311	Ensure 'PasswordHistorySize' is set to '24'.	'PasswordHistorySize' currently set to: 0. Expected: 24	False
AccountPolicy-312	Ensure 'LockoutBadCount' is set to '10'.	'LockoutBadCount' currently set to: 0. Expected: 10	False
AccountPolicy-313	Ensure 'ResetLockoutCount' is set to '15'.	Currently not set.	False
AccountPolicy-314	Ensure 'LockoutDuration' is set to '15'.	Currently not set.	False
AccountPolicy-315	Ensure 'ClearTextPassword' is set to '0'.	Compliant	True

Advanced Audit Policy Configuration-↑

Id	Task	Message	Status
AuditPolicy-250	Ensure 'Credential Validation' is set to 'Success' and is set to 'Failure'.	Set to: Success	False
AuditPolicy-251	Ensure 'Security Group Management' is set to 'Success'.	Compliant	True
AuditPolicy-252	Ensure 'User Account Management' is set to 'Success' and is set to 'Failure'.	Set to: Success	False
AuditPolicy-253	Ensure 'Plug and Play Events' is set to 'Success'.	Set to: No Auditing	False
AuditPolicy-254	Ensure 'Process Creation' is set to 'Success'.	Set to: No Auditing	False
AuditPolicy-255	Ensure 'Account Lockout' is set to 'Failure'.	Set to: Success	False
AuditPolicy-256	Ensure 'Group Membership' is set to 'Success'.	Set to: No Auditing	False
AuditPolicy-257	Ensure 'Logon' is set to 'Success' and is set to 'Failure'.	Compliant	True
AuditPolicy-258	Ensure 'Other Logon/Logoff Events' is set to 'Success' and is set to 'Failure'.	Set to: No Auditing	False
AuditPolicy-259	Ensure 'Special Logon' is set to 'Success'.	Compliant	True
AuditPolicy-260	Ensure 'Detailed File Share' is set to 'Failure'.	Set to: No Auditing	False
AuditPolicy-261	Ensure 'File Share' is set to 'Success' and is set to 'Failure'.	Set to: No Auditing	False
AuditPolicy-262	Ensure 'Other Object Access Events' is set to 'Success' and is set to 'Failure'.	Set to: No Auditing	False
AuditPolicy-263	Ensure 'Removable Storage' is set to 'Success' and is set to 'Failure'.	Set to: No Auditing	False
AuditPolicy-264	Ensure 'Audit Policy Change' is set to 'Success'.	Compliant	True
AuditPolicy-265	Ensure 'Authentication Policy Change' is set to 'Success'.	Compliant	True
AuditPolicy-266	Ensure 'MPSSVC Rule-Level Policy Change' is set to 'Success' and is set to 'Failure'.	Set to: No Auditing	False
AuditPolicy-267	Ensure 'Other Policy Change Events' is set to 'Failure'.	Set to: No Auditing	False
AuditPolicy-268	Ensure 'Sensitive Privilege Use' is set to 'Success' and is set to 'Failure'.	Set to: No Auditing	False
AuditPolicy-269	Ensure 'Other System Events' is set to 'Success' and is set to 'Failure'.	Compliant	True
AuditPolicy-270	Ensure 'Security State Change' is set to 'Success'.	Compliant	True
AuditPolicy-271	Ensure 'Security System Extension' is set to 'Success'.	Set to: No Auditing	False
AuditPolicy-272	Ensure 'System Integrity' is set to 'Success' and is set to 'Failure'.	Compliant	True
AuditPolicy-449	Ensure 'Kerberos Authentication Service' is set to 'Success' and is set to 'Failure'.	Set to: Success	False
AuditPolicy-450	Ensure 'Kerberos Service Ticket Operations' is set to 'Failure'.	Set to: Success	False
AuditPolicy-451	Ensure 'Computer Account Management' is set to 'Success'.	Compliant	True
AuditPolicy-452	Ensure 'Other Account Management Events' is set to 'Success'.	Set to: No Auditing	False
AuditPolicy-457	Ensure 'Directory Service Access' is set to 'Failure'.	Set to: Success	False
AuditPolicy-458	Ensure 'Directory Service Changes' is set to 'Success'.	Set to: No Auditing	False

CIS Benchmarks-↑

This section contains all benchmarks from CIS

Registry Settings/Group Policies-↑

Id	Task	Message	Status
1.1.6	(L1) Ensure 'Relax minimum password length limits' is set to 'Enabled'	Registry value not found.	False
2.3.1.2	(L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'	Registry value not found.	False
2.3.1.4	(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'	Compliant	True
2.3.2.1	(L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'	Registry value not found.	False
2.3.2.2	(L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'	Compliant	True
2.3.4.1	(L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'	Registry value not found.	False
2.3.4.2	(L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'	Compliant	True
2.3.5.1	(L1) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)	Registry value not found.	False
2.3.5.2	(L1) Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' (DC Only)	Compliant. Registry value not found.	True
2.3.5.3	(L1) Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only)	Registry key not found.	False
2.3.5.4	(L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)	Registry key not found.	False
2.3.5.5	(L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only)	Registry value not found.	False
2.3.6.1	(L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'	Compliant	True
2.3.6.2	(L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'	Compliant	True
2.3.6.3	(L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'	Compliant	True
2.3.6.4	(L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'	Compliant	True
2.3.6.5	(L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'	Compliant	True
2.3.6.6	(L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'	Compliant	True
2.3.7.1	(L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'	Compliant	True
2.3.7.2	(L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'	Registry value is '0'. Expected: 1	False
2.3.7.3	(L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'	Registry value not found.	False
2.3.7.4	(L1) Configure 'Interactive logon: Message text for users attempting to log on'	Compliant	True
2.3.7.5	(L1) Configure 'Interactive logon: Message title for users attempting to log on'	Registry value is ''. Expected: Matching expression '.+'	False
2.3.7.6	(L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only)	Registry value is '10'. Expected: Matching expression '^[43210]$'	False
2.3.7.7	(L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'	Compliant	True
2.3.7.8	(L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only)	Registry value is '0'. Expected: 1	False
2.3.7.9	(L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher	Registry value is '0'. Expected: Matching expression '^(1\|2\|3)$'	False
2.3.8.1	(L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'	Registry value is '0'. Expected: 1	False
2.3.8.2	(L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'	Compliant	True
2.3.8.3	(L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'	Compliant	True
2.3.9.1	(L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'	Compliant	True
2.3.9.2	(L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'	Registry value is '0'. Expected: 1	False
2.3.9.3	(L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'	Registry value is '0'. Expected: 1	False
2.3.9.4	(L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'	Compliant	True
2.3.9.5	(L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only)	Registry value not found.	False
2.3.10.1	(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'	Registry value not found.	False
2.3.10.2	(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only)	Compliant	True
2.3.10.3	(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only)	Registry value is '0'. Expected: 1	False
2.3.10.4	(L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'	Registry value is '0'. Expected: 1	False
2.3.10.5	(L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'	Compliant	True
2.3.10.6	(L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only)	Registry value is ''. Expected: LSARPC NETLOGON SAMR	False
2.3.10.7	(L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only)	Compliant	True
2.3.10.8	(L1) Configure 'Network access: Remotely accessible registry paths' is configured	Compliant	True
2.3.10.9	(L1) Configure 'Network access: Remotely accessible registry paths and sub-paths' is configured	Registry value is 'System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog'. Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog System\CurrentControlSet\Services\CertSvc System\CurrentControlSet\Services\WINS	False
2.3.10.10	(L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'	Compliant	True
2.3.10.11	(L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only)	Registry value not found.	False
2.3.10.12	(L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'	Compliant. Registry value not found.	True
2.3.10.13	(L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'	Compliant	True
2.3.11.1	(L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'	Registry value not found.	False
2.3.11.2	(L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'	Registry value not found.	False
2.3.11.3	(L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Registry key not found.	False
2.3.11.4	(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'	Registry key not found.	False
2.3.11.5	(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'	Compliant	True
2.3.11.7	(L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM'	Registry value not found.	False
2.3.11.8	(L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher	Compliant	True
2.3.11.9	(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'	Registry value is '536870912'. Expected: 537395200	False
2.3.11.10	(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'	Registry value is '536870912'. Expected: 537395200	False
2.3.13.1	(L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'	Compliant	True
2.3.15.1	(L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'	Compliant	True
2.3.15.2	(L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'	Compliant	True
2.3.17.1	(L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'	Registry value not found.	False
2.3.17.2	(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'	Registry value is '5'. Expected: 2	False
2.3.17.3	(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'	Registry value is '3'. Expected: 0	False
2.3.17.4	(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'	Compliant	True
2.3.17.5	(L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'	Compliant	True
2.3.17.6	(L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'	Compliant	True
2.3.17.7	(L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'	Compliant	True
2.3.17.8	(L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'	Compliant	True
5.1	(L1) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only)	Registry value is '2'. Expected: x == 4	False
5.2	(L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (MS only)	Registry value is '2'. Expected: 4	False
9.1.1	(L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'	Registry key not found.	False
9.1.2	(L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'	Registry key not found.	False
9.1.3	(L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'	Registry key not found.	False
9.1.4	(L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'	Registry key not found.	False
9.1.5	(L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'	Registry key not found.	False
9.1.6	(L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'	Registry key not found.	False
9.1.7	(L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'	Registry key not found.	False
9.1.8	(L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'	Registry key not found.	False
9.2.1	(L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'	Registry key not found.	False
9.2.2	(L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'	Registry key not found.	False
9.2.3	(L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'	Registry key not found.	False
9.2.4	(L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'	Registry key not found.	False
9.2.5	(L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'	Registry key not found.	False
9.2.6	(L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'	Registry key not found.	False
9.2.7	(L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'	Registry key not found.	False
9.2.8	(L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'	Registry key not found.	False
9.3.1	(L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'	Registry key not found.	False
9.3.2	(L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'	Registry key not found.	False
9.3.3	(L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'	Registry key not found.	False
9.3.4	(L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'	Registry key not found.	False
9.3.5	(L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'	Registry key not found.	False
9.3.6	(L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'	Registry key not found.	False
9.3.7	(L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'	Registry key not found.	False
9.3.8	(L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'	Registry key not found.	False
9.3.9	(L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'	Registry key not found.	False
9.3.10	(L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'	Registry key not found.	False
18.1.1.1	(L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'	Registry key not found.	False
18.1.1.2	(L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'	Registry key not found.	False
18.1.2.2	(L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'	Registry key not found.	False
18.1.3	(L2) Ensure 'Allow Online Tips' is set to 'Disabled'	Registry value not found.	False
18.2.2	(L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)	Registry key not found.	False
18.2.3	(L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)	Registry key not found.	False
18.2.4	(L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)	Registry key not found.	False
18.2.5	(L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' (MS only)	Registry key not found.	False
18.2.6	(L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)	Registry key not found.	False
18.3.1	(L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)	Registry value not found.	False
18.3.2	(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'	Registry key not found.	False
18.3.3	(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'	Registry value not found.	False
18.3.4	(L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'	Compliant	True
18.3.5	(L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' (Automated)	Registry key not found.	False
18.3.6	(L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'	Registry value not found.	False
18.3.7	(L1) Ensure 'WDigest Authentication' is set to 'Disabled'	Registry value not found.	False
18.4.1	(L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'	Registry value not found.	False
18.4.2	(L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'	Registry value not found.	False
18.4.3	(L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'	Registry value not found.	False
18.4.4	(L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'	Registry value not found.	False
18.4.5	(L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'	Registry value not found.	False
18.4.6	(L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'	Registry value not found.	False
18.4.7	(L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'	Registry value not found.	False
18.4.8	(L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'	Registry value not found.	False
18.4.9	(L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'	Registry value not found.	False
18.4.10	(L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'	Registry value not found.	False
18.4.11	(L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'	Registry value not found.	False
18.4.12	(L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'	Registry value not found.	False
18.5.4.1	(L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher	Registry key not found.	False
18.5.4.2	(L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'	Registry key not found.	False
18.5.5.1	(L2) Ensure 'Enable Font Providers' is set to 'Disabled'	Registry value not found.	False
18.5.8.1	(L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'	Registry key not found.	False
18.5.9.1 A	(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (AllowLLTDIOOnDomain)	Registry key not found.	False
18.5.9.1 B	(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (AllowLLTDIOOnPublicNet)	Registry key not found.	False
18.5.9.1 C	(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (EnableLLTDIO)	Registry key not found.	False
18.5.9.1 D	(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (ProhibitLLTDIOOnPrivateNet)	Registry key not found.	False
18.5.9.2 A	(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (AllowRspndrOnDomain)	Registry key not found.	False
18.5.9.2 B	(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (AllowRspndrOnPublicNet)	Registry key not found.	False
18.5.9.2 C	(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (EnableRspndr)	Registry key not found.	False
18.5.9.2 D	(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (ProhibitRspndrOnPrivateNet)	Registry key not found.	False
18.5.10.2	(L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'	Registry key not found.	False
18.5.11.2	(L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'	Registry value not found.	False
18.5.11.3	(L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'	Registry value not found.	False
18.5.11.4	(L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'	Registry value not found.	False
18.5.14.1 A	(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' (\\*\SYSVOL)	Registry value is ''. Expected: RequireMutualAuthentication=1, RequireIntegrity=1	False
18.5.14.1 B	(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' (\\*\NETLOGON)	Registry value is ''. Expected: RequireMutualAuthentication=1, RequireIntegrity=1	False
18.5.19.2.1	(L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')	Registry value not found.	False
18.5.20.1 A	(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (EnableRegistrars)	Registry key not found.	False
18.5.20.1 B	(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableUPnPRegistrar)	Registry key not found.	False
18.5.20.1 C	(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableInBand802DOT11Registrar)	Registry key not found.	False
18.5.20.1 D	(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableFlashConfigRegistrar)	Registry key not found.	False
18.5.20.1 E	(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableWPDRegistrar)	Registry key not found.	False
18.5.20.2	(L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'	Registry key not found.	False
18.5.21.1	(L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'	Registry value not found.	False
18.5.21.2	(L2) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only)	Registry value not found.	False
18.6.1	(L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'	Registry key not found.	False
18.6.2	(L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'	Registry key not found.	False
18.6.3	(L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'	Registry key not found.	False
18.7.1.1	(L2) Ensure 'Turn off notifications network usage' is set to 'Enabled'	Registry key not found.	False
18.8.3.1	(L1) Ensure 'Include command line in process creation events' is set to 'Enabled'	Registry value not found.	False
18.8.4.1	(L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'	Registry key not found.	False
18.8.4.2	(L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'	Registry key not found.	False
18.8.5.1	(NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'	Registry key not found.	False
18.8.5.2	(NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection'	Registry key not found.	False
18.8.5.3	(NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'	Registry key not found.	False
18.8.5.4	(NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'	Registry key not found.	False
18.8.5.5	(NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only)	Registry key not found.	False
18.8.5.6	(NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Disabled' (DC Only)	Registry key not found.	False
18.8.5.7	(NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'	Registry key not found.	False
18.8.7.2	(L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled' (Automated)	Registry key not found.	False
18.8.14.1	(L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'	Registry key not found.	False
18.8.21.2	(L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'	Registry key not found.	False
18.8.21.3	(L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'	Registry key not found.	False
18.8.21.4	(L1) Ensure 'Continue experiences on this device' is set to 'Disabled'	Registry value not found.	False
18.8.21.5	(L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'	Registry value not found.	False
18.8.22.1.1	(L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'	Registry key not found.	False
18.8.22.1.2	(L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'	Registry key not found.	False
18.8.22.1.3	(L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'	Registry key not found.	False
18.8.22.1.4	(L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'	Registry key not found.	False
18.8.22.1.5	(L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'	Registry value not found.	False
18.8.22.1.6	(L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled'	Registry key not found.	False
18.8.22.1.7	(L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'	Registry key not found.	False
18.8.22.1.8	(L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'	Registry key not found.	False
18.8.22.1.9	(L2) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'	Registry value not found.	False
18.8.22.1.10	(L2) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'	Registry value not found.	False
18.8.22.1.11	(L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'	Registry key not found.	False
18.8.22.1.12	(L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'	Registry key not found.	False
18.8.22.1.13 A	(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (Disabled)	Registry key not found.	False
18.8.22.1.13 B	(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (DoReport)	Registry key not found.	False
18.8.25.1 A	(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitBehavior)	Registry key not found.	False
18.8.25.1 B	(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitEnabled)	Registry key not found.	False
18.8.26.1	(L1) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'	Registry key not found.	False
18.8.27.1	(L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'	Registry key not found.	False
18.8.28.1	(L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'	Registry value not found.	False
18.8.28.2	(L1) Ensure 'Do not display network selection UI' is set to 'Enabled'	Registry value not found.	False
18.8.28.3	(L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'	Registry value not found.	False
18.8.28.4	(L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS only)	Registry value not found.	False
18.8.28.5	(L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'	Registry value not found.	False
18.8.28.6	(L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'	Registry value not found.	False
18.8.28.7	(L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'	Registry value not found.	False
18.8.31.1	(L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'	Registry value not found.	False
18.8.31.2	(L2) Ensure 'Allow upload of User Activities' is set to 'Disabled'	Registry value not found.	False
18.8.34.6.1	(L2) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'	Registry key not found.	False
18.8.34.6.2	(L2) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'	Registry key not found.	False
18.8.34.6.3	(L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'	Registry key not found.	False
18.8.34.6.4	(L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'	Registry key not found.	False
18.8.36.1	(L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'	Registry value not found.	False
18.8.36.2	(L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'	Registry value not found.	False
18.8.37.1	(L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only)	Registry key not found.	False
18.8.37.2	(L2) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (MS only)	Registry key not found.	False
18.8.40.1	(L1) Ensure 'Configure validation of ROCA-vulnerable WHfB keys during authentication' is set to 'Enabled: Audit' or higher (DC only)	Registry key not found.	False
18.8.48.5.1	(L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'	Registry key not found.	False
18.8.48.11.1	(L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'	Registry key not found.	False
18.8.50.1	(L2) Ensure 'Turn off the advertising ID' is set to 'Enabled'	Registry key not found.	False
18.8.53.1.1	(L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled'	Registry key not found.	False
18.8.53.1.2	(L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only)	Registry key not found.	False
18.9.4.1	(L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'	Registry key not found.	False
18.9.6.1	(L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'	Registry value not found.	False
18.9.8.1	(L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'	Registry key not found.	False
18.9.8.2	(L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'	Registry value not found.	False
18.9.8.3	(L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'	Registry value not found.	False
18.9.10.1.1	(L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'	Registry key not found.	False
18.9.12.1	(L2) Ensure 'Allow Use of Camera' is set to 'Disabled'	Registry key not found.	False
18.9.14.1	(L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'	Registry key not found.	False
18.9.14.2	(L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'	Registry key not found.	False
18.9.15.1	(L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'	Registry key not found.	False
18.9.16.1	(L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'	Registry key not found.	False
18.9.16.2	(L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'	Registry key not found.	False
18.9.17.1	(L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic'	Registry value not found.	False
18.9.17.2	(L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'	Registry value not found.	False
18.9.17.3	(L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled'	Registry value not found.	False
18.9.17.4	(L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'	Registry value not found.	False
18.9.17.5	(L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled'	Registry key not found.	False
18.9.17.6	(L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'	Registry value not found.	False
18.9.17.7	(L1) Ensure 'Limit Dump Collection' is set to 'Enabled'	Registry value not found.	False
18.9.17.8	(L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'	Registry key not found.	False
18.9.27.1.1	(L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'	Registry key not found.	False
18.9.27.1.2	(L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'	Registry key not found.	False
18.9.27.2.1	(L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'	Registry key not found.	False
18.9.27.2.2	(L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'	Registry key not found.	False
18.9.27.3.1	(L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'	Registry key not found.	False
18.9.27.3.2	(L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'	Registry key not found.	False
18.9.27.4.1	(L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'	Registry key not found.	False
18.9.27.4.2	(L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'	Registry key not found.	False
18.9.31.2	(L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'	Registry key not found.	False
18.9.31.3	(L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'	Registry key not found.	False
18.9.31.4	(L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'	Registry value not found.	False
18.9.41.1	(L2) Ensure 'Turn off location' is set to 'Enabled'	Registry key not found.	False
18.9.45.1	(L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'	Registry key not found.	False
18.9.46.1	(L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'	Registry key not found.	False
18.9.47.4.1	(L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'	Registry key not found.	False
18.9.47.4.2	(L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'	Compliant. Registry key not found.	True
18.9.47.5.1.1	(L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'	Registry value not found.	False
18.9.47.5.1.2 A	(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office communication application from creating child processes' is configured	Registry key not found.	False
18.9.47.5.1.2 B	(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating executable content' is configured	Registry key not found.	False
18.9.47.5.1.2 C	(L1) Ensure 'Configure Attack Surface Reduction rules: Block execution of potentially obfuscated scripts' is configured	Registry key not found.	False
18.9.47.5.1.2 D	(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from injecting code into other processes' is configured	Registry key not found.	False
18.9.47.5.1.2 E	(L1) Ensure 'Configure Attack Surface Reduction rules: Block Adobe Reader from creating child processes' is configured	Registry key not found.	False
18.9.47.5.1.2 F	(L1) Ensure 'Configure Attack Surface Reduction rules: Block Win32 API calls from Office macro' is configured	Registry key not found.	False
18.9.47.5.1.2 G	(L1) Ensure 'Configure Attack Surface Reduction rules: Block credential stealing from the Windows local security authority subsystem (lsass.exe))' is configured	Registry key not found.	False
18.9.47.5.1.2 H	(L1) Ensure 'Configure Attack Surface Reduction rules: Block untrusted and unsigned processes that run from USB' is configured	Registry key not found.	False
18.9.47.5.1.2 I	(L1) Ensure 'Configure Attack Surface Reduction rules: Block executable content from email client and webmail' is configured	Registry key not found.	False
18.9.47.5.1.2 J	(L1) Ensure 'Configure Attack Surface Reduction rules: Block JavaScript or VBScript from launching downloaded executable content' is configured	Registry key not found.	False
18.9.47.5.1.2 K	(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating child processes' is configured	Registry key not found.	False
18.9.47.5.1.2 L	(L1) Ensure 'Configure Attack Surface Reduction rules: Block persistence through WMI event subscription' is configured	Registry key not found.	False
18.9.47.5.3.1	(L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'	Registry key not found.	False
18.9.47.6.1	(L2) Ensure 'Enable file hash computation feature' is set to 'Enabled'	Registry key not found.	False
18.9.47.9.1	(L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'	Registry key not found.	False
18.9.47.9.2	(L1) Ensure 'Turn off real-time protection' is set to 'Disabled'	Registry key not found.	False
18.9.47.9.3	(L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'	Registry key not found.	False
18.9.47.9.4	(L1) Ensure 'Turn on script scanning' is set to 'Enabled'	Registry key not found.	False
18.9.47.11.1	(L2) Ensure 'Configure Watson events' is set to 'Disabled'	Registry key not found.	False
18.9.47.12.1	(L1) Ensure 'Scan removable drives' is set to 'Enabled'	Registry key not found.	False
18.9.47.12.2	(L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'	Registry key not found.	False
18.9.47.15	(L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'	Registry key not found.	False
18.9.47.16	(L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'	Registry key not found.	False
18.9.58.1	(L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'	Registry key not found.	False
18.9.64.1	(L2) Ensure 'Turn off Push To Install service' is set to 'Enabled'	Registry key not found.	False
18.9.65.2.2	(L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'	Registry value not found.	False
18.9.65.3.2.1	(L2) Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'	Registry value not found.	False
18.9.65.3.3.1	(L2) Ensure 'Allow UI Automation redirection' is set to 'Disabled'	Registry value not found.	False
18.9.65.3.3.2	(L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled'	Registry value not found.	False
18.9.65.3.3.3	(L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'	Registry value not found.	False
18.9.65.3.3.4	(L2) Ensure 'Do not allow location redirection' is set to 'Enabled'	Registry value not found.	False
18.9.65.3.3.5	(L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'	Registry value not found.	False
18.9.65.3.3.6	(L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'	Registry value not found.	False
18.9.65.3.9.1	(L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'	Registry value not found.	False
18.9.65.3.9.2	(L1) Ensure 'Require secure RPC communication' is set to 'Enabled'	Registry value not found.	False
18.9.65.3.9.3	(L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'	Registry value not found.	False
18.9.65.3.9.4	(L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'	Registry value not found.	False
18.9.65.3.9.5	(L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'	Registry value not found.	False
18.9.65.3.10.1	(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'	Registry value not found.	False
18.9.65.3.10.2	(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'	Registry value not found.	False
18.9.65.3.11.1	(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'	Registry value not found.	False
18.9.65.3.11.2	(L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'	Registry value not found.	False
18.9.66.1	(L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'	Registry key not found.	False
18.9.67.2	(L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'	Compliant. Registry key not found.	True
18.9.67.3	(L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'	Registry key not found.	False
18.9.72.1	(L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'	Registry key not found.	False
18.9.85.1.1 A	(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (EnableSmartScreen)	Registry value not found.	False
18.9.85.1.1 B	(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (ShellSmartScreenLevel)	Registry value not found.	False
18.9.89.1	(L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'	Registry key not found.	False
18.9.89.2	(L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'	Registry key not found.	False
18.9.90.1	(L1) Ensure 'Allow user control over installs' is set to 'Disabled'	Registry key not found.	False
18.9.90.2	(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' (LocalMachine)	Registry key not found.	False
18.9.90.3	(L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'	Registry key not found.	False
18.9.91.1	(L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'	Compliant	True
18.9.100.1	(L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'	Registry key not found.	False
18.9.100.2	(L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'	Registry key not found.	False
18.9.102.1.1	(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Client)	Registry key not found.	False
18.9.102.1.2	(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Client)	Registry key not found.	False
18.9.102.1.3	(L1) Ensure 'Disallow Digest authentication' is set to 'Enabled'	Registry key not found.	False
18.9.102.2.1	(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Service)	Registry key not found.	False
18.9.102.2.2	(L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'	Registry key not found.	False
18.9.102.2.3	(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Service)	Registry key not found.	False
18.9.102.2.4	(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'	Registry key not found.	False
18.9.103.1	(L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'	Registry key not found.	False
18.9.105.2.1	(L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'	Registry key not found.	False
18.9.108.1.1	(L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'	Registry value not found.	False
18.9.108.2 A	(L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'	Registry value not found.	False
18.9.108.2.2	(L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'	Registry value not found.	False
18.9.108.4.1	(L1) Ensure 'Manage preview builds' is set to 'Disabled'	Registry value not found.	False
18.9.108.4.2 A	(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' (DeferFeatureUpdates)	Registry value not found.	False
18.9.108.4.2 B	(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' (DeferFeatureUpdatesPeriodInDays)	Registry value not found.	False
18.9.108.4.3 A	(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdates)	Registry value not found.	False
18.9.108.4.3 B	(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdatesPeriodInDays)	Registry value not found.	False
19.1.3.1	(L1) Ensure 'Enable screen saver' is set to 'Enabled'	Registry key not found.	False
19.1.3.2	(L1) Ensure 'Password protect the screen saver' is set to 'Enabled'	Registry key not found.	False
19.1.3.3	(L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'	Registry key not found.	False
19.5.1.1	(L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'	Registry key not found.	False
19.6.6.1.1	(L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'	Registry key not found.	False
19.7.4.1	(L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'	Registry key not found.	False
19.7.4.2	(L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'	Registry key not found.	False
19.7.8.1	(L1) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'	Registry value not found.	False
19.7.8.2	(L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'	Registry value not found.	False
19.7.8.3	(L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'	Registry value not found.	False
19.7.8.4	(L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'	Registry value not found.	False
19.7.8.5	(L1) Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'	Registry value not found.	False
19.7.28.1	(L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'	Registry key not found.	False
19.7.43.1	(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' (AlwaysInstallElevated)	Registry key not found.	False
19.7.47.2.1	(L2) Ensure 'Prevent Codec Download' is set to 'Enabled'	Registry key not found.	False

User Rights Assignment-↑

Id	Task	Message	Status
2.2.1	(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'	Compliant	True
2.2.2	(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only)	The user right 'SeNetworkLogonRight' contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\Authenticated Users, NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS	False
2.2.3	(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)	The user right 'SeNetworkLogonRight' contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\Authenticated Users	False
2.2.4	(L1) Ensure 'Act as part of the operating system' is set to 'No One'	Compliant	True
2.2.5	(L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only)	The user 'SeMachineAccountPrivilege' setting does not contain the following users: BUILTIN\Administrators	False
2.2.6	(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'	Compliant	True
2.2.7	(L1) Ensure 'Allow log on locally' is set to 'Administrators'	The user right 'SeInteractiveLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators	False
2.2.8	(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only)	The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: BUILTIN\Remote Desktop Users	False
2.2.9	(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)	Compliant	True
2.2.10	(L1) Ensure 'Back up files and directories' is set to 'Administrators'	The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators	False
2.2.11	(L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'	Compliant	True
2.2.12	(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'	Compliant	True
2.2.13	(L1) Ensure 'Create a pagefile' is set to 'Administrators'	Compliant	True
2.2.14	(L1) Ensure 'Create a token object' is set to 'No One'	Compliant	True
2.2.15	(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'	Compliant	True
2.2.16	(L1) Ensure 'Create permanent shared objects' is set to 'No One'	Compliant	True
2.2.17	(L1) Ensure 'Create symbolic links' is set to 'Administrators' (DC only)	Compliant	True
2.2.18 A	(L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only)[Hyper-V-Feature NOT installed]	Compliant	True
2.2.18 B	(L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only)[Hyper-V-Feature installed]	Compliant	True
2.2.19	(L1) Ensure 'Debug programs' is set to 'Administrators'	Compliant	True
2.2.20	(L1) Ensure 'Deny access to this computer from the network' to include 'Guests' (DC only)	The user 'SeDenyNetworkLogonRight' setting does not contain the following users: BUILTIN\Guests	False
2.2.21	(L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)	The user 'SeDenyNetworkLogonRight' setting does not contain the following users: BUILTIN\Guests, NT AUTHORITY\Local account and member of Administrators group	False
2.2.22	(L1) Ensure 'Deny log on as a batch job' to include 'Guests'	The user 'SeDenyBatchLogonRight' setting does not contain the following users: BUILTIN\Guests	False
2.2.23	(L1) Ensure 'Deny log on as a service' to include 'Guests'	The user 'SeDenyServiceLogonRight' setting does not contain the following users: BUILTIN\Guests	False
2.2.24	(L1) Ensure 'Deny log on locally' to include 'Guests'	The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: BUILTIN\Guests	False
2.2.25	(L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only)	The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: BUILTIN\Guests	False
2.2.26	(L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)	The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: BUILTIN\Guests, NT AUTHORITY\Local account	False
2.2.27	(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only)	The user 'SeEnableDelegationPrivilege' setting does not contain the following users: BUILTIN\Administrators	False
2.2.28	(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)	Compliant	True
2.2.29	(L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'	Compliant	True
2.2.30 A	(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' (ADFS-ROLE NOT installed)	Compliant	True
2.2.30 B	(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' (ADFS-ROLE installed)	The user 'SeAuditPrivilege' setting does not contain the following users: Orphaned Account, Orphaned Account	False
2.2.31	(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only)	The user right 'SeImpersonatePrivilege' contains following unexpected users: BUILTIN\IIS_IUSRS	False
2.2.32 A	(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (IIS Role NOT installed) (MS only)	The user right 'SeImpersonatePrivilege' contains following unexpected users: BUILTIN\IIS_IUSRS	False
2.2.32 B	(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE, IIS_IUSRS' (IIS Role installed) (MS only)	Compliant	True
2.2.33	(L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'	Compliant	True
2.2.34	(L1) Ensure 'Load and unload device drivers' is set to 'Administrators'	Compliant	True
2.2.35	(L1) Ensure 'Lock pages in memory' is set to 'No One'	Compliant	True
2.2.36	(L2) Ensure 'Log on as a batch job' is set to 'Administrators' (DC Only)	The user right 'SeBatchLogonRight' contains following unexpected users: BUILTIN\Backup Operators, BUILTIN\Performance Log Users, BUILTIN\IIS_IUSRS	False
2.2.37	(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' and (when Exchange is running in the environment) 'Exchange Servers' (DC only)	Compliant	True
2.2.38	(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)	Compliant	True
2.2.39	(L1) Ensure 'Modify an object label' is set to 'No One'	Compliant	True
2.2.40	(L1) Ensure 'Modify firmware environment values' is set to 'Administrators'	Compliant	True
2.2.41	(L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'	Compliant	True
2.2.42	(L1) Ensure 'Profile single process' is set to 'Administrators'	Compliant	True
2.2.43	(L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'	Compliant	True
2.2.44	(L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'	Compliant	True
2.2.45	(L1) Ensure 'Restore files and directories' is set to 'Administrators'	The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators	False
2.2.46	(L1) Ensure 'Shut down the system' is set to 'Administrators'	The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators	False
2.2.47	(L1) Ensure 'Synchronize directory service data' is set to 'No One' (DC only)	Compliant	True
2.2.48	(L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'	Compliant	True

Account Policies-↑

Id	Task	Message	Status
1.1.1	(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'	'PasswordHistorySize' currently set to: 0. Expected: x >= 24	False
1.1.2	(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'	Compliant	True
1.1.3	(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'	'MinimumPasswordAge' currently set to: 0. Expected: x >= 1 days	False
1.1.4	(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'	'MinimumPasswordLength' currently set to: 0. Expected: x >= 14	False
1.1.5	(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'	Compliant	True
1.1.7	(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'	Compliant	True
1.2.1	(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'	Currently not set.	False
1.2.2	(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'	'LockoutBadCount' currently set to: 0. Expected: x <= 5 and x > 0	False
1.2.3	(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'	Currently not set.	False

Advanced Audit Policy Configuration-↑

Id	Task	Message	Status
17.1.1	(L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Set to: Success	False
17.1.2	(L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only)	Set to: Success	False
17.1.3	(L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only)	Set to: Success	False
17.2.1	(L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'	Set to: No Auditing	False
17.2.2	(L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only)	Compliant	True
17.2.3	(L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only)	Set to: No Auditing	False
17.2.4	(L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only)	Set to: No Auditing	False
17.2.5	(L1) Ensure 'Audit Security Group Management' is set to include 'Success'	Compliant	True
17.2.6	(L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'	Set to: Success	False
17.3.1	(L1) Ensure 'Audit PNP Activity' is set to include 'Success'	Set to: No Auditing	False
17.3.2	(L1) Ensure 'Audit Process Creation' is set to include 'Success'	Set to: No Auditing	False
17.4.1	(L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only)	Set to: Success	False
17.4.2	(L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only)	Set to: No Auditing	False
17.5.1	(L1) Ensure 'Audit Account Lockout' is set to include 'Failure'	Set to: Success	False
17.5.2	(L1) Ensure 'Audit Group Membership' is set to include 'Success'	Set to: No Auditing	False
17.5.3	(L1) Ensure 'Audit Logoff' is set to include 'Success'	Compliant	True
17.5.4	(L1) Ensure 'Audit Logon' is set to 'Success and Failure'	Compliant	True
17.5.5	(L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'	Set to: No Auditing	False
17.5.6	(L1) Ensure 'Audit Special Logon' is set to include 'Success'	Compliant	True
17.6.1	(L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'	Set to: No Auditing	False
17.6.2	(L1) Ensure 'Audit File Share' is set to 'Success and Failure'	Set to: No Auditing	False
17.6.3	(L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'	Set to: No Auditing	False
17.6.4	(L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'	Set to: No Auditing	False
17.7.1	(L1) Ensure 'Audit Audit Policy Change' is set to include 'Success'	Compliant	True
17.7.2	(L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success'	Compliant	True
17.7.3	(L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success'	Set to: No Auditing	False
17.7.4	(L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'	Set to: No Auditing	False
17.7.5	(L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure'	Set to: No Auditing	False
17.8.1	(L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'	Set to: No Auditing	False
17.9.1	(L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'	Set to: No Auditing	False
17.9.2	(L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'	Compliant	True
17.9.3	(L1) Ensure 'Audit Security State Change' is set to include 'Success'	Compliant	True
17.9.4	(L1) Ensure 'Audit Security System Extension' is set to include 'Success'	Set to: No Auditing	False
17.9.5	(L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'	Compliant	True

Benchmark Compliance

Generated by the ATAPAuditor Module Version 5.2 by FB Pro GmbH. Get it in the Audit Test Automation Package. Does your system show low benchmark compliance? Check out our hardening solutions.

Based on:

Security baseline for Microsoft Windows Server 2022, Version: FINAL, Date 2021-09-27
CIS Microsoft Windows Server 2022, Version: 1.0.0, Date 2022-02-14

This report was generated on 09/05/2022 05:26:18 on WIN-T74AI7HCI62 with ATAPHtmlReport version 1.8.

System information

Hostname	WIN-T74AI7HCI62
Domain role	Standalone Server
Operating System	Microsoft Windows Server 2022 Standard Evaluation
Build Number	20348
Installation Language	English (United States)
Free disk space (GB)	7.9
Free physical memory (GB)	20.3% (0.8 GB / 4.1 GB)

Current Risk Score on tested System:

For further information, please head to the tab "Risk Score".

Severity

Quantity

Critical

High

Medium

Low

Critical

High

Medium

Low

A total of 857 tests have been executed.

True 144 test(s) ≙ 16.80%
False 711 test(s) ≙ 82.96%
Warning 1 test(s) ≙ 0.12%
None 1 test(s) ≙ 0.12%
Error 0 test(s) ≙ 0.00%

General Benchmarks

A total of 22 tests have been executed in section General Benchmarks.

True 6 test(s) ≙ 27.27%
False 14 test(s) ≙ 63.64%
Warning 1 test(s) ≙ 4.55%
None 1 test(s) ≙ 4.55%
Error 0 test(s) ≙ 0.00%

Microsoft Benchmarks

A total of 404 tests have been executed in section Microsoft Benchmarks.

True 56 test(s) ≙ 13.86%
False 348 test(s) ≙ 86.14%
Warning 0 test(s) ≙ 0.00%
None 0 test(s) ≙ 0.00%
Error 0 test(s) ≙ 0.00%

CIS Benchmarks

A total of 431 tests have been executed in section CIS Benchmarks.

True 82 test(s) ≙ 19.03%
False 349 test(s) ≙ 80.97%
Warning 0 test(s) ≙ 0.00%
None 0 test(s) ≙ 0.00%
Error 0 test(s) ≙ 0.00%

Risk Score

To get a quick overview of how risky the tested system is, the Risk Score is used. This is made up of the areas "Severity" and "Quantity". The higher risk is used as the overall risk.

Current Risk Score on tested System:

Severity

Quantity

Critical

High

Medium

Low

Critical

High

Medium

Low

Risk Score Calculation

The calculation of the Risk Score is based on the set of compliant rules at the quantity level and also at the severity level.

Compliance to Benchmarks (Quantity)	Risk Assessment
More than 85%	Low
Between 70% and 85%	Medium
Between 55% and 70%	High
Less than 55%	Critical

Compliance to Benchmarks (Severity)	Risk Assessment
All critical settings compliant	Low
1 or more incompliant setting(s)	Critical

Severity Compliance

Id	Task	Status
1.1.7	(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'	True
2.2.38	(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)	True
2.3.5.2	(L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)	None
2.3.5.2	(L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)	None
2.3.11.4	(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'	False
2.3.11.5	(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'	True
7.9 A	(L1) Ensure RC4 Cipher Suites is Disabled (RC4 40/128)	False
7.9 B	(L1) Ensure RC4 Cipher Suites is Disabled (RC4 56/128)	False
7.9 C	(L1) Ensure RC4 Cipher Suites is Disabled (RC4 64/128)	False
7.9 D	(L1) Ensure RC4 Cipher Suites is Disabled (RC4 128/128)	False
9.1.7	(L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'	False
9.1.8	(L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'	False
18.3.3	(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'	False
18.3.3	(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'	False
18.3.6	(L1) Ensure 'WDigest Authentication' is set to 'Disabled'	False
18.6.2	(L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'	False
18.6.3	(L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'	False
18.9.47.9.2	(L1) Ensure 'Turn off real-time protection' is set to 'Disabled'	False
18.9.47.5.1.2 A	(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)	False
18.9.47.5.1.2 B	(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)	False
18.9.47.5.1.2 C	(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)	False
18.9.47.5.1.2 D	(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes)	False
18.9.47.5.1.2 E	(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)	False
18.9.47.5.1.2 F	(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)	False
18.9.47.5.1.2 G	(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))	False
18.9.47.5.1.2 H	(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)	False
18.9.47.5.1.2 I	(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)	False
18.9.47.5.1.2 J	(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)	False
18.9.47.5.1.2 K	(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)	False
18.9.47.5.1.2 L	(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription)	False
18.9.48.11	Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled'	False
18.9.58.3.10.1	(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'	False
18.9.58.3.10.2	(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'	False

About us

What makes FB Pro GmbH different

What do we want?

Protect our customers' data and information - and thus implicitly contribute to the safe use of the Internet.

How we achieve this?

We implement in-depth IT security for our customers. And we always do so in a state-of-the-art, efficient and automated manner.

Windows Server 2022 Audit Report

Settings Overview

Table Of Content

General Benchmarks-↑

Security Base Data-↑

Microsoft Benchmarks-↑

Registry Settings/Group Policies-↑

User Rights Assignment-↑

Account Policies-↑

Advanced Audit Policy Configuration-↑

CIS Benchmarks-↑

Registry Settings/Group Policies-↑

User Rights Assignment-↑

Account Policies-↑

Advanced Audit Policy Configuration-↑

Benchmark Compliance

System information

Current Risk Score on tested System:

For further information, please head to the tab "Risk Score".

General Benchmarks

Microsoft Benchmarks

CIS Benchmarks

Risk Score

Current Risk Score on tested System:

Risk Score Calculation

About us

What makes FB Pro GmbH different

What do we want?

How we achieve this?

Check out our hardening solution

Check out our Audit Report Tool here