BigFix Compliance: Updated CIS Checklist for Windows 11, published 2025-06-23

Product:
BigFix Compliance

Title:
Updated CIS Checklist for Windows 11 to support a more recent version of the benchmark.

Security Benchmark:
CIS Microsoft Windows 11 Enterprise Benchmark, V4.0.0

Published Sites:
CIS Checklist for Windows 11, site version 11
(The site version is provided for air-gap customers.)

Details:

● Total New Fixlets: 93

● Total Updated Fixlets: 7

● Total Deleted Fixlets: 9

● Total Fixlets in Site: 568

ADDED

o (L2) Ensure ‘WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc)’ is set to ‘Disabled’

o (L1) Ensure ‘Turn on Basic feed authentication over HTTP’ is set to ‘Disabled’

o (L1) Ensure ‘Network security: LDAP client encryption requirements’ is set to ‘Negotiate sealing’ or higher

o (L1) Ensure ‘Configure multicast DNS (mDNS) protocol’ is set to ‘Disabled’

o (L2) Ensure ‘Turn off default IPv6 DNS Servers’ is set to ‘Enabled’

o (L1) Ensure ‘Audit client does not support encryption’ is set to ‘Enabled’

o (L1) Ensure ‘Audit client does not support signing’ is set to ‘Enabled’

o (L1) Ensure ‘Audit insecure guest logon’ is set to ‘Enabled’

o (L1) Ensure ‘Enable authentication rate limiter’ is set to ‘Enabled’

o (L1) Ensure ‘Enable remote mailslots’ is set to ‘Disabled’

o (L1) Ensure ‘Mandate the minimum version of SMB’ is set to ‘Enabled: 3.1.1’

o (L1) Ensure ‘Set authentication rate limiter delay (milliseconds)’ is set to ‘Enabled: 2000’ or more

o (L1) Ensure ‘Audit insecure guest logon’ is set to ‘Enabled’

o (L1) Ensure ‘Audit server does not support encryption’ is set to ‘Enabled’

o (L1) Ensure ‘Audit server does not support signing’ is set to ‘Enabled’

o (L1) Ensure ‘Enable remote mailslots’ is set to ‘Disabled’

o (L1) Ensure ‘Mandate the minimum version of SMB’ is set to ‘Enabled: 3.1.1’

o (L2) Ensure ‘Configure Windows protected print’ is set to ‘Enabled’

o (L1) Ensure ‘Configure the behavior of the sudo command’ is set to ‘Enabled: Disabled’

o (L1) Ensure ‘Block NetBIOS-based discovery for domain controller location’ is set to ‘Enabled’

o (L1) Ensure ‘Configure SAM change password RPC methods policy’ is set to ‘Enabled: Block all change password RPC methods’

o (L2) Ensure ‘Turn off API Sampling’ is set to ‘Enabled’

o (L2) Ensure ‘Turn off Application Footprint’ is set to ‘Enabled’

o (L2) Ensure ‘Turn off Install Tracing’ is set to ‘Enabled’

o (L1) Ensure ‘Not allow per-user unsigned packages to install by default (requires explicitly allow per install)’ is set to ‘Enabled’

o (L1) Ensure ‘Enable App Installer Local Archive Malware Scan Override’ is set to ‘Disabled’

o (L1) Ensure ‘Enable App Installer Microsoft Store Source Certificate Validation Bypass’ is set to ‘Disabled’

o (L2) Ensure ‘Enable Windows Package Manager command line interfaces’ is set to ‘Disabled’

o (L1) Ensure ‘Do not apply the Mark of the Web tag to files copied from insecure sources’ is set to ‘Disabled’

o (L1) Ensure ‘Control whether exclusions are visible to local users’ is set to ‘Enabled’

o (L1) Ensure ‘Enable EDR in block mode’ is set to ‘Enabled’

o (L2) Ensure ‘Convert warn verdict to block’ is set to ‘Enabled’

o (L1) Ensure ‘Configure real-time protection and Security Intelligence Updates during OOBE’ is set to ‘Enabled’

o (L2) Ensure ‘Configure Brute-Force Protection aggressiveness’ is set to ‘Enabled: Medium’ or higher

o (L1) Ensure ‘Configure Remote Encryption Protection Mode’ is set to ‘Enabled: Audit’ or higher

o (L2) Ensure ‘Configure how aggressively Remote Encryption Protection blocks threats’ is set to ‘Enabled: Medium’ or higher

o (L1) Ensure ‘Scan excluded files and directories during quick scans’ is set to ‘Enabled: 1’

o (L1) Ensure ‘Trigger a quick scan after X days without any scans’ is set to ‘Enabled: 7’

o (L2) Ensure ‘Restrict clipboard transfer from server to client’ is set to ‘Enabled: Disable clipboard transfers from server to client’

o (L1) Ensure ‘Turn off Windows Copilot’ is set to ‘Enabled’

o (L2) Ensure ‘GameInput Service (GameInputSvc)’ is set to ‘Disabled’

o (L1) Ensure ‘Require Encryption’ is set to ‘Enabled’

o (L2) Ensure ‘Allow mapping folders into Windows Sandbox’ is set to ‘Disabled’

o (BL) Ensure ‘Allow access to BitLocker-protected fixed data drives from earlier versions of Windows’ is set to ‘Disabled’

o (BL) Ensure ‘Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent’ is set to ‘Enabled: False’

o (BL) Ensure ‘Choose how BitLocker-protected fixed drives can be recovered: Recovery Key’ is set to ‘Enabled: Allow 256-bit recovery key’ or higher

o (BL) Ensure ‘Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent’ is set to ‘Enabled: True’

o (BL) Ensure ‘Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup’ is set to ‘IEEE 1394 device setup classes’

o (BL) Ensure ‘Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives’ is set to ‘Enabled: False’

o (BL) Ensure ‘Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives’ is set to ‘Enabled: True’

o (BL) Ensure ‘Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization’ is set to ‘Enabled: False’

o (BL) Ensure ‘Choose how BitLocker-protected removable drives can be recovered’ is set to ‘Enabled’

o (BL) Ensure ‘Allow enhanced PINs for startup’ is set to ‘Enabled’

o (BL) Ensure ‘Configure use of hardware-based encryption for removable data drives’ is set to ‘Disabled’

o (BL) Ensure ‘Choose how BitLocker-protected fixed drives can be recovered: Recovery Password’ is set to ‘Enabled: Allow 48-digit recovery password’ or higher

o (BL) Ensure ‘Choose how BitLocker-protected operating system drives can be recovered: Recovery Password’ is set to ‘Enabled: Require 48-digit recovery password’

o (BL) Ensure ‘Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives’ is set to ‘Enabled: True’

o (BL) Ensure ‘Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent’ is set to ‘Enabled: True’

o (BL) Ensure ‘Require additional authentication at startup’ is set to ‘Enabled’

o (BL) Ensure ‘Choose how BitLocker-protected operating system drives can be recovered: Recovery Key’ is set to ‘Enabled: Do not allow 256-bit recovery key’

o (BL) Ensure ‘Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives’ is set to ‘Enabled: True’

o (BL) Ensure ‘Enumeration policy for external devices incompatible with Kernel DMA Protection’ is set to ‘Enabled: Block All’

o (BL) Ensure ‘Allow access to BitLocker-protected removable data drives from earlier versions of Windows’ is set to ‘Disabled’

o (BL) Ensure ‘Choose how BitLocker-protected removable drives can be recovered: Recovery Key’ is set to ‘Enabled: Do not allow 256-bit recovery key’

o (BL) Ensure ‘Require additional authentication at startup: Allow BitLocker without a compatible TPM’ is set to ‘Enabled: False’

o (BL) Ensure ‘Choose how BitLocker-protected removable drives can be recovered: Recovery Password’ is set to ‘Enabled: Do not allow 48-digit recovery password’

o (BL) Ensure ‘Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives’ is set to ‘Enabled: False’

o (BL) Ensure ‘Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS’ is set to ‘Enabled: Backup recovery passwords and key packages’

o (BL) Ensure ‘Configure use of smart cards on removable data drives’ is set to ‘Enabled’

o (BL) Ensure ‘Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:’ is set to ‘Enabled: Store recovery passwords and key packages’

o (BL) Ensure ‘Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives’ is set to ‘Enabled: True’

o (BL) Ensure ‘Allow standby states (S1-S3) when sleeping (on battery)’ is set to ‘Disabled’

o (BL) Ensure ‘Allow standby states (S1-S3) when sleeping (plugged in)’ is set to ‘Disabled’

o (BL) Ensure ‘Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:’ is set to ‘Enabled: Backup recovery passwords and key packages’

o (BL) Ensure ‘Allow Secure Boot for integrity validation’ is set to ‘Enabled’

o (BL) Ensure ‘Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives’ is set to ‘Enabled: False’

o (BL) Ensure ‘Choose how BitLocker-protected operating system drives can be recovered’ is set to ‘Enabled’

o (BL) Ensure ‘Prevent installation of devices using drivers that match these device setup classes’ is set to ‘Enabled’

o (BL) Ensure ‘Configure use of passwords for fixed data drives’ is set to ‘Disabled’

o (BL) Ensure ‘Configure use of hardware-based encryption for fixed data drives’ is set to ‘Disabled’

o (BL) Ensure ‘Interactive logon: Machine account lockout threshold’ is set to ‘10 or fewer invalid logon attempts, but not 0’

o (BL) Ensure ‘Configure use of passwords for removable data drives’ is set to ‘Disabled’

o (BL) Ensure ‘Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives’ is set to ‘Enabled: False’

o (BL) Ensure ‘Configure use of passwords for operating system drives’ is set to ‘Disabled’

o (BL) Ensure ‘Configure use of smart cards on fixed data drives’ is set to ‘Enabled’

o (BL) Ensure ‘Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard’ is set to ‘Enabled: True’

o (BL) Ensure ‘Configure use of hardware-based encryption for operating system drives’ is set to ‘Disabled’

o (BL) Ensure ‘Disable new DMA devices when this computer is locked’ is set to ‘Enabled’

o (BL) Ensure ‘Deny write access to removable drives not protected by BitLocker’ is set to ‘Enabled’

o (BL) Ensure ‘Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard’ is set to ‘Enabled: True’

o (BL) Ensure ‘Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard’ is set to ‘Enabled: True’

o (BL) Ensure ‘Choose how BitLocker-protected fixed drives can be recovered’ is set to ‘Enabled’

o (BL) Ensure ‘Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.’ is set to ‘True’ (checked)

UPDATED

o (L1) Ensure ‘Enable Certificate Padding’ is set to ‘Enabled’

o (L2) Ensure ‘Enable App Installer’ is set to ‘Disabled’

o (L1) Ensure ‘Configures LSASS to run as a protected process’ is set to ‘Enabled: Enabled with UEFI Lock’

o (L1) Ensure ‘Enable optional updates’ is set to ‘Disabled’

o (L1) Ensure ‘Configure the transmission of the user’s password in the content of MPR notifications sent by winlogon.’ is set to ‘Disabled’

o (L1) Ensure ‘Create symbolic links’ is set to ‘Administrators’

o (L2) Ensure ‘Log on as a service’ is configured

DELETED

o (L1) Ensure ‘Turn off Microsoft Defender AntiVirus’ is set to ‘Disabled’

o (L1) Ensure ‘Toggle user control over Insider builds’ is set to ‘Disabled’

o (L1) Ensure ‘Only display the private store within the Microsoft Store’ is set to ‘Enabled’

o (L1) Ensure ‘Accounts: Block Microsoft accounts’ is set to ‘Users can’t add or log on with Microsoft accounts’

o (L2) Ensure ‘Peer Name Resolution Protocol (PNRPsvc)’ is set to ‘Disabled’

o (L2) Ensure ‘Peer Networking Grouping (p2psvc)’ is set to ‘Disabled’

o (L2) Ensure ‘Peer Networking Identity Manager (p2pimsvc)’ is set to ‘Disabled’

o (L2) Ensure ‘PNRP Machine Name Publication Service (PNRPAutoReg)’ is set to ‘Disabled’

o (L1) Ensure ‘Configure DNS over HTTPS (DoH) name resolution’ is set to ‘Enabled: Allow DoH’ or higher

● Both analysis and remediation checks are included

● Some of the checks allow you to use the parameterized setting to enable customization for compliance evaluation. Note that parameterization and remediation actions require the creation of a custom site.

Actions to take:

● To subscribe to the above site, you can use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigFix Compliance product, and you must be using BigFix version 10 and later.

● If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see

More information:
To know more about the BigFix Compliance SCM checklists, please see the following resources:

● BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance

● BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=enus#!/wiki/BigFix%20Wiki/page/SCM%20Checklists

We hope you find this latest release of SCM content useful and effective. Thank you!

– The BigFix Compliance team