BigFix Compliance: Updated CIS Checklist for Windows 11 with bug fixes, published 2025-02-11

anjumyaseen · February 12, 2025, 1:06pm

Product:
BigFix Compliance

Title:
Updated CIS Checklist for Windows 11 with bug fixes

Security Benchmark:

CIS Microsoft Windows 11 Enterprise Benchmark, V3.0.0

Published Sites:
CIS Checklist for Windows 11, site version 10
(The site version is provided for air-gap customers.)

Details:

Fixed and Improved implementation for the following check:

Ensure ‘Allow auditing events in Microsoft Defender Application Guard’ is set to ‘Enabled’
Ensure ‘Allow camera and microphone access in Microsoft Defender Application Guard’ is set to ‘Disabled’
Ensure ‘Allow data persistence for Microsoft Defender Application Guard’ is set to ‘Disabled’
Ensure ‘Allow files to download and save to the host operating system from Microsoft Defender Application Guard’ is set to ‘Disabled’
Ensure ‘Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting’ is set to ‘Enabled: Enable clipboard operation from an isolated session to the host’
Ensure ‘Turn on Microsoft Defender Application Guard in Managed Mode’ is set to ‘Enabled: 1’
Ensure ‘Turn On Virtualization Based Security’ is set to ‘Enabled’
Ensure ‘Turn On Virtualization Based Security: Credential Guard Configuration’ is set to ‘Enabled with UEFI lock’
Ensure ‘Turn On Virtualization Based Security: Kernel-mode Hardware-enforced Stack Protection’ is set to ‘Enabled: Enabled in enforcement mode’
Ensure ‘Turn On Virtualization Based Security: Require UEFI Memory Attributes Table’ is set to ‘True (checked)’
Ensure ‘Turn On Virtualization Based Security: Secure Launch Configuration’ is set to ‘Enabled’
Ensure ‘Turn On Virtualization Based Security: Select Platform Security Level’ is set to ‘Secure Boot’ or higher
Ensure ‘Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity’ is set to ‘Enabled with UEFI lock’

Actions to take:

To subscribe to the above site, you can use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigFix Compliance product and you must be using BigFix version 9.5 and later.
If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see https://help.hcltechsw.com/bigfix/10.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html

More information:
To know more about the BigFix Compliance SCM checklists, please see the following resources:

BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance
BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=enus#!/wiki/BigFix%20Wiki/page/SCM%20Checklists

We hope you find this latest release of SCM content useful and effective. Thank you!

– The BigFix Compliance team