$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent
$RootPath = Split-Path $RootPath -Parent
. "$RootPath\Helpers\AuditGroupFunctions.ps1"
[AuditTest] @{
Id = "V-63321"
Task = "Users must be prevented from changing installation options."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" `
-Name "EnableUserControl" `
| Select-Object -ExpandProperty "EnableUserControl"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63325"
Task = "The Windows Installer Always install with elevated privileges must be disabled."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" `
-Name "AlwaysInstallElevated" `
| Select-Object -ExpandProperty "AlwaysInstallElevated"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63329"
Task = "Users must be notified if a web-based program attempts to install software."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" `
-Name "SafeForScripting" `
| Select-Object -ExpandProperty "SafeForScripting"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63333"
Task = "Automatically signing in the last interactive user after a system-initiated restart must be disabled."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "DisableAutomaticRestartSignOn" `
| Select-Object -ExpandProperty "DisableAutomaticRestartSignOn"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63335"
Task = "The Windows Remote Management (WinRM) client must not use Basic authentication."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" `
-Name "AllowBasic" `
| Select-Object -ExpandProperty "AllowBasic"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63339"
Task = "The Windows Remote Management (WinRM) client must not allow unencrypted traffic."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" `
-Name "AllowUnencryptedTraffic" `
| Select-Object -ExpandProperty "AllowUnencryptedTraffic"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63341"
Task = "The Windows Remote Management (WinRM) client must not use Digest authentication."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" `
-Name "AllowDigest" `
| Select-Object -ExpandProperty "AllowDigest"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63347"
Task = "The Windows Remote Management (WinRM) service must not use Basic authentication."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" `
-Name "AllowBasic" `
| Select-Object -ExpandProperty "AllowBasic"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63369"
Task = "The Windows Remote Management (WinRM) service must not allow unencrypted traffic."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" `
-Name "AllowUnencryptedTraffic" `
| Select-Object -ExpandProperty "AllowUnencryptedTraffic"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63375"
Task = "The Windows Remote Management (WinRM) service must not store RunAs credentials."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" `
-Name "DisableRunAs" `
| Select-Object -ExpandProperty "DisableRunAs"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63519"
Task = "The Application event log size must be configured to 32768 KB or greater."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application" `
-Name "MaxSize" `
| Select-Object -ExpandProperty "MaxSize"
if ($regValue -lt 32768) {
return @{
Message = "Registry value is '$regValue'. Expected: x >= 32768"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63523"
Task = "The Security event log size must be configured to 1024000 KB or greater."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" `
-Name "MaxSize" `
| Select-Object -ExpandProperty "MaxSize"
if ($regValue -lt 1024000) {
return @{
Message = "Registry value is '$regValue'. Expected: x >= 1024000"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63527"
Task = "The System event log size must be configured to 32768 KB or greater."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System" `
-Name "MaxSize" `
| Select-Object -ExpandProperty "MaxSize"
if ($regValue -lt 32768) {
return @{
Message = "Registry value is '$regValue'. Expected: x >= 32768"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63545"
Task = "Camera access from the lock screen must be disabled."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" `
-Name "NoLockScreenCamera" `
| Select-Object -ExpandProperty "NoLockScreenCamera"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63549"
Task = "The display of slide shows on the lock screen must be disabled."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" `
-Name "NoLockScreenSlideshow" `
| Select-Object -ExpandProperty "NoLockScreenSlideshow"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63555"
Task = "IPv6 source routing must be configured to highest protection."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" `
-Name "DisableIpSourceRouting" `
| Select-Object -ExpandProperty "DisableIpSourceRouting"
if ($regValue -ne 2) {
return @{
Message = "Registry value is '$regValue'. Expected: 2"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63559"
Task = "The system must be configured to prevent IP source routing."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" `
-Name "DisableIPSourceRouting" `
| Select-Object -ExpandProperty "DisableIPSourceRouting"
if ($regValue -ne 2) {
return @{
Message = "Registry value is '$regValue'. Expected: 2"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63563"
Task = "The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" `
-Name "EnableICMPRedirect" `
| Select-Object -ExpandProperty "EnableICMPRedirect"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63567"
Task = "The system must be configured to ignore NetBIOS name release requests except from WINS servers."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" `
-Name "NoNameReleaseOnDemand" `
| Select-Object -ExpandProperty "NoNameReleaseOnDemand"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63569"
Task = "Insecure logons to an SMB server must be disabled."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" `
-Name "AllowInsecureGuestAuth" `
| Select-Object -ExpandProperty "AllowInsecureGuestAuth"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63581"
Task = "Simultaneous connections to the Internet or a Windows domain must be limited."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" `
-Name "fMinimizeConnections" `
| Select-Object -ExpandProperty "fMinimizeConnections"
if ($null -eq $regValue -or 0 -eq $regValue) {
return @{
Message = "Registry value is '$regValue'. Expected: 1-3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63585"
Task = "Connections to non-domain networks when connected to a domain authenticated network must be blocked."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" `
-Name "fBlockNonDomain" `
| Select-Object -ExpandProperty "fBlockNonDomain"
if ($null -eq $regValue -or 0 -eq $regValue) {
return @{
Message = "Registry value is '$regValue'. Expected: 1-3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63591"
Task = "Wi-Fi Sense must be disabled."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" `
-Name "AutoConnectAllowedOEM" `
| Select-Object -ExpandProperty "AutoConnectAllowedOEM"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63597"
Task = "Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "LocalAccountTokenFilterPolicy" `
| Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63607"
Task = "Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" `
-Name "DriverLoadPolicy" `
| Select-Object -ExpandProperty "DriverLoadPolicy"
if (($regValue -ne 1) -and ($regValue -ne 3) -and ($regValue -ne 8)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 1 or x == 3 or x == 8"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63609"
Task = "Group Policy objects must be reprocessed even if they have not changed."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" `
-Name "NoGPOListChanges" `
| Select-Object -ExpandProperty "NoGPOListChanges"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63615"
Task = "Downloading print driver packages over HTTP must be prevented."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" `
-Name "DisableWebPnPDownload" `
| Select-Object -ExpandProperty "DisableWebPnPDownload"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63617"
Task = "Local accounts with blank passwords must be restricted to prevent access from the network."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" `
-Name "LimitBlankPasswordUse" `
| Select-Object -ExpandProperty "LimitBlankPasswordUse"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63621"
Task = "Web publishing and online ordering wizards must be prevented from downloading a list of providers."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
-Name "NoWebServices" `
| Select-Object -ExpandProperty "NoWebServices"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63623"
Task = "Printing over HTTP must be prevented."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" `
-Name "DisableHTTPPrinting" `
| Select-Object -ExpandProperty "DisableHTTPPrinting"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63627"
Task = "Systems must at least attempt device authentication using certificates."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" `
-Name "DevicePKInitEnabled" `
| Select-Object -ExpandProperty "DevicePKInitEnabled"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63629"
Task = "The network selection user interface (UI) must not be displayed on the logon screen."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" `
-Name "DontDisplayNetworkSelectionUI" `
| Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63633"
Task = "Local users on domain-joined computers must not be enumerated."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" `
-Name "EnumerateLocalUsers" `
| Select-Object -ExpandProperty "EnumerateLocalUsers"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63635"
Task = "Audit policy using subcategories must be enabled."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" `
-Name "SCENoApplyLegacyAuditPolicy" `
| Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63639"
Task = "Outgoing secure channel traffic must be encrypted or signed."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" `
-Name "RequireSignOrSeal" `
| Select-Object -ExpandProperty "RequireSignOrSeal"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63643"
Task = "Outgoing secure channel traffic must be encrypted when possible."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" `
-Name "SealSecureChannel" `
| Select-Object -ExpandProperty "SealSecureChannel"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63645"
Task = "Users must be prompted for a password on resume from sleep (on battery)."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" `
-Name "DCSettingIndex" `
| Select-Object -ExpandProperty "DCSettingIndex"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63647"
Task = "Outgoing secure channel traffic must be signed when possible."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" `
-Name "SignSecureChannel" `
| Select-Object -ExpandProperty "SignSecureChannel"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63649"
Task = "The user must be prompted for a password on resume from sleep (plugged in)."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" `
-Name "ACSettingIndex" `
| Select-Object -ExpandProperty "ACSettingIndex"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63651"
Task = "Solicited Remote Assistance must not be allowed."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
-Name "fAllowToGetHelp" `
| Select-Object -ExpandProperty "fAllowToGetHelp"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63653"
Task = "The computer account password must not be prevented from being reset."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" `
-Name "DisablePasswordChange" `
| Select-Object -ExpandProperty "DisablePasswordChange"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63657"
Task = "Unauthenticated RPC clients must be restricted from connecting to the RPC server."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" `
-Name "RestrictRemoteClients" `
| Select-Object -ExpandProperty "RestrictRemoteClients"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63659"
Task = "The setting to allow Microsoft accounts to be optional for modern style apps must be enabled."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "MSAOptional" `
| Select-Object -ExpandProperty "MSAOptional"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63661"
Task = "The maximum age for machine account passwords must be configured to 30 days or less."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" `
-Name "MaximumPasswordAge" `
| Select-Object -ExpandProperty "MaximumPasswordAge"
if (($regValue -gt 30 -or $regValue -eq 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x <= 30 and x != 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63663 A"
Task = "The Application Compatibility Program service must be disabled in order to prefent sending inventory data."
Test = {
try {
$status = get-service -name pcasvc -ErrorAction Stop
if($status.Status -ne "Stopped"){
return @{
Message = "Compliant - AppCompat Service is disabled (no inventory data will be collected)."
Status = "True"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
catch [System.SystemException]{
return @{
Message = "Service not found!"
Status = "True"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63663 B"
Task = "The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft."
Test = {
try {
$status = get-service -name pcasvc -ErrorAction Stop
if($status.Status -ne "Stopped"){
return @{
Message = "Compliant - AppCompat Service is disabled (no inventory data will be collected)."
Status = "True"
}
}
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" `
-Name "DisableInventory" `
| Select-Object -ExpandProperty "DisableInventory"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
catch [System.SystemException]{
return @{
Message = "Service not found!"
Status = "True"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63665"
Task = "The system must be configured to require a strong session key."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" `
-Name "RequireStrongKey" `
| Select-Object -ExpandProperty "RequireStrongKey"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63667"
Task = "Autoplay must be turned off for non-volume devices."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" `
-Name "NoAutoplayfornonVolume" `
| Select-Object -ExpandProperty "NoAutoplayfornonVolume"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63669"
Task = "The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "InactivityTimeoutSecs" `
| Select-Object -ExpandProperty "InactivityTimeoutSecs"
if ($regValue -ne 900) {
return @{
Message = "Registry value is '$regValue'. Expected: 900"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63671"
Task = "The default autorun behavior must be configured to prevent autorun commands."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
-Name "NoAutorun" `
| Select-Object -ExpandProperty "NoAutorun"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63673"
Task = "Autoplay must be disabled for all drives."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" `
-Name "NoDriveTypeAutoRun" `
| Select-Object -ExpandProperty "NoDriveTypeAutoRun"
if ($regValue -ne 255) {
return @{
Message = "Registry value is '$regValue'. Expected: 255"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63677"
Task = "Enhanced anti-spoofing for facial recognition must be enabled on Window 10."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" `
-Name "EnhancedAntiSpoofing" `
| Select-Object -ExpandProperty "EnhancedAntiSpoofing"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63679"
Task = "Administrator accounts must not be enumerated during elevation."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" `
-Name "EnumerateAdministrators" `
| Select-Object -ExpandProperty "EnumerateAdministrators"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63689"
Task = "Explorer Data Execution Prevention must be enabled."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" `
-Name "NoDataExecutionPrevention" `
| Select-Object -ExpandProperty "NoDataExecutionPrevention"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63691"
Task = "Turning off File Explorer heap termination on corruption must be disabled."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" `
-Name "NoHeapTerminationOnCorruption" `
| Select-Object -ExpandProperty "NoHeapTerminationOnCorruption"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63695"
Task = "File Explorer shell protocol must run in protected mode."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
-Name "PreXPSP2ShellProtocolBehavior" `
| Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63699"
Task = "Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" `
-Name "PreventOverride" `
| Select-Object -ExpandProperty "PreventOverride"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63701"
Task = "Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" `
-Name "PreventOverrideAppRepUnknown" `
| Select-Object -ExpandProperty "PreventOverrideAppRepUnknown"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63703"
Task = "The Windows SMB client must be configured to always perform SMB packet signing."
Test = {
try {
if((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True){
return @{
Message = "RequireSecuritySignature is not set to True"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
catch {
try{
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" `
-Name "RequireSecuritySignature" `
| Select-Object -ExpandProperty "RequireSecuritySignature"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
}
}
}
[AuditTest] @{
Id = "V-63709"
Task = "The password manager function in the Edge browser must be disabled."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" `
-Name "FormSuggest Passwords" `
| Select-Object -ExpandProperty "FormSuggest Passwords"
if ($regValue -ne "no") {
return @{
Message = "Registry value is '$regValue'. Expected: no"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63711"
Task = "Unencrypted passwords must not be sent to third-party SMB Servers."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" `
-Name "EnablePlainTextPassword" `
| Select-Object -ExpandProperty "EnablePlainTextPassword"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63713"
Task = "The Windows Defender SmartScreen filter for Microsoft Edge must be enabled."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" `
-Name "EnabledV9" `
| Select-Object -ExpandProperty "EnabledV9"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63717"
Task = "The use of a hardware security device with Windows Hello for Business must be enabled."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" `
-Name "RequireSecurityDevice" `
| Select-Object -ExpandProperty "RequireSecurityDevice"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63719"
Task = "The Windows SMB server must be configured to always perform SMB packet signing."
Test = {
try {
if((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True){
return @{
Message = "RequireSecuritySignature is not set to True"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
catch {
try{
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" `
-Name "RequireSecuritySignature" `
| Select-Object -ExpandProperty "RequireSecuritySignature"
return @{
Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here"
Status = "Warning"
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
}
}
}
[AuditTest] @{
Id = "V-63721"
Task = "Windows 10 must be configured to require a minimum pin length of six characters or greater."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity" `
-Name "MinimumPINLength" `
| Select-Object -ExpandProperty "MinimumPINLength"
if (($regValue -lt 6)) {
return @{
Message = "Registry value is '$regValue'. Expected: x >= 6"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63729"
Task = "Passwords must not be saved in the Remote Desktop Client."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
-Name "DisablePasswordSaving" `
| Select-Object -ExpandProperty "DisablePasswordSaving"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63731"
Task = "Local drives must be prevented from sharing with Remote Desktop Session Hosts."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
-Name "fDisableCdm" `
| Select-Object -ExpandProperty "fDisableCdm"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63733"
Task = "Remote Desktop Services must always prompt a client for passwords upon connection."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
-Name "fPromptForPassword" `
| Select-Object -ExpandProperty "fPromptForPassword"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63737"
Task = "The Remote Desktop Session Host must require secure RPC communications."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
-Name "fEncryptRPCTraffic" `
| Select-Object -ExpandProperty "fEncryptRPCTraffic"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63741"
Task = "Remote Desktop Services must be configured with the client connection encryption set to the required level."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
-Name "MinEncryptionLevel" `
| Select-Object -ExpandProperty "MinEncryptionLevel"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63743"
Task = "Attachments must be prevented from being downloaded from RSS feeds."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" `
-Name "DisableEnclosureDownload" `
| Select-Object -ExpandProperty "DisableEnclosureDownload"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63745"
Task = "Anonymous enumeration of SAM accounts must not be allowed."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" `
-Name "RestrictAnonymousSAM" `
| Select-Object -ExpandProperty "RestrictAnonymousSAM"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63747"
Task = "Basic authentication for RSS feeds over HTTP must not be used."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" `
-Name "AllowBasicAuthInClear" `
| Select-Object -ExpandProperty "AllowBasicAuthInClear"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63749"
Task = "Anonymous enumeration of shares must be restricted."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" `
-Name "RestrictAnonymous" `
| Select-Object -ExpandProperty "RestrictAnonymous"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63751"
Task = "Indexing of encrypted files must be turned off."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" `
-Name "AllowIndexingEncryptedStoresOrItems" `
| Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63755"
Task = "The system must be configured to prevent anonymous users from having the same rights as the Everyone group."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" `
-Name "EveryoneIncludesAnonymous" `
| Select-Object -ExpandProperty "EveryoneIncludesAnonymous"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63759"
Task = "Anonymous access to Named Pipes and Shares must be restricted."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" `
-Name "RestrictNullSessAccess" `
| Select-Object -ExpandProperty "RestrictNullSessAccess"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63765"
Task = "NTLM must be prevented from falling back to a Null session."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0" `
-Name "allownullsessionfallback" `
| Select-Object -ExpandProperty "allownullsessionfallback"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63767"
Task = "PKU2U authentication using online identities must be prevented."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\pku2u" `
-Name "AllowOnlineID" `
| Select-Object -ExpandProperty "AllowOnlineID"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63795"
Task = "Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" `
-Name "SupportedEncryptionTypes" `
| Select-Object -ExpandProperty "SupportedEncryptionTypes"
if ($regValue -ne 2147483640) {
return @{
Message = "Registry value is '$regValue'. Expected: 2147483640"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63797"
Task = "The system must be configured to prevent the storage of the LAN Manager hash of passwords."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" `
-Name "NoLMHash" `
| Select-Object -ExpandProperty "NoLMHash"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63801"
Task = "The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" `
-Name "LmCompatibilityLevel" `
| Select-Object -ExpandProperty "LmCompatibilityLevel"
if ($regValue -ne 5) {
return @{
Message = "Registry value is '$regValue'. Expected: 5"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63803"
Task = "The system must be configured to the required LDAP client signing level."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAP" `
-Name "LDAPClientIntegrity" `
| Select-Object -ExpandProperty "LDAPClientIntegrity"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63805"
Task = "The system must be configured to meet the minimum session security requirement for NTLM SSP based clients."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" `
-Name "NTLMMinClientSec" `
| Select-Object -ExpandProperty "NTLMMinClientSec"
if ($regValue -ne 537395200) {
return @{
Message = "Registry value is '$regValue'. Expected: 537395200"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63807"
Task = "The system must be configured to meet the minimum session security requirement for NTLM SSP based servers."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" `
-Name "NTLMMinServerSec" `
| Select-Object -ExpandProperty "NTLMMinServerSec"
if ($regValue -ne 537395200) {
return @{
Message = "Registry value is '$regValue'. Expected: 537395200"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63811"
Task = "The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy" `
-Name "Enabled" `
| Select-Object -ExpandProperty "Enabled"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63815"
Task = "The default permissions of global system objects must be increased."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" `
-Name "ProtectionMode" `
| Select-Object -ExpandProperty "ProtectionMode"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63817"
Task = "User Account Control approval mode for the built-in Administrator must be enabled."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "FilterAdministratorToken" `
| Select-Object -ExpandProperty "FilterAdministratorToken"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63821"
Task = "User Account Control must automatically deny elevation requests for standard users."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "ConsentPromptBehaviorUser" `
| Select-Object -ExpandProperty "ConsentPromptBehaviorUser"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63825"
Task = "User Account Control must be configured to detect application installations and prompt for elevation."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "EnableInstallerDetection" `
| Select-Object -ExpandProperty "EnableInstallerDetection"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63827"
Task = "User Account Control must only elevate UIAccess applications that are installed in secure locations."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "EnableSecureUIAPaths" `
| Select-Object -ExpandProperty "EnableSecureUIAPaths"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63829"
Task = "User Account Control must run all administrators in Admin Approval Mode, enabling UAC."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "EnableLUA" `
| Select-Object -ExpandProperty "EnableLUA"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63831"
Task = "User Account Control must virtualize file and registry write failures to per-user locations."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "EnableVirtualization" `
| Select-Object -ExpandProperty "EnableVirtualization"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63839"
Task = "Toast notifications to the lock screen must be turned off."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" `
-Name "NoToastApplicationNotificationOnLockScreen" `
| Select-Object -ExpandProperty "NoToastApplicationNotificationOnLockScreen"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63841"
Task = "Zone information must be preserved when saving attachments."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" `
-Name "SaveZoneInformation" `
| Select-Object -ExpandProperty "SaveZoneInformation"
if ($regValue -ne 2) {
return @{
Message = "Registry value is '$regValue'. Expected: 2"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-68817"
Task = "Command line data must be included in process creation events."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" `
-Name "ProcessCreationIncludeCmdLine_Enabled" `
| Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-68819"
Task = "PowerShell script block logging must be enabled on Windows 10."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" `
-Name "EnableScriptBlockLogging" `
| Select-Object -ExpandProperty "EnableScriptBlockLogging"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-68849"
Task = "Structured Exception Handling Overwrite Protection (SEHOP) must be enabled."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" `
-Name "DisableExceptionChainValidation" `
| Select-Object -ExpandProperty "DisableExceptionChainValidation"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-71763"
Task = "WDigest Authentication must be disabled."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest" `
-Name "UseLogonCredential" `
| Select-Object -ExpandProperty "UseLogonCredential"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-71765"
Task = "Internet connection sharing must be disabled."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" `
-Name "NC_ShowSharedAccessUI" `
| Select-Object -ExpandProperty "NC_ShowSharedAccessUI"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-71769"
Task = "Remote calls to the Security Account Manager (SAM) must be restricted to Administrators."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" `
-Name "RestrictRemoteSAM" `
| Select-Object -ExpandProperty "RestrictRemoteSAM"
if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") {
return @{
Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-71771"
Task = "Microsoft consumer experiences must be turned off."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" `
-Name "DisableWindowsConsumerFeatures" `
| Select-Object -ExpandProperty "DisableWindowsConsumerFeatures"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-74417"
Task = "Windows 10 must be configured to disable Windows Game Recording and Broadcasting."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR" `
-Name "AllowGameDVR" `
| Select-Object -ExpandProperty "AllowGameDVR"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-74699"
Task = "Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" `
-Name "AllowProtectedCreds" `
| Select-Object -ExpandProperty "AllowProtectedCreds"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-74723"
Task = "The Server Message Block (SMB) v1 protocol must be disabled on the SMB server."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
-Name "SMB1" `
| Select-Object -ExpandProperty "SMB1"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-74725"
Task = "The Server Message Block (SMB) v1 protocol must be disabled on the SMB client."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" `
-Name "Start" `
| Select-Object -ExpandProperty "Start"
if ($regValue -ne 4) {
return @{
Message = "Registry value is '$regValue'. Expected: 4"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-82137"
Task = "The use of personal accounts for OneDrive synchronization must be disabled."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\OneDrive" `
-Name "DisablePersonalSync" `
| Select-Object -ExpandProperty "DisablePersonalSync"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-82139"
Task = "Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings" `
-Name "PreventCertErrorOverrides" `
| Select-Object -ExpandProperty "PreventCertErrorOverrides"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-82145"
Task = "If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" `
-Name "LimitEnhancedDiagnosticDataWindowsAnalytics" `
| Select-Object -ExpandProperty "LimitEnhancedDiagnosticDataWindowsAnalytics"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-94719"
Task = "Windows 10 must be configured to prevent Windows apps from being activated by voice while the system is locked."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" `
-Name "LetAppsActivateWithVoiceAboveLock" `
| Select-Object -ExpandProperty "LetAppsActivateWithVoiceAboveLock"
if ($regValue -ne 2) {
return @{
Message = "Registry value is '$regValue'. Expected: 2"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-94859"
Task = "Windows 10 systems must use a BitLocker PIN for pre-boot authentication."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" `
-Name "UseAdvancedStartup" `
| Select-Object -ExpandProperty "UseAdvancedStartup"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-94861"
Task = "Windows 10 systems must use a BitLocker PIN with a minimum length of 6 digits for pre-boot authentication."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" `
-Name "MinimumPIN" `
| Select-Object -ExpandProperty "MinimumPIN"
if (($regValue -lt 6)) {
return @{
Message = "Registry value is '$regValue'. Expected: x >= 6"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-99557"
Task = "Windows 10 Kernel (Direct Memory Access) DMA Protection must be enabled."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Kernel DMA Protection" `
-Name "DeviceEnumerationPolicy" `
| Select-Object -ExpandProperty "DeviceEnumerationPolicy"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-99563"
Task = "Windows 10 should be configured to prevent users from receiving suggestions for third-party or additional applications. "
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CloudContent" `
-Name "DisableThirdPartySuggestions" `
| Select-Object -ExpandProperty "DisableThirdPartySuggestions"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}