CIS Checklist for Windows 10 - Best Practices

We have had the BFC server installed and collecting data for a few Checklists, CIS Checklist for Windows 10, being one of them.

We currently have none of the 313 analyses enabled for this checklist.

I wanted to ask the community how they are using this.

My thought is that we go over the 313 controls and determine which are important for our organization to monitor. We would then create a template with just those controls and activate just those analyses.

Alternatively, should it be assumed that when you enable a Checklist (within the license) that you should, by best practices, activate all analysis that are included with that Checklist, regardless of which controls you wish to report on.

I don’t believe the checklists are used in scoring your system, I think that is done from the count of relevant fixlets. I don’t activate any of the analyses unless I am trying to troubleshoot why a client is relevant to one of the checklist items.

Best practice is probably to use the “Create Custom Checklist” wizard to copy the checklist site into a custom site, where you can make changes to the scoring values to fit your specific requirements, such as group names.