This report was generated on 07/20/2022 16:59:29 on Hostname1DomainName with TAPHtmlReport version 1.8.

Hostname	Hostname1DomainName
Build Number	22000
Free physical memory (GB)	5,216
Operating System	Microsoft Windows 11 Pro
Domain role	Member Workstation
Free disk space (GB)	885,6
Installation Language	English (United States)

Summary

A total of 892 tests have been executed.

1. True 672 test(s) ≙ 75.34%
2. False 217 test(s) ≙ 24.33%
3. Warning 2 test(s) ≙ 0.22%
4. None 0 test(s) ≙ 0.00%
5. Error 1 test(s) ≙ 0.11%

General Benchmarks

A total of 22 tests have been executed in section General Benchmarks.

1. True 14 test(s) ≙ 63.64%
2. False 5 test(s) ≙ 22.73%
3. Warning 2 test(s) ≙ 9.09%
4. None 0 test(s) ≙ 0.00%
5. Error 1 test(s) ≙ 4.55%

Microsoft Benchmarks

A total of 347 tests have been executed in section Microsoft Benchmarks.

1. True 187 test(s) ≙ 53.89%
2. False 160 test(s) ≙ 46.11%
3. Warning 0 test(s) ≙ 0.00%
4. None 0 test(s) ≙ 0.00%
5. Error 0 test(s) ≙ 0.00%

CIS Benchmarks

A total of 523 tests have been executed in section CIS Benchmarks.

1. True 471 test(s) ≙ 90.06%
2. False 52 test(s) ≙ 9.94%
3. Warning 0 test(s) ≙ 0.00%
4. None 0 test(s) ≙ 0.00%
5. Error 0 test(s) ≙ 0.00%

Table of Contents

Click the link(s) below for quick access to a report section.

• General Benchmarks
  • Security Base Data
• Microsoft Benchmarks
  • Registry Settings/Group Policies
  • User Rights Assignment
  • Account Policies
  • Advanced Audit Policy Configuration
• CIS Benchmarks
  • Registry Settings/Group Policies
  • User Rights Assignment
  • Account Policies
  • Advanced Audit Policy Configuration

General Benchmarks–↑

This section contains general benchmarks

Security Base Data–↑

This section contains basic recommendations for a secure Microsoft Windows configuration.

Id	Task	Message	Status
SBD-001	Ensure the system is booting in ‚UEFI‘ mode.	Compliant	True
SBD-002	Ensure the system is using SecureBoot.	SecureBoot is supported but disabled.	False
SBD-003	Ensure the TPM Chip is ‚present‘.	Compliant	True
SBD-004	Ensure the TPM Chip is ‚ready‘.	Compliant	True
SBD-005	Ensure the TPM Chip is ‚enabled‘.	Compliant	True
SBD-006	Ensure the TPM Chip is ‚activated‘.	Compliant	True
SBD-007	Ensure the TPM Chip is ‚owned‘.	Compliant	True
SBD-008	Ensure the TPM Chip is implementing specification version 2.0 or higher.	Compliant	True
SBD-009	Get the count of local users on the system.	System has 3-5 local users.	Warning
SBD-010	Get the count of admin users on the system.	System has 3-5 admin users.	Warning
SBD-011	Ensure the status of the Bitlocker service is ‚Running‘.	Compliant	True
SBD-012	Ensure that Bitlocker is activated on all volumes.	Bitlocker status is unknown.	Error
SBD-013	Ensure the status of the Windows Defender service is ‚Running‘.	Compliant	True
SBD-014	Ensure the status of the Microsoft Defender for Endpoint service is ‚Running‘.	Service is not ‚Running‘ (More info).	False
SBD-015	Ensure the Windows Firewall is enabled on all profiles.	Compliant	True
SBD-016	Check if the last successful search for updates was in the past 24 hours.	Compliant	True
SBD-017	Check if the last successful installation of updates was in the past 5 days.	Compliant	True
SBD-018	Ensure Virtualization Based Security is enabled and running.	VBS is activated but not running.	False
SBD-019	Ensure Hypervisor-protected Code Integrity (HVCI) is running.	HVCI is not running.	False
SBD-020	Ensure Credential Guard is running.	Credential Guard is not running.	False
SBD-021	Ensure the Attack Surface Reduction (ASR) rules are enabled.	Compliant (12+ rules enabled)	True
SBD-022	Ensure Windows Defender Application Guard is enabled.	Compliant	True

Microsoft Benchmarks–↑

This section contains all benchmarks from Microsoft

Registry Settings/Group Policies–↑

Id	Task	Message	Status
Registry-009	Set registry value ‚UseEnhancedPin‘ to 1.	Compliant	True
Registry-010	Set registry value ‚RDVDenyCrossOrg‘ to 0.	Compliant	True
Registry-011	Set registry value ‚DisableExternalDMAUnderLock‘ to 1.	Compliant	True
Registry-012	Set registry value ‚DCSettingIndex‘ to 0.	Compliant	True
Registry-013	Set registry value ‚ACSettingIndex‘ to 0.	Compliant	True
Registry-014	Set registry value ‚DenyDeviceClasses‘ to 1.	Compliant	True
Registry-015	Set registry value ‚DenyDeviceClassesRetroactive‘ to 1.	Compliant	True
Registry-016	Set registry value ‚1‘ to ‚Prevent installation of drivers matching these device setup classes‘.	Compliant	True
Registry-017	Ensure ‚Deny write access to removable drives not protected by BitLocker‘ is set to ‚Enabled‘.	Compliant	True
Registry-018	Set registry value ‚PUAProtection‘ to 1.	Compliant	True
Registry-019	Set registry value ‚MpCloudBlockLevel‘ to 2.	Registry value not found.	False
Registry-020	Ensure ‚Scan all downloaded files and attachments‘ is set to ‚Enabled‘.	Compliant	True
Registry-021	Ensure ‚Turn off real-time protection‘ is set to ‚Disabled‘.	Compliant	True
Registry-022	Set registry value ‚DisableScriptScanning‘ to 0.	Compliant	True
Registry-023	Ensure ‚Scan removable drives‘ is set to ‚Enabled‘.	Compliant	True
Registry-024	Ensure ‚Send file samples when further analysis is required‘ is set to ‚Send safe samples‘.	Registry value is ‚2‘. Expected: 1	False
Registry-025	Ensure ‚Join Microsoft MAPS‘ is set to ‚Advanced MAPS‘.	Registry value is ‚0‘. Expected: 2	False
Registry-026	Ensure ‚Configure the ‚Block at First Sight‘ feature‘ is set to ‚Enabled‘.	Registry value not found.	False
Registry-027	Set registry value ‚ExploitGuard_ASR_Rules‘ to 1.	Compliant	True
Registry-028	(L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured	Compliant	True
Registry-029	(L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured	Compliant	True
Registry-030	(L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured	Compliant	True
Registry-031	(L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured	Compliant	True
Registry-032	(L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured	Compliant	True
Registry-033	(L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured	Compliant	True
Registry-034	(L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured	Compliant	True
Registry-035	(L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured	Compliant	True
Registry-036	(L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured	Compliant	True
Registry-037	(L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured	Compliant	True
Registry-038	(L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured	Compliant	True
Registry-039	Use advanced protection against ransomware	Registry value not found.	False
Registry-040	(L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured	Compliant	True
Registry-041	Set registry value ‚EnableNetworkProtection‘ to 1.	Compliant	True
Registry-042	Ensure ‚Turn On Virtualization Based Security‘ is set to ‚Enabled‘.	Compliant	True
Registry-043	Ensure ‚Turn On Virtualization Based Security‘ is set to ‚Secure Boot‘.	Registry value is ‚3‘. Expected: 1	False
Registry-044	Ensure ‚Turn On Virtualization Based Security‘ is set to ‚Enabled with UEFI lock‘.	Compliant	True
Registry-045	Set registry value ‚HVCIMATRequired‘ to 1.	Compliant	True
Registry-046	Ensure ‚Turn On Virtualization Based Security‘ is set to ‚Enabled with UEFI lock‘.	Compliant	True
Registry-047	Set registry value ‚ConfigureSystemGuardLaunch‘ to 1.	Compliant	True
Registry-048	Ensure ‚Do not suggest third-party content in Windows spotlight‘ is set to ‚Enabled‘.	Registry key not found.	False
Registry-049	Set registry value ‚NoToastApplicationNotificationOnLockScreen‘ to 1.	Registry key not found.	False
Registry-050	Set registry value ‚AutoConnectAllowedOEM‘ to 0.	Compliant	True
Registry-051	Ensure ‚Enumerate administrator accounts on elevation‘ is set to ‚Disabled‘.	Compliant	True
Registry-052	Ensure ‚Turn off Autoplay‘ is set to ‚All drives‘.	Compliant	True
Registry-053	Set registry value ‚NoWebServices‘ to 1.	Compliant	True
Registry-054	Ensure ‚Set the default behavior for AutoRun‘ is set to ‚Do not execute any autorun commands‘.	Compliant	True
Registry-055	Ensure ‚Allow Microsoft accounts to be optional‘ is set to ‚Enabled‘.	Compliant	True
Registry-056	Ensure ‚Sign-in last interactive user automatically after a system-initiated restart‘ is set to ‚Disabled‘.	Compliant	True
Registry-057	Set registry value ‚LocalAccountTokenFilterPolicy‘ to 0.	Compliant	True
Registry-058	Set registry value ‚AllowEncryptionOracle‘ to 0.	Compliant	True
Registry-059	Set registry value ‚EnhancedAntiSpoofing‘ to 1.	Compliant	True
Registry-060	Ensure ‚Prevent downloading of enclosures‘ is set to ‚Enabled‘.	Registry key not found.	False
Registry-061	Ensure ‚Require a password when a computer wakes (on battery)‘ is set to ‚Enabled‘.	Compliant	True
Registry-062	Ensure ‚Require a password when a computer wakes (plugged in)‘ is set to ‚Enabled‘.	Compliant	True
Registry-063	Set registry value ‚LetAppsActivateWithVoiceAboveLock‘ to 2.	Compliant	True
Registry-064	Ensure ‚Turn off Microsoft consumer experiences‘ is set to ‚Enabled‘.	Compliant	True
Registry-065	Set registry value ‚AllowProtectedCreds‘ to 1.	Compliant	True
Registry-066	Ensure ‚Specify the maximum log file size (KB)‘ is set to ‚32768‘.	Compliant	True
Registry-067	Ensure ‚Specify the maximum log file size (KB)‘ is set to ‚196608‘.	Compliant	True
Registry-068	Ensure ‚Specify the maximum log file size (KB)‘ is set to ‚32768‘.	Compliant	True
Registry-069	Ensure ‚Disallow Autoplay for non-volume devices‘ is set to ‚Enabled‘.	Compliant	True
Registry-070	Set registry value ‚AllowGameDVR‘ to 0.	Compliant	True
Registry-071	Ensure ‚Configure registry policy processing‘ is set to ‚0‘.	Compliant	True
Registry-072	Ensure ‚Configure registry policy processing‘ is set to ‚0‘.	Compliant	True
Registry-073	Set registry value ‚AlwaysInstallElevated‘ to 0.	Compliant	True
Registry-074	Ensure ‚Allow user control over installs‘ is set to ‚Disabled‘.	Compliant	True
Registry-075	Set registry value ‚DeviceEnumerationPolicy‘ to 0.	Compliant	True
Registry-076	Ensure ‚Enable insecure guest logons‘ is set to ‚Disabled‘.	Compliant	True
Registry-077	Ensure ‚Prohibit use of Internet Connection Sharing on your DNS domain network‘ is set to ‚Enabled‘.	Compliant	True
Registry-078	Set registry value ‚\\*\SYSVOL‘ to RequireMutualAuthentication=1,RequireIntegrity=1.	Registry value is “. Expected: RequireMutualAuthentication=1,RequireIntegrity=1	False
Registry-079	Set registry value ‚\\*\NETLOGON‘ to RequireMutualAuthentication=1,RequireIntegrity=1.	Registry value is ‚RequireMutualAuthentication=1, RequireIntegrity=1‘. Expected: RequireMutualAuthentication=1,RequireIntegrity=1	False
Registry-080	Set registry value ‚NoLockScreenCamera‘ to 1.	Compliant	True
Registry-081	Set registry value ‚NoLockScreenSlideshow‘ to 1.	Compliant	True
Registry-082	Ensure ‚Turn on PowerShell Script Block Logging‘ is set to ‚Enabled‘.	Registry value is ‚0‘. Expected: 1	False
Registry-083	Ensure ‚Turn on PowerShell Script Block Logging‘ is not set.	Compliant. Registry value not found.	True
Registry-084	Ensure ‚Turn on convenience PIN sign-in‘ is set to ‚Disabled‘.	Compliant	True
Registry-085	Ensure ‚Enumerate local users on domain-joined computers‘ is set to ‚Disabled‘.	Compliant	True
Registry-086	Ensure ‚Configure Windows SmartScreen‘ is set to ‚Enabled‘.	Compliant	True
Registry-087	Set registry value ‚ShellSmartScreenLevel‘ to Block.	Registry value not found.	False
Registry-088	Ensure ‚Prohibit connection to non-domain networks when connected to domain authenticated network‘ is set to ‚Enabled‘.	Compliant	True
Registry-089	Set registry value ‚AllowIndexingEncryptedStoresOrItems‘ to 0.	Compliant	True
Registry-090	Ensure ‚Disallow Digest authentication‘ is set to ‚Enabled‘.	Compliant	True
Registry-091	Ensure ‚Allow unencrypted traffic‘ is set to ‚Disabled‘.	Compliant	True
Registry-092	Ensure ‚Allow Basic authentication‘ is set to ‚Disabled‘.	Compliant	True
Registry-093	Ensure ‚Allow unencrypted traffic‘ is set to ‚Disabled‘.	Compliant	True
Registry-094	Ensure ‚Disallow WinRM from storing RunAs credentials‘ is set to ‚Enabled‘.	Compliant	True
Registry-095	Ensure ‚Allow Basic authentication‘ is set to ‚Disabled‘.	Compliant	True
Registry-096	Ensure ‚Turn off multicast name resolution‘ is set to ‚Enabled‘.	Compliant	True
Registry-097	Set registry value ‚DisableWebPnPDownload‘ to 1.	Compliant	True
Registry-098	Set registry value ‚RestrictDriverInstallationToAdministrators‘ to 1.	Compliant	True
Registry-099	Ensure ‚Restrict Unauthenticated RPC clients‘ is set to ‚Authenticated‘.	Compliant	True
Registry-100	Set registry value ‚fUseMailto‘ to .	Compliant. Registry value not found.	True
Registry-101	Set registry value ‚fAllowToGetHelp‘ to 0.	Compliant	True
Registry-102	Set registry value ‚fAllowFullControl‘ to .	Compliant. Registry value not found.	True
Registry-103	Set registry value ‚MaxTicketExpiry‘ to .	Compliant. Registry value not found.	True
Registry-104	Set registry value ‚MaxTicketExpiryUnits‘ to .	Compliant. Registry value not found.	True
Registry-105	Set registry value ‚MinEncryptionLevel‘ to 3.	Compliant	True
Registry-106	Set registry value ‚fPromptForPassword‘ to 1.	Compliant	True
Registry-107	Set registry value ‚fDisableCdm‘ to 1.	Compliant	True
Registry-108	Set registry value ‚DisablePasswordSaving‘ to 1.	Compliant	True
Registry-109	Set registry value ‚fEncryptRPCTraffic‘ to 1.	Compliant	True
Registry-110	Set registry value ‚PolicyVersion‘ to 538.	Registry value not found.	False
Registry-111	Set registry value ‚DefaultOutboundAction‘ to 0.	Compliant	True
Registry-112	Set registry value ‚DisableNotifications‘ to 1.	Compliant	True
Registry-113	Set registry value ‚EnableFirewall‘ to 1.	Compliant	True
Registry-114	Set registry value ‚DefaultInboundAction‘ to 1.	Compliant	True
Registry-115	Set registry value ‚LogDroppedPackets‘ to 1.	Compliant	True
Registry-116	Set registry value ‚LogFileSize‘ to 16384.	Compliant	True
Registry-117	Set registry value ‚LogSuccessfulConnections‘ to 1.	Compliant	True
Registry-118	Set registry value ‚EnableFirewall‘ to 1.	Compliant	True
Registry-119	Set registry value ‚DisableNotifications‘ to 1.	Compliant	True
Registry-120	Set registry value ‚DefaultInboundAction‘ to 1.	Compliant	True
Registry-121	Set registry value ‚DefaultOutboundAction‘ to 0.	Compliant	True
Registry-122	Set registry value ‚LogSuccessfulConnections‘ to 1.	Compliant	True
Registry-123	Set registry value ‚LogDroppedPackets‘ to 1.	Compliant	True
Registry-124	Set registry value ‚LogFileSize‘ to 16384.	Compliant	True
Registry-125	Set registry value ‚DefaultOutboundAction‘ to 0.	Compliant	True
Registry-126	Set registry value ‚EnableFirewall‘ to 1.	Compliant	True
Registry-127	Set registry value ‚DisableNotifications‘ to 1.	Compliant	True
Registry-128	Set registry value ‚AllowLocalIPsecPolicyMerge‘ to 0.	Compliant	True
Registry-129	Set registry value ‚AllowLocalPolicyMerge‘ to 0.	Compliant	True
Registry-130	Set registry value ‚DefaultInboundAction‘ to 1.	Compliant	True
Registry-131	Set registry value ‚LogFileSize‘ to 16384.	Compliant	True
Registry-132	Set registry value ‚LogDroppedPackets‘ to 1.	Compliant	True
Registry-133	Set registry value ‚LogSuccessfulConnections‘ to 1.	Compliant	True
Registry-134	Ensure ‚Allow Windows Ink Workspace‘ is set to ‚On, but disallow access above lock‘.	Registry value is ‚0‘. Expected: 1	False
Registry-135	Set registry value ‚AdmPwdEnabled‘ to 1.	Registry key not found.	False
Registry-136	Ensure ‚WDigest Authentication (disabling may require KB2871997)‘ is set to ‚Disabled‘.	Compliant	True
Registry-137	Ensure ‚Enable Structured Exception Handling Overwrite Protection (SEHOP)‘ is set to ‚Enabled‘.	Compliant	True
Registry-138	Set registry value ‚DriverLoadPolicy‘ to 3.	Compliant	True
Registry-139	Ensure ‚Configure SMB v1 server‘ is set to ‚Disabled‘.	Compliant	True
Registry-140	Ensure ‚Configure SMB v1 client driver‘ is set to ‚Disable driver (recommended)‘.	Compliant	True
Registry-141	Set registry value ‚NoNameReleaseOnDemand‘ to 1.	Compliant	True
Registry-142	Set registry value ‚NodeType‘ to 2.	Compliant	True
Registry-143	Set registry value ‚EnableICMPRedirect‘ to 0.	Compliant	True
Registry-144	Set registry value ‚DisableIPSourceRouting‘ to 2.	Compliant	True
Registry-145	Set registry value ‚DisableIPSourceRouting‘ to 2.	Compliant	True
Registry-146	Set registry value ‚ScRemoveOption‘ to 1.	Compliant	True
Registry-147	Set registry value ‚InactivityTimeoutSecs‘ to 900.	Compliant	True
Registry-148	Set registry value ‚NoLMHash‘ to 1.	Compliant	True
Registry-149	Set registry value ‚EnablePlainTextPassword‘ to 0.	Compliant	True
Registry-150	Set registry value ‚LimitBlankPasswordUse‘ to 1.	Compliant	True
Registry-151	Set registry value ‚RestrictAnonymousSAM‘ to 1.	Compliant	True
Registry-152	Set registry value ‚RestrictAnonymous‘ to 1.	Compliant	True
Registry-153	Set registry value ‚RestrictNullSessAccess‘ to 1.	Compliant	True
Registry-154	Set registry value ‚SCENoApplyLegacyAuditPolicy‘ to 1.	Compliant	True
Registry-155	Set registry value ‚NTLMMinClientSec‘ to 537395200.	Compliant	True
Registry-156	Set registry value ‚LmCompatibilityLevel‘ to 5.	Compliant	True
Registry-157	Set registry value ‚allownullsessionfallback‘ to 0.	Compliant	True
Registry-158	Set registry value ‚NTLMMinServerSec‘ to 537395200.	Compliant	True
Registry-159	Set registry value ‚requirestrongkey‘ to 1.	Compliant	True
Registry-160	Set registry value ‚RequireSecuritySignature‘ to 1.	Registry value is ‚0‘. Expected: 1	False
Registry-161	Set registry value ’sealsecurechannel‘ to 1.	Compliant	True
Registry-162	Set registry value ‚requiresignorseal‘ to 1.	Compliant	True
Registry-163	Set registry value ’signsecurechannel‘ to 1.	Compliant	True
Registry-164	Set registry value ‚requiresecuritysignature‘ to 1.	Registry value is ‚0‘. Expected: 1	False
Registry-165	Set registry value ‚ProtectionMode‘ to 1.	Compliant	True
Registry-166	Set registry value ‚ConsentPromptBehaviorAdmin‘ to 2.	Compliant	True
Registry-167	Set registry value ‚EnableSecureUIAPaths‘ to 1.	Compliant	True
Registry-168	Set registry value ‚EnableLUA‘ to 1.	Compliant	True
Registry-169	Set registry value ‚ConsentPromptBehaviorUser‘ to 0.	Registry value is ‚3‘. Expected: 0	False
Registry-170	Set registry value ‚EnableInstallerDetection‘ to 1.	Compliant	True
Registry-171	Set registry value ‚FilterAdministratorToken‘ to 1.	Compliant	True
Registry-172	Set registry value ‚EnableVirtualization‘ to 1.	Compliant	True
Registry-173	Set registry value ‚LDAPClientIntegrity‘ to 1.	Compliant	True
Registry-174	Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.	Compliant	True
Registry-222	Set registry value ‚FormSuggest Passwords‘ to 1.	Registry key not found.	False
Registry-223	Ensure ‚Turn on the auto-complete feature for user names and passwords on forms‘ is set to ’no‘.	Registry key not found.	False
Registry-224	Set registry value ‚FormSuggest Passwords‘ to no.	Registry key not found.	False
Registry-225	Ensure ‚Remove „Run this time“ button for outdated ActiveX controls in Internet Explorer ‚ is set to ‚Enabled‘.	Registry value not found.	False
Registry-226	Ensure ‚Turn off blocking of outdated ActiveX controls for Internet Explorer‘ is set to ‚Disabled‘.	Registry value not found.	False
Registry-227	Ensure ‚Allow software to run or install even if the signature is invalid‘ is set to ‚Disabled‘.	Registry key not found.	False
Registry-228	Set registry value ‚CheckExeSignatures‘ to yes.	Registry key not found.	False
Registry-229	Ensure ‚Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows‘ is set to ‚Enabled‘.	Registry value not found.	False
Registry-230	Ensure ‚Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled‘ is set to ‚Enabled‘.	Registry value not found.	False
Registry-231	Set registry value ‚Isolation‘ to PMEM.	Registry value not found.	False
Registry-232	Set registry value ‚(Reserved)‘ to 1.	Registry key not found.	False
Registry-234	Set registry value ‚explorer.exe‘ to 1.	Registry key not found.	False
Registry-235	Set registry value ‚explorer.exe‘ to 1.	Registry key not found.	False
Registry-237	Set registry value ‚(Reserved)‘ to 1.	Registry key not found.	False
Registry-238	Set registry value ‚explorer.exe‘ to 1.	Registry key not found.	False
Registry-240	Set registry value ‚(Reserved)‘ to 1.	Registry key not found.	False
Registry-241	Set registry value ‚(Reserved)‘ to 1.	Registry key not found.	False
Registry-242	Set registry value ‚explorer.exe‘ to 1.	Registry key not found.	False
Registry-244	Set registry value ‚(Reserved)‘ to 1.	Registry key not found.	False
Registry-246	Set registry value ‚explorer.exe‘ to 1.	Registry key not found.	False
Registry-247	Set registry value ‚(Reserved)‘ to 1.	Registry key not found.	False
Registry-249	Set registry value ‚explorer.exe‘ to 1.	Registry key not found.	False
Registry-251	Set registry value ‚(Reserved)‘ to 1.	Registry key not found.	False
Registry-252	Set registry value ‚explorer.exe‘ to 1.	Registry key not found.	False
Registry-253	Set registry value ‚(Reserved)‘ to 1.	Registry key not found.	False
Registry-254	Set registry value ‚explorer.exe‘ to 1.	Registry key not found.	False
Registry-255	Set registry value ‚iexplore.exe‘ to 1.	Registry key not found.	False
Registry-256	Set registry value ‚PreventOverrideAppRepUnknown‘ to 1.	Registry key not found.	False
Registry-257	Set registry value ‚PreventOverride‘ to 1.	Registry key not found.	False
Registry-258	Ensure ‚Prevent managing SmartScreen Filter‘ is set to ‚On‘.	Registry key not found.	False
Registry-259	Set registry value ‚NoCrashDetection‘ to 1.	Registry key not found.	False
Registry-260	Ensure ‚Turn off the Security Settings Check feature‘ is set to ‚Disabled‘.	Registry key not found.	False
Registry-261	Ensure ‚Prevent per-user installation of ActiveX controls‘ is set to ‚Enabled‘.	Registry key not found.	False
Registry-262	Ensure ‚Specify use of ActiveX Installer Service for installation of ActiveX controls‘ is set to ‚Enabled‘.	Registry key not found.	False
Registry-263	Set registry value ‚Security_zones_map_edit‘ to 1.	Registry value not found.	False
Registry-264	Set registry value ‚Security_options_edit‘ to 1.	Registry value not found.	False
Registry-265	Set registry value ‚Security_HKLM_only‘ to 1.	Registry value not found.	False
Registry-266	Ensure ‚Check for server certificate revocation‘ is set to ‚Enabled‘.	Registry value not found.	False
Registry-267	Ensure ‚Prevent ignoring certificate errors‘ is set to ‚Enabled‘.	Registry value not found.	False
Registry-268	Set registry value ‚WarnOnBadCertRecving‘ to 1.	Registry value not found.	False
Registry-269	Ensure ‚Allow fallback to SSL 3.0 (Internet Explorer)‘ is set to ‚No Sites‘.	Registry value not found.	False
Registry-270	Ensure ‚Turn off encryption support‘ is set to ‚Use TLS 1.1 and TLS 1.2‘.	Registry value not found.	False
Registry-271	Ensure ‚Java permissions‘ is set to ‚Disable Java‘.	Registry key not found.	False
Registry-272	Ensure ‚Java permissions‘ is set to ‚Disable Java‘.	Registry key not found.	False
Registry-273	Ensure ‚Java permissions‘ is set to ‚Disable Java‘.	Registry key not found.	False
Registry-274	Ensure ‚Turn on SmartScreen Filter scan‘ is set to ‚Enable‘.	Registry key not found.	False
Registry-275	Ensure ‚Turn on SmartScreen Filter scan‘ is set to ‚Enable‘.	Registry key not found.	False
Registry-276	Ensure ‚Java permissions‘ is set to ‚Disable Java‘.	Registry key not found.	False
Registry-277	Ensure ‚Intranet Sites: Include all network paths (UNCs)‘ is set to ‚Disabled‘.	Registry key not found.	False
Registry-278	Ensure ‚Java permissions‘ is set to ‚Disable Java‘.	Registry key not found.	False
Registry-279	Ensure ‚Don’t run antimalware programs against ActiveX controls‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-280	Ensure ‚Don’t run antimalware programs against ActiveX controls‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-281	Ensure ‚Initialize and script ActiveX controls not marked as safe‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-282	Ensure ‚Java permissions‘ is set to ‚High safety‘.	Registry key not found.	False
Registry-283	Ensure ‚Java permissions‘ is set to ‚High safety‘.	Registry key not found.	False
Registry-284	Ensure ‚Don’t run antimalware programs against ActiveX controls‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-285	Ensure ‚Initialize and script ActiveX controls not marked as safe‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-286	Ensure ‚Run .NET Framework-reliant components signed with Authenticode‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-287	Ensure ‚Allow script-initiated windows without size or position constraints‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-288	Ensure ‚Allow drag and drop or copy and paste files‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-289	Ensure ‚Include local path when user is uploading files to a server‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-290	Ensure ‚Initialize and script ActiveX controls not marked as safe‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-291	Ensure ‚Access data sources across domains‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-292	Ensure ‚Launching applications and files in an IFRAME‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-293	Ensure ‚Automatic prompting for file downloads‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-294	Ensure ‚Allow scriptlets‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-295	Ensure ‚Allow scripting of Internet Explorer WebBrowser controls‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-296	Ensure ‚Use Pop-up Blocker‘ is set to ‚Enable‘.	Registry key not found.	False
Registry-297	Ensure ‚Turn on Protected Mode‘ is set to ‚Enable‘.	Registry key not found.	False
Registry-298	Ensure ‚Allow updates to status bar via script‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-299	Ensure ‚Userdata persistence‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-300	Ensure ‚Allow loading of XAML files‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-301	Ensure ‚Run .NET Framework-reliant components not signed with Authenticode‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-302	Ensure ‚Java permissions‘ is set to ‚Disable Java‘.	Registry key not found.	False
Registry-303	Ensure ‚Download signed ActiveX controls‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-304	Ensure ‚Logon options‘ is set to ‚Prompt for user name and password‘.	Registry key not found.	False
Registry-305	Ensure ‚Enable dragging of content from different domains within a window‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-306	Ensure ‚Download unsigned ActiveX controls‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-307	Ensure ‚Allow only approved domains to use ActiveX controls without prompt‘ is set to ‚Enable‘.	Registry key not found.	False
Registry-308	Ensure ‚Allow cut, copy or paste operations from the clipboard via script‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-309	Ensure ‚Turn on Cross-Site Scripting Filter‘ is set to ‚Enable‘.	Registry key not found.	False
Registry-310	Ensure ‚Don’t run antimalware programs against ActiveX controls‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-311	Ensure ‚Navigate windows and frames across different domains‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-312	Ensure ‚Enable dragging of content from different domains across windows‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-313	Ensure ‚Web sites in less privileged Web content zones can navigate into this zone‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-314	Ensure ‚Turn on SmartScreen Filter scan‘ is set to ‚Enable‘.	Registry key not found.	False
Registry-315	Ensure ‚Show security warning for potentially unsafe files‘ is set to ‚Prompt‘.	Registry key not found.	False
Registry-316	Ensure ‚Allow only approved domains to use the TDC ActiveX control‘ is set to ‚Enable‘.	Registry key not found.	False
Registry-317	Set registry value ‚140C‘ to 3.	Registry key not found.	False
Registry-318	Ensure ‚Allow META REFRESH‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-319	Ensure ‚Initialize and script ActiveX controls not marked as safe‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-320	Ensure ‚Download signed ActiveX controls‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-321	Ensure ‚Navigate windows and frames across different domains‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-322	Ensure ‚Allow only approved domains to use ActiveX controls without prompt‘ is set to ‚Enable‘.	Registry key not found.	False
Registry-323	Ensure ‚Use Pop-up Blocker‘ is set to ‚Enable‘.	Registry key not found.	False
Registry-324	Ensure ‚Download unsigned ActiveX controls‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-325	Ensure ‚Userdata persistence‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-326	Ensure ‚Allow cut, copy or paste operations from the clipboard via script‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-327	Ensure ‚Include local path when user is uploading files to a server‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-328	Ensure ‚Access data sources across domains‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-329	Ensure ‚Allow script-initiated windows without size or position constraints‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-330	Ensure ‚Run .NET Framework-reliant components not signed with Authenticode‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-331	Ensure ‚Automatic prompting for file downloads‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-332	Ensure ‚Allow binary and script behaviors‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-333	Ensure ‚Scripting of Java applets‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-334	Ensure ‚Allow file downloads‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-335	Ensure ‚Allow loading of XAML files‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-336	Ensure ‚Allow active scripting‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-337	Ensure ‚Logon options‘ is set to ‚Anonymous logon‘.	Registry key not found.	False
Registry-338	Ensure ‚Run .NET Framework-reliant components signed with Authenticode‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-339	Ensure ‚Turn on Protected Mode‘ is set to ‚Enable‘.	Registry key not found.	False
Registry-340	Ensure ‚Turn on Cross-Site Scripting Filter‘ is set to ‚Enable‘.	Registry key not found.	False
Registry-341	Ensure ‚Java permissions‘ is set to ‚Disable Java‘.	Registry key not found.	False
Registry-342	Ensure ‚Allow scriptlets‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-343	Ensure ‚Don’t run antimalware programs against ActiveX controls‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-344	Ensure ‚Allow scripting of Internet Explorer WebBrowser controls‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-345	Ensure ‚Enable dragging of content from different domains within a window‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-346	Ensure ‚Allow drag and drop or copy and paste files‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-347	Ensure ‚Allow updates to status bar via script‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-348	Ensure ‚Enable dragging of content from different domains across windows‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-349	Ensure ‚Script ActiveX controls marked safe for scripting‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-350	Ensure ‚Web sites in less privileged Web content zones can navigate into this zone‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-351	Ensure ‚Turn on SmartScreen Filter scan‘ is set to ‚Enable‘.	Registry key not found.	False
Registry-352	Ensure ‚Run ActiveX controls and plugins‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-353	Ensure ‚Launching applications and files in an IFRAME‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-354	Ensure ‚Show security warning for potentially unsafe files‘ is set to ‚Disable‘.	Registry key not found.	False
Registry-355	Ensure ‚Allow only approved domains to use the TDC ActiveX control‘ is set to ‚Enable‘.	Registry key not found.	False
Registry-356	Set registry value ‚140C‘ to 3.	Registry key not found.	False

User Rights Assignment–↑

Id	Task	Message	Status
UserRight-176	Ensure ‚SeSecurityPrivilege‘ is set to ‚administrator‘	Compliant	True
UserRight-177	Ensure ‚SeRestorePrivilege‘ is set to ‚administrator‘	The user right ‚SeRestorePrivilege‘ contains following unexpected users: BUILTIN\Backup Operators	False
UserRight-178	Ensure ‚SeTakeOwnershipPrivilege‘ is set to ‚administrator‘	Compliant	True
UserRight-179	Ensure ‚SeBackupPrivilege‘ is set to ‚administrator‘	The user right ‚SeBackupPrivilege‘ contains following unexpected users: BUILTIN\Backup Operators	False
UserRight-180	Ensure ‚SeDenyRemoteInteractiveLogonRight‘ is set to ‚Local account‘	The user right ‚SeDenyRemoteInteractiveLogonRight‘ contains following unexpected users: BUILTIN\Guests	False
UserRight-181	Ensure ‚SeCreatePermanentPrivilege‘ is set to ’none‘	The user ‚SeCreatePermanentPrivilege‘ setting does not contain the following users: NULL SID	False
UserRight-182	Ensure ‚SeManageVolumePrivilege‘ is set to ‚administrator‘	Compliant	True
UserRight-183	Ensure ‚SeLoadDriverPrivilege‘ is set to ‚administrator‘	Compliant	True
UserRight-184	Ensure ‚SeLockMemoryPrivilege‘ is set to ’none‘	Compliant	True
UserRight-185	Ensure ‚SeDenyNetworkLogonRight‘ is set to ‚Local account‘	The user right ‚SeDenyNetworkLogonRight‘ contains following unexpected users: LOCAL, BUILTIN\Guests The user ‚SeDenyNetworkLogonRight‘ setting does not contain the following users: NT AUTHORITY\Local account	False
UserRight-186	Ensure ‚SeNetworkLogonRight‘ is set to ‚administrator, Remote Desktop Users‘	The user right ‚SeNetworkLogonRight‘ contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators The user ‚SeNetworkLogonRight‘ setting does not contain the following users: BUILTIN\Remote Desktop Users	False
UserRight-187	Ensure ‚SeImpersonatePrivilege‘ is set to ‚administrator, Service, Local Service, Network Service‘	Compliant	True
UserRight-188	Ensure ‚SeCreateTokenPrivilege‘ is set to ’none‘	The user ‚SeCreateTokenPrivilege‘ setting does not contain the following users: NULL SID	False
UserRight-189	Ensure ‚SeCreateGlobalPrivilege‘ is set to ‚administrator, Service, Local Service, Network Service‘	Compliant	True
UserRight-190	Ensure ‚SeSystemEnvironmentPrivilege‘ is set to ‚administrator‘	Compliant	True
UserRight-191	Ensure ‚SeCreatePagefilePrivilege‘ is set to ‚administrator‘	Compliant	True
UserRight-192	Ensure ‚SeInteractiveLogonRight‘ is set to ‚administrator, Users‘	The user right ‚SeInteractiveLogonRight‘ contains following unexpected users: Hostname1\OldGuest, BUILTIN\Backup Operators	False
UserRight-193	Ensure ‚SeRemoteShutdownPrivilege‘ is set to ‚administrator‘	Compliant	True
UserRight-194	Ensure ‚SeDebugPrivilege‘ is set to ‚administrator‘	The user ‚SeDebugPrivilege‘ setting does not contain the following users: BUILTIN\Administrators	False
UserRight-195	Ensure ‚SeTrustedCredManAccessPrivilege‘ is set to ’none‘	The user ‚SeTrustedCredManAccessPrivilege‘ setting does not contain the following users: NULL SID	False
UserRight-196	Ensure ‚SeProfileSingleProcessPrivilege‘ is set to ‚administrator‘	Compliant	True
UserRight-197	Ensure ‚SeTcbPrivilege‘ is set to ’none‘	The user ‚SeTcbPrivilege‘ setting does not contain the following users: NULL SID	False
UserRight-198	Ensure ‚SeEnableDelegationPrivilege‘ is set to ’none‘	The user ‚SeEnableDelegationPrivilege‘ setting does not contain the following users: NULL SID	False

Account Policies–↑

Id	Task	Message	Status
AccountPolicy-001	Ensure ‚MinimumPasswordLength‘ is set to ’14‘.	Compliant	True
AccountPolicy-002	Ensure ‚PasswordComplexity‘ is set to ‚1‘.	Compliant	True
AccountPolicy-003	Ensure ‚PasswordHistorySize‘ is set to ’24‘.	Compliant	True
AccountPolicy-004	Ensure ‚LockoutBadCount‘ is set to ’10‘.	‚LockoutBadCount‘ currently set to: 7. Expected: 10	False
AccountPolicy-005	Ensure ‚ResetLockoutCount‘ is set to ’15‘.	Compliant	True
AccountPolicy-006	Ensure ‚LockoutDuration‘ is set to ’15‘.	Compliant	True
AccountPolicy-007	Ensure ‚ClearTextPassword‘ is set to ‚0‘.	Compliant	True

Advanced Audit Policy Configuration–↑

Id	Task	Message	Status
AuditPolicy-199	Ensure ‚Credential Validation‘ is set to ‚Success‘ and is set to ‚Failure‘.	Compliant	True
AuditPolicy-200	Ensure ‚Security Group Management‘ is set to ‚Success‘.	Compliant	True
AuditPolicy-201	Ensure ‚User Account Management‘ is set to ‚Success‘ and is set to ‚Failure‘.	Compliant	True
AuditPolicy-202	Ensure ‚Plug and Play Events‘ is set to ‚Success‘.	Compliant	True
AuditPolicy-203	Ensure ‚Process Creation‘ is set to ‚Success‘.	Compliant	True
AuditPolicy-204	Ensure ‚Account Lockout‘ is set to ‚Failure‘.	Compliant	True
AuditPolicy-205	Ensure ‚Group Membership‘ is set to ‚Success‘.	Compliant	True
AuditPolicy-206	Ensure ‚Logon‘ is set to ‚Success‘ and is set to ‚Failure‘.	Compliant	True
AuditPolicy-207	Ensure ‚Other Logon/Logoff Events‘ is set to ‚Success‘ and is set to ‚Failure‘.	Compliant	True
AuditPolicy-208	Ensure ‚Special Logon‘ is set to ‚Success‘.	Compliant	True
AuditPolicy-209	Ensure ‚Detailed File Share‘ is set to ‚Failure‘.	Compliant	True
AuditPolicy-210	Ensure ‚File Share‘ is set to ‚Success‘ and is set to ‚Failure‘.	Compliant	True
AuditPolicy-211	Ensure ‚Other Object Access Events‘ is set to ‚Success‘ and is set to ‚Failure‘.	Compliant	True
AuditPolicy-212	Ensure ‚Removable Storage‘ is set to ‚Success‘ and is set to ‚Failure‘.	Compliant	True
AuditPolicy-213	Ensure ‚Audit Policy Change‘ is set to ‚Success‘.	Compliant	True
AuditPolicy-214	Ensure ‚Authentication Policy Change‘ is set to ‚Success‘.	Compliant	True
AuditPolicy-215	Ensure ‚MPSSVC Rule-Level Policy Change‘ is set to ‚Success‘ and is set to ‚Failure‘.	Compliant	True
AuditPolicy-216	Ensure ‚Other Policy Change Events‘ is set to ‚Failure‘.	Compliant	True
AuditPolicy-217	Ensure ‚Sensitive Privilege Use‘ is set to ‚Success‘ and is set to ‚Failure‘.	Compliant	True
AuditPolicy-218	Ensure ‚Other System Events‘ is set to ‚Success‘ and is set to ‚Failure‘.	Compliant	True
AuditPolicy-219	Ensure ‚Security State Change‘ is set to ‚Success‘.	Compliant	True
AuditPolicy-220	Ensure ‚Security System Extension‘ is set to ‚Success‘.	Compliant	True
AuditPolicy-221	Ensure ‚System Integrity‘ is set to ‚Success‘ and is set to ‚Failure‘.	Compliant	True

CIS Benchmarks–↑

This section contains all benchmarks from CIS

Registry Settings/Group Policies–↑

Id	Task	Message	Status
1.1.6	(L1) Ensure ‚Relax minimum password length limits‘ is set to ‚Enabled‘	Compliant	True
18.1.1.1	(L1) Ensure ‚Prevent enabling lock screen camera‘ is set to ‚Enabled‘	Compliant	True
18.1.1.2	(L1) Ensure ‚Prevent enabling lock screen slide show‘ is set to ‚Enabled‘	Compliant	True
18.1.2.2	(L1) Ensure ‚Allow users to enable online speech recognition services‘ is set to ‚Disabled‘	Compliant	True
18.1.3	(L2) Ensure ‚Allow Online Tips‘ is set to ‚Disabled‘	Compliant	True
18.2.2	(L1) Ensure ‚Do not allow password expiration time longer than required by policy‘ is set to ‚Enabled‘	Registry key not found.	False
18.2.3	(L1) Ensure ‚Enable Local Admin Password Management‘ is set to ‚Enabled‘	Registry key not found.	False
18.2.4	(L1) Ensure ‚Password Settings: Password Complexity‘ is set to ‚Enabled: Large letters + small letters + numbers + special characters‘	Registry key not found.	False
18.2.5	(L1) Ensure ‚Password Settings: Password Length‘ is set to ‚Enabled: 15 or more‘	Registry key not found.	False
18.2.6	(L1) Ensure ‚Password Settings: Password Age (Days)‘ is set to ‚Enabled: 30 or fewer‘	Registry key not found.	False
18.3.1	(L1) Ensure ‚Apply UAC restrictions to local accounts on network logons‘ is set to ‚Enabled‘	Compliant	True
18.3.2	(L1) Ensure ‚Configure SMB v1 client driver‘ is set to ‚Enabled: Disable driver (recommended)‘	Compliant	True
18.3.3	(L1) Ensure ‚Configure SMB v1 server‘ is set to ‚Disabled‘	Compliant	True
18.3.4	(L1) Ensure ‚Enable Structured Exception Handling Overwrite Protection (SEHOP)‘ is set to ‚Enabled‘	Compliant	True
18.3.5	(L1) Set registry value ‚RestrictDriverInstallationToAdministrators‘ to 1.	Compliant	True
18.3.6	(L1) Ensure ‚NetBT NodeType configuration‘ is set to ‚Enabled: P-node (recommended)‘	Compliant	True
18.3.7	(L1) Ensure ‚WDigest Authentication‘ is set to ‚Disabled‘	Compliant	True
18.4.1	(L1) Ensure ‚MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)‘ is set to ‚Disabled‘	Compliant	True
18.4.10	(L1) Ensure ‚MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)‘ is set to ‚Enabled: 5 or fewer seconds‘	Compliant	True
18.4.11	(L2) Ensure ‚MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted‘ is set to ‚Enabled: 3‘	Compliant	True
18.4.12	(L2) Ensure ‚MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted‘ is set to ‚Enabled: 3‘	Compliant	True
18.4.13	(L1) Ensure ‚MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning‘ is set to ‚Enabled: 90% or less‘	Compliant	True
18.4.2	(L1) Ensure ‚MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)‘ is set to ‚Enabled: Highest protection, source routing is completely disabled‘	Compliant	True
18.4.3	(L1) Ensure ‚MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)‘ is set to ‚Enabled: Highest protection, source routing is completely disabled‘	Compliant	True
18.4.4	(L2) Ensure ‚MSS: (DisableSavePassword) Prevent the dial-up password from being saved‘ is set to ‚Enabled‘	Compliant	True
18.4.5	(L1) Ensure ‚MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes‘ is set to ‚Disabled‘	Compliant	True
18.4.6	(L2) Ensure ‚MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds‘ is set to ‚Enabled: 300,000 or 5 minutes (recommended)‘	Compliant	True
18.4.7	(L1) Ensure ‚MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers‘ is set to ‚Enabled‘	Compliant	True
18.4.8	(L2) Ensure ‚MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)‘ is set to ‚Disabled‘	Compliant	True
18.4.9	(L1) Ensure ‚MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)‘ is set to ‚Enabled‘	Compliant	True
18.5.10.2	(L2) Ensure ‚Turn off Microsoft Peer-to-Peer Networking Services‘ is set to ‚Enabled‘	Compliant	True
18.5.11.2	(L1) Ensure ‚Prohibit installation and configuration of Network Bridge on your DNS domain network‘ is set to ‚Enabled‘	Compliant	True
18.5.11.3	(L1) Ensure ‚Prohibit use of Internet Connection Sharing on your DNS domain network‘ is set to ‚Enabled‘	Compliant	True
18.5.11.4	(L1) Ensure ‚Require domain users to elevate when setting a network’s location‘ is set to ‚Enabled‘	Compliant	True
18.5.14.1	(L1) Ensure ‚Hardened UNC Paths‘ is set to ‚Enabled, with „Require Mutual Authentication“ and „Require Integrity“ set for all NETLOGON and SYSVOL shares‘	Compliant	True
18.5.19.2.1	(L2) Disable IPv6 (Ensure TCPIP6 Parameter ‚DisabledComponents‘ is set to ‚0xff (255)‘)	Compliant	True
18.5.20.1	(L2) Ensure ‚Configuration of wireless settings using Windows Connect Now‘ is set to ‚Disabled‘	Compliant	True
18.5.20.2	(L2) Ensure ‚Prohibit access of the Windows Connect Now wizards‘ is set to ‚Enabled‘	Compliant	True
18.5.21.1	(L1) Ensure ‚Minimize the number of simultaneous connections to the Internet or a Windows Domain‘ is set to ‚Enabled: 3 = Prevent Wi-Fi when on Ethernet‘	Registry value not found.	False
18.5.21.2	(L1) Ensure ‚Prohibit connection to non-domain networks when connected to domain authenticated network‘ is set to ‚Enabled‘	Compliant	True
18.5.23.2.1	(L1) Ensure ‚Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services‘ is set to ‚Disabled‘	Compliant	True
18.5.4.1	(L1) Ensure ‚Configure DNS over HTTPS (DoH) name resolution‘ is set to ‚Enabled: Allow DoH‘ or higher (Automated)	Compliant	True
18.5.4.2	(L1) Ensure ‚Turn off multicast name resolution‘ is set to ‚Enabled‘	Compliant	True
18.5.5.1	(L2) Ensure ‚Enable Font Providers‘ is set to ‚Disabled‘	Compliant	True
18.5.8.1	(L1) Ensure ‚Enable insecure guest logons‘ is set to ‚Disabled‘	Compliant	True
18.5.9.1.1	(L2) Ensure ‚Turn on Mapper I/O (LLTDIO) driver‘ is set to ‚Disabled‘ (Domain)	Compliant	True
18.5.9.1.2	(L2) Ensure ‚Turn on Mapper I/O (LLTDIO) driver‘ is set to ‚Disabled‘ (Public)	Compliant	True
18.5.9.1.3	(L2) Ensure ‚Turn on Mapper I/O (LLTDIO) driver‘ is set to ‚Disabled‘	Compliant	True
18.5.9.1.4	(L2) Ensure ‚Turn on Mapper I/O (LLTDIO) driver‘ is set to ‚Disabled‘ (Private)	Compliant	True
18.5.9.2.1	(L2) Ensure ‚Turn on Responder (RSPNDR) driver‘ is set to ‚Disabled‘ (Domain)	Compliant	True
18.5.9.2.2	(L2) Ensure ‚Turn on Responder (RSPNDR) driver‘ is set to ‚Disabled‘ (Public)	Compliant	True
18.5.9.2.3	(L2) Ensure ‚Turn on Responder (RSPNDR) driver‘ is set to ‚Disabled‘	Compliant	True
18.5.9.2.4	(L2) Ensure ‚Turn on Responder (RSPNDR) driver‘ is set to ‚Disabled‘ (Private)	Compliant	True
18.6.1	(L1) Ensure ‚Allow Print Spooler to accept client connections‘ is set to ‚Disabled‘	Compliant	True
18.6.2	(L1) Ensure ‚Point and Print Restrictions: When installing drivers for a new connection‘ is set to ‚Enabled: Show warning and elevation prompt‘	Compliant	True
18.6.3	(L1) Ensure ‚Point and Print Restrictions: When updating drivers for an existing connection‘ is set to ‚Enabled: Show warning and elevation prompt‘	Compliant	True
18.7.1.1	(L2) Ensure ‚Turn off notifications network usage‘ is set to ‚Enabled‘	Compliant	True
18.8.14.1	(L1) Ensure ‚Boot-Start Driver Initialization Policy‘ is set to ‚Enabled: Good, unknown and bad but critical‘	Compliant	True
18.8.21.2	(L1) Ensure ‚Configure registry policy processing: Do not apply during periodic background processing‘ is set to ‚Enabled: FALSE‘	Compliant	True
18.8.21.3	(L1) Ensure ‚Configure registry policy processing: Process even if the Group Policy objects have not changed‘ is set to ‚Enabled: TRUE‘	Compliant	True
18.8.21.4	(L1) Ensure ‚Continue experiences on this device‘ is set to ‚Disabled‘	Compliant	True
18.8.21.5	(L1) Ensure ‚Turn off background refresh of Group Policy‘ is set to ‚Disabled‘	Compliant	True
18.8.22.1.1	(L2) Ensure ‚Turn off access to the Store‘ is set to ‚Enabled‘	Compliant	True
18.8.22.1.10	(L2) Ensure ‚Turn off the „Order Prints“ picture task‘ is set to ‚Enabled‘	Compliant	True
18.8.22.1.11	(L2) Ensure ‚Turn off the „Publish to Web“ task for files and folders‘ is set to ‚Enabled‘	Compliant	True
18.8.22.1.12	(L2) Ensure ‚Turn off the Windows Messenger Customer Experience Improvement Program‘ is set to ‚Enabled‘	Compliant	True
18.8.22.1.13	(L2) Ensure ‚Turn off Windows Customer Experience Improvement Program‘ is set to ‚Enabled‘	Compliant	True
18.8.22.1.14	(L2) Ensure ‚Turn off Windows Error Reporting‘ is set to ‚Enabled‘	Compliant	True
18.8.22.1.2	(L1) Ensure ‚Turn off downloading of print drivers over HTTP‘ is set to ‚Enabled‘	Compliant	True
18.8.22.1.3	(L2) Ensure ‚Turn off handwriting personalization data sharing‘ is set to ‚Enabled‘	Compliant	True
18.8.22.1.4	(L2) Ensure ‚Turn off handwriting recognition error reporting‘ is set to ‚Enabled‘	Compliant	True
18.8.22.1.5	(L2) Ensure ‚Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com‘ is set to ‚Enabled‘	Compliant	True
18.8.22.1.6	(L1) Ensure ‚Turn off Internet download for Web publishing and online ordering wizards‘ is set to ‚Enabled‘	Compliant	True
18.8.22.1.7	(L2) Ensure ‚Turn off printing over HTTP‘ is set to ‚Enabled‘	Compliant	True
18.8.22.1.8	(L2) Ensure ‚Turn off Registration if URL connection is referring to Microsoft.com‘ is set to ‚Enabled‘	Compliant	True
18.8.22.1.9	(L2) Ensure ‚Turn off Search Companion content file updates‘ is set to ‚Enabled‘	Compliant	True
18.8.25.1.1	(L2) Ensure ‚Support device authentication using certificate‘ is set to ‚Enabled: Automatic‘ (DevicePKInitBehavior)	Compliant	True
18.8.25.1.2	(L2) Ensure ‚Support device authentication using certificate‘ is set to ‚Enabled: Automatic‘ (DevicePKInitEnabled)	Compliant	True
18.8.26.1	(BL) Ensure ‚Enumeration policy for external devices incompatible with Kernel DMA Protection‘ is set to ‚Enabled: Block All‘	Compliant	True
18.8.27.1	(L2) Ensure ‚Disallow copying of user input methods to the system account for sign-in‘ is set to ‚Enabled‘	Compliant	True
18.8.28.1	(L1) Ensure ‚Block user from showing account details on sign-in‘ is set to ‚Enabled‘	Compliant	True
18.8.28.2	(L1) Ensure ‚Do not display network selection UI‘ is set to ‚Enabled‘	Compliant	True
18.8.28.3	(L1) Ensure ‚Do not enumerate connected users on domain-joined computers‘ is set to ‚Enabled‘	Compliant	True
18.8.28.4	(L1) Ensure ‚Enumerate local users on domain-joined computers‘ is set to ‚Disabled‘	Compliant	True
18.8.28.5	(L1) Ensure ‚Turn off app notifications on the lock screen‘ is set to ‚Enabled‘	Compliant	True
18.8.28.6	(L1) Ensure ‚Turn off picture password sign-in‘ is set to ‚Enabled‘	Compliant	True
18.8.28.7	(L1) Ensure ‚Turn on convenience PIN sign-in‘ is set to ‚Disabled‘	Compliant	True
18.8.3.1	(L1) Ensure ‚Include command line in process creation events‘ is set to ‚Disabled‘	Compliant	True
18.8.31.1	(L2) Ensure ‚Allow Clipboard synchronization across devices‘ is set to ‚Disabled‘	Compliant	True
18.8.31.2	(L2) Ensure ‚Allow upload of User Activities‘ is set to ‚Disabled‘	Compliant	True
18.8.34.6.1	(L1) Ensure ‚Allow network connectivity during connected-standby (on battery)‘ is set to ‚Disabled‘	Compliant	True
18.8.34.6.2	(L1) Ensure ‚Allow network connectivity during connected-standby (plugged in)‘ is set to ‚Disabled‘	Compliant	True
18.8.34.6.3	(BL) Ensure ‚Allow standby states (S1-S3) when sleeping (on battery)‘ is set to ‚Disabled‘	Compliant	True
18.8.34.6.4	(BL) Ensure ‚Allow standby states (S1-S3) when sleeping (plugged in)‘ is set to ‚Disabled‘	Compliant	True
18.8.34.6.5	(L1) Ensure ‚Require a password when a computer wakes (on battery)‘ is set to ‚Enabled‘	Compliant	True
18.8.34.6.6	(L1) Ensure ‚Require a password when a computer wakes (plugged in)‘ is set to ‚Enabled‘	Compliant	True
18.8.36.1	(L1) Ensure ‚Configure Offer Remote Assistance‘ is set to ‚Disabled‘	Compliant	True
18.8.36.2	(L1) Ensure ‚Configure Solicited Remote Assistance‘ is set to ‚Disabled‘	Compliant	True
18.8.37.1	(L1) Ensure ‚Enable RPC Endpoint Mapper Client Authentication‘ is set to ‚Enabled‘	Compliant	True
18.8.37.2	(L1) Ensure ‚Restrict Unauthenticated RPC clients‘ is set to ‚Enabled: Authenticated‘	Compliant	True
18.8.4.1	(L1) Ensure ‚Encryption Oracle Remediation‘ is set to ‚Enabled: Force Updated Clients‘	Compliant	True
18.8.4.2	(L1) Ensure ‚Remote host allows delegation of non-exportable credentials‘ is set to ‚Enabled‘	Compliant	True
18.8.48.11.1	(L2) Ensure ‚Enable/Disable PerfTrack‘ is set to ‚Disabled‘	Compliant	True
18.8.48.5.1	(L2) Ensure ‚Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider‘ is set to ‚Disabled‘	Compliant	True
18.8.5.1	(NG) Ensure ‚Turn On Virtualization Based Security‘ is set to ‚Enabled‘	Compliant	True
18.8.5.2	(NG) Ensure ‚Turn On Virtualization Based Security: Select Platform Security Level‘ is set to ‚Secure Boot and DMA Protection‘	Compliant	True
18.8.5.3	(NG) Ensure ‚Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity‘ is set to ‚Enabled with UEFI lock‘	Compliant	True
18.8.5.4	(NG) Ensure ‚Turn On Virtualization Based Security: Require UEFI Memory Attributes Table‘ is set to ‚True (checked)‘	Compliant	True
18.8.5.5	(NG) Ensure ‚Turn On Virtualization Based Security: Credential Guard Configuration‘ is set to ‚Enabled with UEFI lock‘	Compliant	True
18.8.5.6	(NG) Ensure ‚Turn On Virtualization Based Security: Secure Launch Configuration‘ is set to ‚Enabled‘	Compliant	True
18.8.50.1	(L2) Ensure ‚Turn off the advertising ID‘ is set to ‚Enabled‘	Compliant	True
18.8.53.1.1	(L2) Ensure ‚Enable Windows NTP Client‘ is set to ‚Enabled‘	Compliant	True
18.8.53.1.2	(L2) Ensure ‚Enable Windows NTP Server‘ is set to ‚Disabled‘	Compliant	True
18.8.7.1.1	(BL) Ensure ‚Prevent installation of devices that match any of these device IDs‘ is set to ‚Enabled‘	Registry value not found.	False
18.8.7.1.2	(BL) Ensure ‚Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs‘ is set to ‚PCI\CC_0C0A‘	Compliant	True
18.8.7.1.3	(BL) Ensure ‚Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.‘ is set to ‚True‘ (checked)	Registry value not found.	False
18.8.7.1.4	(BL) Ensure ‚Prevent installation of devices using drivers that match these device setup classes‘ is set to ‚Enabled‘	Compliant	True
18.8.7.1.5	(BL) Ensure ‚Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup‘ is set to ‚IEEE 1394 device setup classes‘	Compliant	True
18.8.7.1.6	(BL) Ensure ‚Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.‘ is set to ‚True‘ (checked)	Compliant	True
18.8.7.2	(L1) Prevent Windows from retrieving device metadata from the Internet	Compliant	True
18.9.10.1.1	(L1) Ensure ‚Configure enhanced anti-spoofing‘ is set to ‚Enabled‘	Compliant	True
18.9.100.1	(L1) Ensure ‚Turn on PowerShell Script Block Logging‘ is set to ‚Disabled‘	Compliant	True
18.9.100.2	(L1) Ensure ‚Turn on PowerShell Transcription‘ is set to ‚Disabled‘	Compliant	True
18.9.102.1.1	(L1) Ensure ‚Allow Basic authentication‘ is set to ‚Disabled‘	Compliant	True
18.9.102.1.2	(L1) Ensure ‚Allow unencrypted traffic‘ is set to ‚Disabled‘	Compliant	True
18.9.102.1.3	(L1) Ensure ‚Disallow Digest authentication‘ is set to ‚Enabled‘	Compliant	True
18.9.102.2.1	(L1) Ensure ‚Allow Basic authentication‘ is set to ‚Disabled‘	Compliant	True
18.9.102.2.2	(L2) Ensure ‚Allow remote server management through WinRM‘ is set to ‚Disabled‘	Registry value not found.	False
18.9.102.2.3	(L1) Ensure ‚Allow unencrypted traffic‘ is set to ‚Disabled‘	Compliant	True
18.9.102.2.4	(L1) Ensure ‚Disallow WinRM from storing RunAs credentials‘ is set to ‚Enabled‘	Compliant	True
18.9.103.1	(L2) Ensure ‚Allow Remote Shell Access‘ is set to ‚Disabled‘	Registry key not found.	False
18.9.104.1	(L1) Ensure ‚Allow clipboard sharing with Windows Sandbox‘ is set to ‚Disabled‘	Compliant	True
18.9.104.2	(L1) Ensure ‚Allow networking in Windows Sandbox‘ is set to ‚Disabled‘	Compliant	True
18.9.105.2.1	(L1) Ensure ‚Prevent users from modifying settings‘ is set to ‚Enabled‘	Compliant	True
18.9.108.1.1	(L1) Ensure ‚No auto-restart with logged on users for scheduled automatic updates installations‘ is set to ‚Disabled‘	Compliant	True
18.9.108.2.1	(L1) Ensure ‚Configure Automatic Updates‘ is set to ‚Enabled‘	Compliant	True
18.9.108.2.2	(L1) Ensure ‚Configure Automatic Updates: Scheduled install day‘ is set to ‚0 – Every day‘	Compliant	True
18.9.108.2.3	(L1) Ensure ‚Remove access to „Pause updates“ feature‘ is set to ‚Enabled‘	Compliant	True
18.9.108.4.1	(L1) Ensure ‚Manage preview builds‘ is set to ‚Enabled: Disable preview builds‘ (ManagePreviewBuildsPolicyValue)	Compliant	True
18.9.108.4.2.1	(L1) Ensure ‚Select when Preview Builds and Feature Updates are received‘ is set to ‚Enabled: Semi-Annual Channel, 180 or more days‘ (DeferFeatureUpdates)	Compliant	True
18.9.108.4.2.2	(L1) Ensure ‚Select when Preview Builds and Feature Updates are received‘ is set to ‚Enabled: Semi-Annual Channel, 180 or more days‘ (DeferFeatureUpdatesPeriodInDays)	Compliant	True
18.9.108.4.3.1	(L1) Ensure ‚Select when Quality Updates are received‘ is set to ‚Enabled: 0 days‘ (DeferQualityUpdates)	Compliant	True
18.9.108.4.3.2	(L1) Ensure ‚Select when Quality Updates are received‘ is set to ‚Enabled: 0 days‘ (DeferQualityUpdatesPeriodInDays)	Compliant	True
18.9.11.1.1	(BL) Ensure ‚Allow access to BitLocker-protected fixed data drives from earlier versions of Windows‘ is set to ‚Disabled‘	Compliant	True
18.9.11.1.10	(BL) Ensure ‚Configure use of hardware-based encryption for fixed data drives‘ is set to ‚Disabled‘	Compliant	True
18.9.11.1.11	(BL) Ensure ‚Configure use of passwords for fixed data drives‘ is set to ‚Disabled‘	Compliant	True
18.9.11.1.12	(BL) Ensure ‚Configure use of smart cards on fixed data drives‘ is set to ‚Enabled‘	Compliant	True
18.9.11.1.13	(BL) Ensure ‚Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives‘ is set to ‚Enabled: True‘	Compliant	True
18.9.11.1.2	(BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered‘ is set to ‚Enabled‘	Compliant	True
18.9.11.1.3	(BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent‘ is set to ‚Enabled: True‘	Compliant	True
18.9.11.1.4	(BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered: Recovery Password‘ is set to ‚Enabled: Allow 48-digit recovery password‘	Compliant	True
18.9.11.1.5	(BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered: Recovery Key‘ is set to ‚Enabled: Allow 256-bit recovery key‘	Compliant	True
18.9.11.1.6	(BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard‘ is set to ‚Enabled: True‘	Compliant	True
18.9.11.1.7	(BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives‘ is set to ‚Enabled: False‘	Compliant	True
18.9.11.1.8	(BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS‘ is set to ‚Enabled: Backup recovery passwords and key packages‘	Compliant	True
18.9.11.1.9	(BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives‘ is set to ‚Enabled: False‘	Compliant	True
18.9.11.2.1	(BL) Ensure ‚Allow enhanced PINs for startup‘ is set to ‚Enabled‘	Compliant	True
18.9.11.2.10	(BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives‘ is set to ‚Enabled: True‘	Compliant	True
18.9.11.2.11	(BL) Ensure ‚Configure use of hardware-based encryption for operating system drives‘ is set to ‚Disabled‘	Compliant	True
18.9.11.2.12	(BL) Ensure ‚Configure use of passwords for operating system drives‘ is set to ‚Disabled‘	Compliant	True
18.9.11.2.13	(BL) Ensure ‚Require additional authentication at startup‘ is set to ‚Enabled‘	Compliant	True
18.9.11.2.14	(BL) Ensure ‚Require additional authentication at startup: Allow BitLocker without a compatible TPM‘ is set to ‚Enabled: False‘	Registry value is ‚1‘. Expected: 0	False
18.9.11.2.2	(BL) Ensure ‚Allow Secure Boot for integrity validation‘ is set to ‚Enabled‘	Compliant	True
18.9.11.2.3	(BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered‘ is set to ‚Enabled‘	Compliant	True
18.9.11.2.4	(BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent‘ is set to ‚Enabled: False‘	Compliant	True
18.9.11.2.5	(BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered: Recovery Password‘ is set to ‚Enabled: Require 48-digit recovery password‘	Compliant	True
18.9.11.2.6	(BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered: Recovery Key‘ is set to ‚Enabled: Do not allow 256-bit recovery key‘	Compliant	True
18.9.11.2.7	(BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard‘ is set to ‚Enabled: True‘	Compliant	True
18.9.11.2.8	(BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives‘ is set to ‚Enabled: True‘	Compliant	True
18.9.11.2.9	(BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:‘ is set to ‚Enabled: Store recovery passwords and key packages‘	Compliant	True
18.9.11.3.1	(BL) Ensure ‚Allow access to BitLocker-protected removable data drives from earlier versions of Windows‘ is set to ‚Disabled‘	Compliant	True
18.9.11.3.10	(BL) Ensure ‚Configure use of hardware-based encryption for removable data drives‘ is set to ‚Disabled‘	Compliant	True
18.9.11.3.11	(BL) Ensure ‚Configure use of passwords for removable data drives‘ is set to ‚Disabled‘	Registry value is ‚1‘. Expected: 0	False
18.9.11.3.12	(BL) Ensure ‚Configure use of smart cards on removable data drives‘ is set to ‚Enabled‘	Compliant	True
18.9.11.3.13	(BL) Ensure ‚Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives‘ is set to ‚Enabled: True‘	Registry value not found.	False
18.9.11.3.14	(BL) Ensure ‚Deny write access to removable drives not protected by BitLocker‘ is set to ‚Enabled‘	Compliant	True
18.9.11.3.15	(BL) Ensure ‚Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization‘ is set to ‚Enabled: False‘	Compliant	True
18.9.11.3.2	(BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered‘ is set to ‚Enabled‘	Registry value not found.	False
18.9.11.3.3	(BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent‘ is set to ‚Enabled: True‘	Compliant	True
18.9.11.3.4	(BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered: Recovery Password‘ is set to ‚Enabled: Do not allow 48-digit recovery password‘	Registry value not found.	False
18.9.11.3.5	(BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered: Recovery Key‘ is set to ‚Enabled: Do not allow 256-bit recovery key‘	Compliant	True
18.9.11.3.6	(BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard‘ is set to ‚Enabled: True‘	Compliant	True
18.9.11.3.7	(BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives‘ is set to ‚Enabled: False‘	Compliant	True
18.9.11.3.8	(BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:‘ is set to ‚Enabled: Backup recovery passwords and key packages‘	Compliant	True
18.9.11.3.9	(BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives‘ is set to ‚Enabled: False‘	Compliant	True
18.9.11.4	(BL) Ensure ‚Disable new DMA devices when this computer is locked‘ is set to ‚Enabled‘	Compliant	True
18.9.12.1	(L2) Ensure ‚Allow Use of Camera‘ is set to ‚Disabled‘	Registry key not found.	False
18.9.14.1	(L1) Ensure ‚Turn off cloud consumer account state content‘ is set to ‚Enabled‘	Compliant	True
18.9.14.2	(L2) Ensure ‚Turn off cloud optimized content‘ is set to ‚Enabled‘	Compliant	True
18.9.14.3	(L1) Ensure ‚Turn off Microsoft consumer experiences‘ is set to ‚Enabled‘	Compliant	True
18.9.15.1	(L1) Ensure ‚Require pin for pairing‘ is set to ‚Enabled: First Time‘ OR ‚Enabled: Always‘	Compliant	True
18.9.16.1	(L1) Ensure ‚Do not display the password reveal button‘ is set to ‚Enabled‘	Compliant	True
18.9.16.2	(L1) Ensure ‚Enumerate administrator accounts on elevation‘ is set to ‚Disabled‘	Compliant	True
18.9.16.3	(L1) Ensure ‚Prevent the use of security questions for local accounts‘ is set to ‚Enabled‘	Compliant	True
18.9.17.1	(L1) Ensure ‚Allow Telemetry‘ is set to ‚Enabled: 0 – Security [Enterprise Only]‘ or ‚Enabled: 1 – Basic‘	Compliant	True
18.9.17.2	(L2) Ensure ‚Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service‘ is set to ‚Enabled: Disable Authenticated Proxy usage‘	Compliant	True
18.9.17.3	(L1) Ensure ‚Disable OneSettings Downloads‘ is set to ‚Enabled‘	Compliant	True
18.9.17.4	(L1) Ensure ‚Do not show feedback notifications‘ is set to ‚Enabled‘	Compliant	True
18.9.17.5	(L1) Ensure ‚Enable OneSettings Auditing‘ is set to ‚Enabled	Compliant	True
18.9.17.6	(L1) Ensure ‚Limit Diagnostic Log Collection‘ is set to ‚Enabled‘	Compliant	True
18.9.17.7	(L1) Ensure ‚Limit Dump Collection‘ is set to ‚Enabled‘	Compliant	True
18.9.17.8	(L1) Ensure ‚Toggle user control over Insider builds‘ is set to ‚Disabled‘	Compliant	True
18.9.18.1	(L1) Ensure ‚Download Mode‘ is NOT set to ‚Enabled: Internet‘	Compliant	True
18.9.27.1.1	(L1) Ensure ‚Application: Control Event Log behavior when the log file reaches its maximum size‘ is set to ‚Disabled‘	Compliant	True
18.9.27.1.2	(L1) Ensure ‚Application: Specify the maximum log file size (KB)‘ is set to ‚Enabled: 32,768 or greater‘	Compliant	True
18.9.27.2.1	(L1) Ensure ‚Security: Control Event Log behavior when the log file reaches its maximum size‘ is set to ‚Disabled‘	Compliant	True
18.9.27.2.2	(L1) Ensure ‚Security: Specify the maximum log file size (KB)‘ is set to ‚Enabled: 196,608 or greater‘	Compliant	True
18.9.27.3.1	(L1) Ensure ‚Setup: Control Event Log behavior when the log file reaches its maximum size‘ is set to ‚Disabled‘	Compliant	True
18.9.27.3.2	(L1) Ensure ‚Setup: Specify the maximum log file size (KB)‘ is set to ‚Enabled: 32,768 or greater‘	Compliant	True
18.9.27.4.1	(L1) Ensure ‚System: Control Event Log behavior when the log file reaches its maximum size‘ is set to ‚Disabled‘	Compliant	True
18.9.27.4.2	(L1) Ensure ‚System: Specify the maximum log file size (KB)‘ is set to ‚Enabled: 32,768 or greater‘	Compliant	True
18.9.31.2	(L1) Ensure ‚Turn off Data Execution Prevention for Explorer‘ is set to ‚Disabled‘	Compliant	True
18.9.31.3	(L1) Ensure ‚Turn off heap termination on corruption‘ is set to ‚Disabled‘	Compliant	True
18.9.31.4	(L1) Ensure ‚Turn off shell protocol protected mode‘ is set to ‚Disabled‘	Compliant	True
18.9.36.1	(L1) Ensure ‚Prevent the computer from joining a homegroup‘ is set to ‚Enabled‘	Compliant	True
18.9.4.1	(L2) Ensure ‚Allow a Windows app to share application data between users‘ is set to ‚Disabled‘	Compliant	True
18.9.4.2	(L1) Ensure ‚Prevent non-admin users from installing packaged Windows apps‘ is set to ‚Enabled‘	Compliant	True
18.9.41.1	(L2) Ensure ‚Turn off location‘ is set to ‚Enabled‘	Compliant	True
18.9.45.1	(L2) Ensure ‚Allow Message Service Cloud Sync‘ is set to ‚Disabled‘	Compliant	True
18.9.46.1	(L1) Ensure ‚Block all consumer Microsoft account user authentication‘ is set to ‚Enabled‘	Compliant	True
18.9.47.11.1	(L2) Ensure ‚Configure Watson events‘ is set to ‚Disabled‘	Compliant	True
18.9.47.12.1	(L1) Ensure ‚Scan removable drives‘ is set to ‚Enabled‘	Compliant	True
18.9.47.12.2	(L1) Ensure ‚Turn on e-mail scanning‘ is set to ‚Enabled‘	Compliant	True
18.9.47.15	(L1) Ensure ‚Configure detection for potentially unwanted applications‘ is set to ‚Enabled: Block‘	Compliant	True
18.9.47.16	(L1) Ensure ‚Turn off Microsoft Defender AntiVirus‘ is set to ‚Disabled‘	Compliant	True
18.9.47.4.1	(L1) Ensure ‚Configure local setting override for reporting to Microsoft MAPS‘ is set to ‚Disabled‘	Compliant	True
18.9.47.4.2	(L2) Ensure ‚Join Microsoft MAPS‘ is set to ‚Disabled‘	Compliant	True
18.9.47.5.1.1	(L1) Ensure ‚Configure Attack Surface Reduction rules‘ is set to ‚Enabled‘	Compliant	True
18.9.47.5.1.2.1	(L1) Set the state for each Attack Surface Reduction (ASR) rule (Block Office communication application from creating child processes).	Compliant	True
18.9.47.5.1.2.10	(L1) Set the state for each Attack Surface Reduction (ASR) rule (Block JavaScript or VBScript from launching downloaded executable content).	Compliant	True
18.9.47.5.1.2.11	(L1) Set the state for each Attack Surface Reduction (ASR) rule (Block all Office applications from creating child processes).	Compliant	True
18.9.47.5.1.2.12	(L1) Set the state for each Attack Surface Reduction (ASR) rule (Block persistence through WMI event subscription).	Compliant	True
18.9.47.5.1.2.2	(L1) Set the state for each Attack Surface Reduction (ASR) rule (Block Office applications from creating executable content).	Compliant	True
18.9.47.5.1.2.3	(L1) Set the state for each Attack Surface Reduction (ASR) rule (Block execution of potentially obfuscated scripts).	Compliant	True
18.9.47.5.1.2.4	(L1) Set the state for each Attack Surface Reduction (ASR) rule (Block Office applications from injecting code into other processes).	Compliant	True
18.9.47.5.1.2.5	(L1) Set the state for each Attack Surface Reduction (ASR) rule (Block Adobe Reader from creating child processes).	Compliant	True
18.9.47.5.1.2.6	(L1) Set the state for each Attack Surface Reduction (ASR) rule (Block Win32 API calls from Office macros).	Compliant	True
18.9.47.5.1.2.7	(L1) Set the state for each Attack Surface Reduction (ASR) rule (Block credential stealing from the Windows local security authority subsystem (lsass.exe)).	Compliant	True
18.9.47.5.1.2.8	(L1) Set the state for each Attack Surface Reduction (ASR) rule (Block untrusted and unsigned processes that run from USB).	Compliant	True
18.9.47.5.1.2.9	(L1) Set the state for each Attack Surface Reduction (ASR) rule (Block executable content from email client and webmail).	Compliant	True
18.9.47.5.3.1	(L1) Ensure ‚Prevent users and apps from accessing dangerous websites‘ is set to ‚Enabled: Block‘	Compliant	True
18.9.47.6.1	(L2) Ensure ‚Enable file hash computation feature‘ is set to ‚Enabled‘	Compliant	True
18.9.47.9.1	(L1) Ensure ‚Scan all downloaded files and attachments‘ is set to ‚Enabled‘	Compliant	True
18.9.47.9.2	(L1) Ensure ‚Turn off real-time protection‘ is set to ‚Disabled‘	Compliant	True
18.9.47.9.3	(L1) Ensure ‚Turn on behavior monitoring‘ is set to ‚Enabled‘	Compliant	True
18.9.47.9.4	(L1) Ensure ‚Turn on script scanning‘ is set to ‚Enabled‘	Compliant	True
18.9.48.1	(NG) Ensure ‚Allow auditing events in Microsoft Defender Application Guard‘ is set to ‚Enabled‘	Compliant	True
18.9.48.2	(NG) Ensure ‚Allow camera and microphone access in Microsoft Defender Application Guard‘ is set to ‚Disabled‘	Compliant	True
18.9.48.3	(NG) Ensure ‚Allow data persistence for Microsoft Defender Application Guard‘ is set to ‚Disabled‘	Compliant	True
18.9.48.4	(NG) Ensure ‚Allow files to download and save to the host operating system from Microsoft Defender Application Guard‘ is set to ‚Disabled‘	Compliant	True
18.9.48.5	(NG) Ensure ‚Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting‘ is set to ‚Enabled: Enable clipboard operation from an isolated session to the host‘	Compliant	True
18.9.48.6	(NG) Ensure ‚Turn on Microsoft Defender Application Guard in Managed Mode‘ is set to ‚Enabled: 1‘	Compliant	True
18.9.5.1	(L1) Ensure ‚Let Windows apps activate with voice while the system is locked‘ is set to ‚Enabled: Force Deny‘	Compliant	True
18.9.57.1	(L2) Ensure ‚Enable news and interests on the taskbar‘ is set to ‚Disabled‘	Compliant	True
18.9.58.1	(L1) Ensure ‚Prevent the usage of OneDrive for file storage‘ is set to ‚Enabled‘	Registry key not found.	False
18.9.6.1	(L1) Ensure ‚Allow Microsoft accounts to be optional‘ is set to ‚Enabled‘	Compliant	True
18.9.6.2	(L2) Ensure ‚Block launching Universal Windows apps with Windows Runtime API access from hosted content.‘ is set to ‚Enabled‘	Compliant	True
18.9.64.1	(L2) Ensure ‚Turn off Push To Install service‘ is set to ‚Enabled‘	Compliant	True
18.9.65.2.2	(L1) Ensure ‚Do not allow passwords to be saved‘ is set to ‚Enabled‘	Compliant	True
18.9.65.3.10.1	(L2) Ensure ‚Set time limit for active but idle Remote Desktop Services sessions‘ is set to ‚Enabled: 15 minutes or less, but not Never (0)‘	Compliant	True
18.9.65.3.10.2	(L2) Ensure ‚Set time limit for disconnected sessions‘ is set to ‚Enabled: 1 minute‘	Compliant	True
18.9.65.3.11.1	(L1) Ensure ‚Do not delete temp folders upon exit‘ is set to ‚Disabled‘	Compliant	True
18.9.65.3.2.1	(L2) Ensure ‚Allow users to connect remotely by using Remote Desktop Services‘ is set to ‚Disabled‘	Compliant	True
18.9.65.3.3.1	(L2) Ensure ‚Allow UI Automation redirection‘ is set to ‚Disabled‘	Compliant	True
18.9.65.3.3.2	(L2) Ensure ‚Do not allow COM port redirection‘ is set to ‚Enabled‘	Compliant	True
18.9.65.3.3.3	(L1) Ensure ‚Do not allow drive redirection‘ is set to ‚Enabled‘	Compliant	True
18.9.65.3.3.4	(L2) Ensure ‚Do not allow location redirection‘ is set to ‚Enabled‘	Compliant	True
18.9.65.3.3.5	(L2) Ensure ‚Do not allow LPT port redirection‘ is set to ‚Enabled‘	Compliant	True
18.9.65.3.3.6	(L2) Ensure ‚Do not allow supported Plug and Play device redirection‘ is set to ‚Enabled‘	Compliant	True
18.9.65.3.9.1	(L1) Ensure ‚Always prompt for password upon connection‘ is set to ‚Enabled‘	Compliant	True
18.9.65.3.9.2	(L1) Ensure ‚Require secure RPC communication‘ is set to ‚Enabled‘	Compliant	True
18.9.65.3.9.3	(L1) Ensure ‚Require use of specific security layer for remote (RDP) connections‘ is set to ‚Enabled: SSL‘	Compliant	True
18.9.65.3.9.4	(L1) Ensure ‚Require user authentication for remote connections by using Network Level Authentication‘ is set to ‚Enabled‘	Compliant	True
18.9.65.3.9.5	(L1) Ensure ‚Set client connection encryption level‘ is set to ‚Enabled: High Level‘	Compliant	True
18.9.66.1	(L1) Ensure ‚Prevent downloading of enclosures‘ is set to ‚Enabled‘	Registry key not found.	False
18.9.67.2	(L2) Ensure ‚Allow Cloud Search‘ is set to ‚Enabled: Disable Cloud Search‘	Compliant	True
18.9.67.3	(L1) Ensure ‚Allow Cortana‘ is set to ‚Disabled‘	Compliant	True
18.9.67.4	(L1) Ensure ‚Allow Cortana above lock screen‘ is set to ‚Disabled‘	Compliant	True
18.9.67.5	(L1) Ensure ‚Allow indexing of encrypted files‘ is set to ‚Disabled‘	Compliant	True
18.9.67.6	(L1) Ensure ‚Allow search and Cortana to use location‘ is set to ‚Disabled‘	Compliant	True
18.9.72.1	(L2) Ensure ‚Turn off KMS Client Online AVS Validation‘ is set to ‚Enabled‘	Compliant	True
18.9.75.1	(L2) Ensure ‚Disable all apps from Microsoft Store‘ is set to ‚Disabled‘	Compliant	True
18.9.75.2	(L1) Ensure ‚Only display the private store within the Microsoft Store‘ is set to ‚Enabled‘	Compliant	True
18.9.75.3	(L1) Ensure ‚Turn off Automatic Download and Install of updates‘ is set to ‚Disabled‘	Compliant	True
18.9.75.4	(L1) Ensure ‚Turn off the offer to update to the latest version of Windows‘ is set to ‚Enabled‘	Compliant	True
18.9.75.5	(L2) Ensure ‚Turn off the Store application‘ is set to ‚Enabled‘	Compliant	True
18.9.8.1	(L1) Ensure ‚Disallow Autoplay for non-volume devices‘ is set to ‚Enabled‘	Compliant	True
18.9.8.2	(L1) Ensure ‚Set the default behavior for AutoRun‘ is set to ‚Enabled: Do not execute any autorun commands‘	Compliant	True
18.9.8.3	(L1) Ensure ‚Turn off Autoplay‘ is set to ‚Enabled: All drives‘	Compliant	True
18.9.81.1	(L1) Ensure ‚Allow widgets‘ is set to ‚Disabled‘	Compliant	True
18.9.85.1.1	(L1) Ensure ‚Configure Windows Defender SmartScreen‘ is set to ‚Enabled: Warn and prevent bypass‘	Compliant	True
18.9.85.2.1	(L1) Ensure ‚Configure Windows Defender SmartScreen‘ is set to ‚Enabled‘	Compliant	True
18.9.85.2.2	(L1) Ensure ‚Prevent bypassing Windows Defender SmartScreen prompts for sites‘ is set to ‚Enabled‘	Compliant	True
18.9.87.1	(L1) Ensure ‚Enables or disables Windows Game Recording and Broadcasting‘ is set to ‚Disabled‘	Compliant	True
18.9.89.1	(L2) Ensure ‚Allow suggested apps in Windows Ink Workspace‘ is set to ‚Disabled‘	Compliant	True
18.9.89.2	(L1) Ensure ‚Allow Windows Ink Workspace‘ is set to ‚Enabled: On, but disallow access above lock‘ OR ‚Disabled‘ but not ‚Enabled: On‘	Compliant	True
18.9.90.1	(L1) Ensure ‚Allow user control over installs‘ is set to ‚Disabled‘	Compliant	True
18.9.90.2	(L1) Ensure ‚Always install with elevated privileges‘ is set to ‚Disabled‘	Compliant	True
18.9.90.3	(L2) Ensure ‚Prevent Internet Explorer security prompt for Windows Installer scripts‘ is set to ‚Disabled‘	Compliant	True
18.9.91.1	(L1) Ensure ‚Sign-in and lock last interactive user automatically after a restart‘ is set to ‚Disabled‘	Compliant	True
19.1.3.1	(L1) Ensure ‚Enable screen saver‘ is set to ‚Enabled‘	Registry key not found.	False
19.1.3.2	(L1) Ensure ‚Password protect the screen saver‘ is set to ‚Enabled‘	Registry key not found.	False
19.1.3.3	(L1) Ensure ‚Screen saver timeout‘ is set to ‚Enabled: 900 seconds or fewer, but not 0‘	Registry key not found.	False
19.5.1.1	(L1) Ensure ‚Turn off toast notifications on the lock screen‘ is set to ‚Enabled‘	Registry key not found.	False
19.6.6.1.1	(L2) Ensure ‚Turn off Help Experience Improvement Program‘ is set to ‚Enabled‘	Registry key not found.	False
19.7.28.1	(L1) Ensure ‚Prevent users from sharing files within their profile.‘ is set to ‚Enabled‘	Registry key not found.	False
19.7.4.1	(L1) Ensure ‚Do not preserve zone information in file attachments‘ is set to ‚Disabled‘	Registry key not found.	False
19.7.4.2	(L1) Ensure ‚Notify antivirus programs when opening attachments‘ is set to ‚Enabled‘	Registry key not found.	False
19.7.47.2.1	(L2) Ensure ‚Prevent Codec Download‘ is set to ‚Enabled‘	Registry key not found.	False
19.7.8.1	(L1) Ensure ‚Configure Windows spotlight on lock screen‘ is set to Disabled‘	Registry key not found.	False
19.7.8.2	(L1) Ensure ‚Do not suggest third-party content in Windows spotlight‘ is set to ‚Enabled‘	Registry key not found.	False
19.7.8.3	(L2) Ensure ‚Do not use diagnostic data for tailored experiences‘ is set to ‚Enabled‘	Registry key not found.	False
19.7.8.4	(L2) Ensure ‚Turn off all Windows spotlight features‘ is set to ‚Enabled‘	Registry key not found.	False
19.7.8.5	(L1) Ensure ‚Turn off Spotlight collection on Desktop‘ is set to ‚Enabled‘	Registry key not found.	False
2.3.1.2	(L1) Ensure ‚Accounts: Block Microsoft accounts‘ is set to ‚Users can’t add or log on with Microsoft accounts‘	Compliant	True
2.3.1.4	(L1) Ensure ‚Accounts: Limit local account use of blank passwords to console logon only‘ is set to ‚Enabled‘	Compliant	True
2.3.10.1	(L1) Ensure ‚Network access: Allow anonymous SID/Name translation‘ is set to ‚Disabled‘	Registry value not found.	False
2.3.10.10	(L1) Ensure ‚Network access: Restrict clients allowed to make remote calls to SAM‘ is set to ‚Administrators: Remote Access: Allow‘	Compliant	True
2.3.10.11	(L1) Ensure ‚Network access: Shares that can be accessed anonymously‘ is set to ‚None‘	Compliant	True
2.3.10.12	(L1) Ensure ‚Network access: Sharing and security model for local accounts‘ is set to ‚Classic – local users authenticate as themselves‘	Compliant	True
2.3.10.2	(L1) Ensure ‚Network access: Do not allow anonymous enumeration of SAM accounts‘ is set to ‚Enabled‘	Compliant	True
2.3.10.3	(L1) Ensure ‚Network access: Do not allow anonymous enumeration of SAM accounts and shares‘ is set to ‚Enabled‘	Compliant	True
2.3.10.4	(L1) Ensure ‚Network access: Do not allow storage of passwords and credentials for network authentication‘ is set to ‚Enabled‘	Compliant	True
2.3.10.5	(L1) Ensure ‚Network access: Let Everyone permissions apply to anonymous users‘ is set to ‚Disabled‘	Compliant	True
2.3.10.6	(L1) Ensure ‚Network access: Named Pipes that can be accessed anonymously‘ is set to ‚None‘	Compliant	True
2.3.10.7	(L1) Ensure ‚Network access: Remotely accessible registry paths‘ is configured	Compliant	True
2.3.10.8	(L1) Ensure ‚Network access: Remotely accessible registry paths and sub-paths‘ is configured	Compliant	True
2.3.10.9	(L1) Ensure ‚Network access: Restrict anonymous access to Named Pipes and Shares‘ is set to ‚Enabled‘	Compliant	True
2.3.11.1	(L1) Ensure ‚Network security: Allow Local System to use computer identity for NTLM‘ is set to ‚Enabled‘	Compliant	True
2.3.11.10	(L1) Ensure ‚Network security: Minimum session security for NTLM SSP based (including secure RPC) servers‘ is set to ‚Require NTLMv2 session security, Require 128-bit encryption‘	Compliant	True
2.3.11.2	(L1) Ensure ‚Network security: Allow LocalSystem NULL session fallback‘ is set to ‚Disabled‘	Compliant	True
2.3.11.3	(L1) Ensure ‚Network Security: Allow PKU2U authentication requests to this computer to use online identities‘ is set to ‚Disabled‘	Compliant	True
2.3.11.4	(L1) Ensure ‚Network security: Configure encryption types allowed for Kerberos‘ is set to ‚AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types‘	Compliant	True
2.3.11.5	(L1) Ensure ‚Network security: Do not store LAN Manager hash value on next password change‘ is set to ‚Enabled‘	Compliant	True
2.3.11.7	(L1) Ensure ‚Network security: LAN Manager authentication level‘ is set to ‚Send NTLMv2 response only. Refuse LM&NTLM‘	Compliant	True
2.3.11.8	(L1) Ensure ‚Network security: LDAP client signing requirements‘ is set to ‚Negotiate signing‘ or higher	Compliant	True
2.3.11.9	(L1) Ensure ‚Network security: Minimum session security for NTLM SSP based (including secure RPC) clients‘ is set to ‚Require NTLMv2 session security, Require 128-bit encryption‘	Compliant	True
2.3.14.1	(L2) Ensure ‚System cryptography: Force strong key protection for user keys stored on the computer‘ is set to ‚User is prompted when the key is first used‘ or higher	Compliant	True
2.3.15.1	(L1) Ensure ‚System objects: Require case insensitivity for non-Windows subsystems‘ is set to ‚Enabled‘	Compliant	True
2.3.15.2	(L1) Ensure ‚System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)‘ is set to ‚Enabled‘	Compliant	True
2.3.17.1	(L1) Ensure ‚User Account Control: Admin Approval Mode for the Built-in Administrator account‘ is set to ‚Enabled‘	Compliant	True
2.3.17.2	(L1) Ensure ‚User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode‘ is set to ‚Prompt for consent on the secure desktop‘	Compliant	True
2.3.17.3	(L1) Ensure ‚User Account Control: Behavior of the elevation prompt for standard users‘ is set to ‚Automatically deny elevation requests‘	Registry value is ‚3‘. Expected: 0	False
2.3.17.4	(L1) Ensure ‚User Account Control: Detect application installations and prompt for elevation‘ is set to ‚Enabled‘	Compliant	True
2.3.17.5	(L1) Ensure ‚User Account Control: Only elevate UIAccess applications that are installed in secure locations‘ is set to ‚Enabled‘	Compliant	True
2.3.17.6	(L1) Ensure ‚User Account Control: Run all administrators in Admin Approval Mode‘ is set to ‚Enabled‘	Compliant	True
2.3.17.7	(L1) Ensure ‚User Account Control: Switch to the secure desktop when prompting for elevation‘ is set to ‚Enabled‘	Compliant	True
2.3.17.8	(L1) Ensure ‚User Account Control: Virtualize file and registry write failures to per-user locations‘ is set to ‚Enabled‘	Compliant	True
2.3.2.1	(L1) Ensure ‚Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings‘ is set to ‚Enabled‘	Compliant	True
2.3.2.2	(L1) Ensure ‚Audit: Shut down system immediately if unable to log security audits‘ is set to ‚Disabled‘	Compliant	True
2.3.4.1	(L1) Ensure ‚Devices: Allowed to format and eject removable media‘ is set to ‚Administrators and Interactive Users‘	Compliant	True
2.3.4.2	(L2) Ensure ‚Devices: Prevent users from installing printer drivers‘ is set to ‚Enabled‘	Compliant	True
2.3.6.1	(L1) Ensure ‚Domain member: Digitally encrypt or sign secure channel data (always)‘ is set to ‚Enabled‘	Compliant	True
2.3.6.2	(L1) Ensure ‚Domain member: Digitally encrypt secure channel data (when possible)‘ is set to ‚Enabled‘	Compliant	True
2.3.6.3	(L1) Ensure ‚Domain member: Digitally sign secure channel data (when possible)‘ is set to ‚Enabled‘	Compliant	True
2.3.6.4	(L1) Ensure ‚Domain member: Disable machine account password changes‘ is set to ‚Disabled‘	Compliant	True
2.3.6.5	(L1) Ensure ‚Domain member: Maximum machine account password age‘ is set to ’30 or fewer days, but not 0′	Compliant	True
2.3.6.6	(L1) Ensure ‚Domain member: Require strong (Windows 2000 or later) session key‘ is set to ‚Enabled‘	Compliant	True
2.3.7.1	(L1) Ensure ‚Interactive logon: Do not require CTRL+ALT+DEL‘ is set to ‚Disabled‘	Compliant	True
2.3.7.2	(L1) Ensure ‚Interactive logon: Don’t display last signed-in‘ is set to ‚Enabled‘	Compliant	True
2.3.7.3	(BL) Ensure ‚Interactive logon: Machine account lockout threshold‘ is set to ’10 or fewer invalid logon attempts, but not 0′	Compliant	True
2.3.7.4	(L1) Ensure ‚Interactive logon: Machine inactivity limit‘ is set to ‚900 or fewer second(s), but not 0‘	Compliant	True
2.3.7.5	(L1) Configure ‚Interactive logon: Message text for users attempting to log on‘	Compliant	True
2.3.7.6	(L1) Configure ‚Interactive logon: Message title for users attempting to log on‘	Compliant	True
2.3.7.7	(L2) Ensure ‚Interactive logon: Number of previous logons to cache (in case domain controller is not available)‘ is set to ‚4 or fewer logon(s)‘	Compliant	True
2.3.7.8	(L1) Ensure ‚Interactive logon: Prompt user to change password before expiration‘ is set to ‚between 5 and 14 days‘	Compliant	True
2.3.7.9	(L1) Ensure ‚Interactive logon: Smart card removal behavior‘ is set to ‚Lock Workstation‘ or higher	Compliant	True
2.3.8.1	(L1) Ensure ‚Microsoft network client: Digitally sign communications (always)‘ is set to ‚Enabled‘	Registry value is ‚0‘. Expected: 1	False
2.3.8.2	(L1) Ensure ‚Microsoft network client: Digitally sign communications (if server agrees)‘ is set to ‚Enabled‘	Compliant	True
2.3.8.3	(L1) Ensure ‚Microsoft network client: Send unencrypted password to third-party SMB servers‘ is set to ‚Disabled‘	Compliant	True
2.3.9.1	(L1) Ensure ‚Microsoft network server: Amount of idle time required before suspending session‘ is set to ’15 or fewer minute(s)‘	Compliant	True
2.3.9.2	(L1) Ensure ‚Microsoft network server: Digitally sign communications (always)‘ is set to ‚Enabled‘	Registry value is ‚0‘. Expected: 1	False
2.3.9.3	(L1) Ensure ‚Microsoft network server: Digitally sign communications (if client agrees)‘ is set to ‚Enabled‘	Registry value is ‚0‘. Expected: 1	False
2.3.9.4	(L1) Ensure ‚Microsoft network server: Disconnect clients when logon hours expire‘ is set to ‚Enabled‘	Compliant	True
2.3.9.5	(L1) Ensure ‚Microsoft network server: Server SPN target name validation level‘ is set to ‚Accept if provided by client‘ or higher	Compliant	True
5.1	(L2) Ensure ‚Bluetooth Audio Gateway Service (BTAGService)‘ is set to ‚Disabled‘	Registry value is ‚3‘. Expected: 4	False
5.10	(L1) Ensure ‚LxssManager (LxssManager)‘ is set to ‚Disabled‘ or ‚Not Installed‘	Compliant	True
5.11	(L1) Ensure ‚Microsoft FTP Service (FTPSVC)‘ is set to ‚Disabled‘ or ‚Not Installed‘	Compliant	True
5.12	(L2) Ensure ‚Microsoft iSCSI Initiator Service (MSiSCSI)‘ is set to ‚Disabled‘	Compliant	True
5.13	(L1) Ensure ‚OpenSSH SSH Server (sshd)‘ is set to ‚Disabled‘ or ‚Not Installed‘	Compliant	True
5.14	(L2) Ensure ‚Peer Name Resolution Protocol (PNRPsvc)‘ is set to ‚Disabled‘	Compliant	True
5.15	(L2) Ensure ‚Peer Networking Grouping (p2psvc)‘ is set to ‚Disabled‘	Compliant	True
5.16	(L2) Ensure ‚Peer Networking Identity Manager (p2pimsvc)‘ is set to ‚Disabled‘	Compliant	True
5.17	(L2) Ensure ‚PNRP Machine Name Publication Service (PNRPAutoReg)‘ is set to ‚Disabled‘	Compliant	True
5.18	(L2) Ensure ‚Print Spooler (Spooler)‘ is set to ‚Disabled‘ (MS only)	Registry value is ‚2‘. Expected: 4	False
5.19	(L2) Ensure ‚Problem Reports and Solutions Control Panel Support (wercplsupport)‘ is set to ‚Disabled‘	Compliant	True
5.2	(L2) Ensure ‚Bluetooth Support Service (bthserv)‘ is set to ‚Disabled‘	Registry value is ‚3‘. Expected: 4	False
5.20	(L2) Ensure ‚Remote Access Auto Connection Manager (RasAuto)‘ is set to ‚Disabled‘	Compliant	True
5.21	(L2) Ensure ‚Remote Desktop Configuration (SessionEnv)‘ is set to ‚Disabled‘	Compliant	True
5.22	(L2) Ensure ‚Remote Desktop Services (TermService)‘ is set to ‚Disabled‘	Compliant	True
5.23	(L2) Ensure ‚Remote Desktop Services UserMode Port Redirector (UmRdpService)‘ is set to ‚Disabled‘	Compliant	True
5.24	(L1) Ensure ‚Remote Procedure Call (RPC) Locator (RpcLocator)‘ is set to ‚Disabled‘	Compliant	True
5.25	(L2) Ensure ‚Remote Registry (RemoteRegistry)‘ is set to ‚Disabled‘	Compliant	True
5.26	(L1) Ensure ‚Routing and Remote Access (RemoteAccess)‘ is set to ‚Disabled‘	Compliant	True
5.27	(L2) Ensure ‚Server (LanmanServer)‘ is set to ‚Disabled‘	Compliant	True
5.28	(L1) Ensure ‚Simple TCP/IP Services (simptcp)‘ is set to ‚Disabled‘ or ‚Not Installed‘	Compliant	True
5.29	(L2) Ensure ‚SNMP Service (SNMP)‘ is set to ‚Disabled‘ or ‚Not Installed‘	Compliant	True
5.3	(L1) Ensure ‚Computer Browser (Browser)‘ is set to ‚Disabled‘ or ‚Not Installed‘	Compliant	True
5.30	(L1) Ensure ‚Special Administration Console Helper (sacsvr)‘ is set to ‚Disabled‘ or ‚Not Installed‘	Compliant	True
5.31	(L1) Ensure ‚SSDP Discovery (SSDPSRV)‘ is set to ‚Disabled‘	Compliant	True
5.32	(L1) Ensure ‚UPnP Device Host (upnphost)‘ is set to ‚Disabled‘	Compliant	True
5.33	(L1) Ensure ‚Web Management Service (WMSvc)‘ is set to ‚Disabled‘ or ‚Not Installed‘	Compliant	True
5.34	(L2) Ensure ‚Windows Error Reporting Service (WerSvc)‘ is set to ‚Disabled‘	Compliant	True
5.35	(L2) Ensure ‚Windows Event Collector (Wecsvc)‘ is set to ‚Disabled‘	Compliant	True
5.36	(L1) Ensure ‚Windows Media Player Network Sharing Service (WMPNetworkSvc)‘ is set to ‚Disabled‘ or ‚Not Installed‘	Compliant	True
5.37	(L1) Ensure ‚Windows Mobile Hotspot Service (icssvc)‘ is set to ‚Disabled‘	Compliant	True
5.38	(L2) Ensure ‚Windows Push Notifications System Service (WpnService)‘ is set to ‚Disabled‘	Compliant	True
5.39	(L2) Ensure ‚Windows PushToInstall Service (PushToInstall)‘ is set to ‚Disabled‘	Compliant	True
5.4	(L2) Ensure ‚Downloaded Maps Manager (MapsBroker)‘ is set to ‚Disabled‘	Compliant	True
5.40	(L2) Ensure ‚Windows Remote Management (WS-Management) (WinRM)‘ is set to ‚Disabled‘	Registry value is ‚2‘. Expected: 4	False
5.41	(L1) Ensure ‚World Wide Web Publishing Service (W3SVC)‘ is set to ‚Disabled‘ or ‚Not Installed‘	Compliant	True
5.42	(L1) Ensure ‚Xbox Accessory Management Service (XboxGipSvc)‘ is set to ‚Disabled‘	Compliant	True
5.43	(L1) Ensure ‚Xbox Live Auth Manager (XblAuthManager)‘ is set to ‚Disabled‘	Compliant	True
5.44	(L1) Ensure ‚Xbox Live Game Save (XblGameSave)‘ is set to ‚Disabled‘	Compliant	True
5.45	(L1) Ensure ‚Xbox Live Networking Service (XboxNetApiSvc)‘ is set to ‚Disabled‘	Compliant	True
5.5	(L2) Ensure ‚Geolocation Service (lfsvc)‘ is set to ‚Disabled‘	Compliant	True
5.6	(L1) Ensure ‚IIS Admin Service (IISADMIN)‘ is set to ‚Disabled‘ or ‚Not Installed‘	Compliant	True
5.7	(L1) Ensure ‚Infrared monitor service (irmon)‘ is set to ‚Disabled‘ or ‚Not Installed‘	Compliant	True
5.8	(L1) Ensure ‚Internet Connection Sharing (ICS) (SharedAccess)‘ is set to ‚Disabled‘	Compliant	True
5.9	(L2) Ensure ‚Link-Layer Topology Discovery Mapper (lltdsvc)‘ is set to ‚Disabled‘	Compliant	True
9.1.1	(L1) Ensure ‚Windows Firewall: Domain: Firewall state‘ is set to ‚On (recommended)‘	Compliant	True
9.1.2	(L1) Ensure ‚Windows Firewall: Domain: Inbound connections‘ is set to ‚Block (default)‘	Compliant	True
9.1.3	(L1) Ensure ‚Windows Firewall: Domain: Outbound connections‘ is set to ‚Allow (default)‘	Compliant	True
9.1.4	(L1) Ensure ‚Windows Firewall: Domain: Settings: Display a notification‘ is set to ‚No‘	Compliant	True
9.1.5	(L1) Ensure ‚Windows Firewall: Domain: Logging: Name‘ is set to ‚%SystemRoot%\System32\logfiles\firewall\domainfw.log‘	Compliant	True
9.1.6	(L1) Ensure ‚Windows Firewall: Domain: Logging: Size limit (KB)‘ is set to ‚16,384 KB or greater‘	Compliant	True
9.1.7	(L1) Ensure ‚Windows Firewall: Domain: Logging: Log dropped packets‘ is set to ‚Yes‘	Compliant	True
9.1.8	(L1) Ensure ‚Windows Firewall: Domain: Logging: Log successful connections‘ is set to ‚Yes‘	Compliant	True
9.2.1	(L1) Ensure ‚Windows Firewall: Private: Firewall state‘ is set to ‚On (recommended)‘	Compliant	True
9.2.2	(L1) Ensure ‚Windows Firewall: Private: Inbound connections‘ is set to ‚Block (default)‘	Compliant	True
9.2.3	(L1) Ensure ‚Windows Firewall: Private: Outbound connections‘ is set to ‚Allow (default)‘	Compliant	True
9.2.4	(L1) Ensure ‚Windows Firewall: Private: Settings: Display a notification‘ is set to ‚No‘	Compliant	True
9.2.5	(L1) Ensure ‚Windows Firewall: Private: Logging: Name‘ is set to ‚%SystemRoot%\System32\logfiles\firewall\privatefw.log‘	Compliant	True
9.2.6	(L1) Ensure ‚Windows Firewall: Private: Logging: Size limit (KB)‘ is set to ‚16,384 KB or greater‘	Compliant	True
9.2.7	(L1) Ensure ‚Windows Firewall: Private: Logging: Log dropped packets‘ is set to ‚Yes‘	Compliant	True
9.2.8	(L1) Ensure ‚Windows Firewall: Private: Logging: Log successful connections‘ is set to ‚Yes‘	Compliant	True
9.3.1	(L1) Ensure ‚Windows Firewall: Public: Firewall state‘ is set to ‚On (recommended)‘	Compliant	True
9.3.10	(L1) Ensure ‚Windows Firewall: Public: Logging: Log successful connections‘ is set to ‚Yes‘	Compliant	True
9.3.2	(L1) Ensure ‚Windows Firewall: Public: Inbound connections‘ is set to ‚Block (default)‘	Compliant	True
9.3.3	(L1) Ensure ‚Windows Firewall: Public: Outbound connections‘ is set to ‚Allow (default)‘	Compliant	True
9.3.4	(L1) Ensure ‚Windows Firewall: Public: Settings: Display a notification‘ is set to ‚No‘	Compliant	True
9.3.5	(L1) Ensure ‚Windows Firewall: Public: Settings: Apply local firewall rules‘ is set to ‚No‘	Compliant	True
9.3.6	(L1) Ensure ‚Windows Firewall: Public: Settings: Apply local connection security rules‘ is set to ‚No‘	Compliant	True
9.3.7	(L1) Ensure ‚Windows Firewall: Public: Logging: Name‘ is set to ‚%SystemRoot%\System32\logfiles\firewall\publicfw.log‘	Compliant	True
9.3.8	(L1) Ensure ‚Windows Firewall: Public: Logging: Size limit (KB)‘ is set to ‚16,384 KB or greater‘	Compliant	True
9.3.9	(L1) Ensure ‚Windows Firewall: Public: Logging: Log dropped packets‘ is set to ‚Yes‘	Compliant	True

User Rights Assignment–↑

Id	Task	Message	Status
2.2.1	(L1) Ensure ‚Access Credential Manager as a trusted caller‘ is set to ‚No One‘	Compliant	True
2.2.10	(L1) Ensure ‚Create a pagefile‘ is set to ‚Administrators‘	Compliant	True
2.2.11	(L1) Ensure ‚Create a token object‘ is set to ‚No One‘	Compliant	True
2.2.12	(L1) Ensure ‚Create global objects‘ is set to ‚Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE‘	Compliant	True
2.2.13	(L1) Ensure ‚Create permanent shared objects‘ is set to ‚No One‘	Compliant	True
2.2.14.1	(L1) Configure ‚Create symbolic links‘	The user ‚SeCreateSymbolicLinkPrivilege‘ setting does not contain the following users: NT VIRTUAL MACHINE\Virtual Machines	False
2.2.14.2	(L1) Configure ‚Create symbolic links‘ (Hyper-V feature not installed)	Compliant	True
2.2.15	(L1) Ensure ‚Debug programs‘ is set to ‚Administrators‘	The user ‚SeDebugPrivilege‘ setting does not contain the following users: BUILTIN\Administrators	False
2.2.16	(L1) Ensure ‚Deny access to this computer from the network‘ to include ‚Guests, Local account‘	Compliant	True
2.2.17	(L1) Ensure ‚Deny log on as a batch job‘ to include ‚Guests‘	Compliant	True
2.2.18	(L1) Ensure ‚Deny log on as a service‘ to include ‚Guests‘	Compliant	True
2.2.19	(L1) Ensure ‚Deny log on locally‘ to include ‚Guests‘	Compliant	True
2.2.2	(L1) Ensure ‚Access this computer from the network‘ is set to ‚Administrators, Remote Desktop Users‘	The user right ‚SeNetworkLogonRight‘ contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators The user ‚SeNetworkLogonRight‘ setting does not contain the following users: BUILTIN\Remote Desktop Users	False
2.2.20	(L1) Ensure ‚Deny log on through Remote Desktop Services‘ to include ‚Guests, Local account‘	Compliant	True
2.2.21	(L1) Ensure ‚Enable computer and user accounts to be trusted for delegation‘ is set to ‚No One‘	Compliant	True
2.2.22	(L1) Ensure ‚Force shutdown from a remote system‘ is set to ‚Administrators‘	Compliant	True
2.2.23	(L1) Ensure ‚Generate security audits‘ is set to ‚LOCAL SERVICE, NETWORK SERVICE‘	Compliant	True
2.2.24	(L1) Ensure ‚Impersonate a client after authentication‘ is set to ‚Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE‘	Compliant	True
2.2.25	(L1) Ensure ‚Increase scheduling priority‘ is set to ‚Administrators, Window Manager\Window Manager Group‘	Compliant	True
2.2.26	(L1) Ensure ‚Load and unload device drivers‘ is set to ‚Administrators‘	Compliant	True
2.2.27	(L1) Ensure ‚Lock pages in memory‘ is set to ‚No One‘	Compliant	True
2.2.28	(L2) Ensure ‚Log on as a batch job‘ is set to ‚Administrators‘	The user right ‚SeBatchLogonRight‘ contains following unexpected users: BUILTIN\Backup Operators, BUILTIN\Performance Log Users	False
2.2.29 A	(L2) Configure ‚Log on as a service‘	The user right ‚SeServiceLogonRight‘ contains following unexpected users: NT SERVICE\ALL SERVICES, NT VIRTUAL MACHINE\Virtual Machines	False
2.2.29 B	(L2) Configure ‚Log on as a service‘ (when the Hyper-V feature is installed)	The user ‚SeTrustedCredManAccessPrivilege‘ setting does not contain the following users: NT VIRTUAL MACHINE\Virtual Machines	False
2.2.3	(L1) Ensure ‚Act as part of the operating system‘ is set to ‚No One‘	Compliant	True
2.2.30	(L1) Ensure ‚Manage auditing and security log‘ is set to ‚Administrators‘	Compliant	True
2.2.31	(L1) Ensure ‚Modify an object label‘ is set to ‚No One‘	Compliant	True
2.2.32	(L1) Ensure ‚Modify firmware environment values‘ is set to ‚Administrators‘	Compliant	True
2.2.33	(L1) Ensure ‚Perform volume maintenance tasks‘ is set to ‚Administrators‘	Compliant	True
2.2.34	(L1) Ensure ‚Profile single process‘ is set to ‚Administrators‘	Compliant	True
2.2.35	(L1) Ensure ‚Profile system performance‘ is set to ‚Administrators, NT SERVICE\WdiServiceHost‘	Compliant	True
2.2.36	(L1) Ensure ‚Replace a process level token‘ is set to ‚LOCAL SERVICE, NETWORK SERVICE‘	Compliant	True
2.2.37	(L1) Ensure ‚Restore files and directories‘ is set to ‚Administrators‘	The user right ‚SeRestorePrivilege‘ contains following unexpected users: BUILTIN\Backup Operators	False
2.2.38	(L1) Ensure ‚Shut down the system‘ is set to ‚Administrators, Users‘	The user right ‚SeShutdownPrivilege‘ contains following unexpected users: BUILTIN\Backup Operators	False
2.2.39	(L1) Ensure ‚Take ownership of files or other objects‘ is set to ‚Administrators‘	Compliant	True
2.2.4	(L1) Ensure ‚Adjust memory quotas for a process‘ is set to ‚Administrators, LOCAL SERVICE, NETWORK SERVICE‘	Compliant	True
2.2.5	(L1) Ensure ‚Allow log on locally‘ is set to ‚Administrators, Users‘	The user right ‚SeInteractiveLogonRight‘ contains following unexpected users: Hostname1\OldGuest, BUILTIN\Backup Operators	False
2.2.6	(L1) Ensure ‚Allow log on through Remote Desktop Services‘ is set to ‚Administrators, Remote Desktop Users‘	Compliant	True
2.2.7	(L1) Ensure ‚Back up files and directories‘ is set to ‚Administrators‘	The user right ‚SeBackupPrivilege‘ contains following unexpected users: BUILTIN\Backup Operators	False
2.2.8	(L1) Ensure ‚Change the system time‘ is set to ‚Administrators, LOCAL SERVICE‘	Compliant	True
2.2.9	(L1) Ensure ‚Change the time zone‘ is set to ‚Administrators, LOCAL SERVICE, Users‘	Compliant	True

Account Policies–↑

Id	Task	Message	Status
1.1.1	(L1) Ensure ‚Enforce password history‘ is set to ’24 or more password(s)‘	Compliant	True
1.1.2	(L1) Ensure ‚Maximum password age‘ is set to ‚365 or fewer days, but not 0‘	Compliant	True
1.1.3	(L1) Ensure ‚Minimum password age‘ is set to ‚1 or more day(s)‘	Compliant	True
1.1.4	(L1) Ensure ‚Minimum password length‘ is set to ’14 or more character(s)‘	Compliant	True
1.1.5	(L1) Ensure ‚Password must meet complexity requirements‘ is set to ‚Enabled‘	Compliant	True
1.1.7	(L1) Ensure ‚Store passwords using reversible encryption‘ is set to ‚Disabled‘	Compliant	True
1.2.1	(L1) Ensure ‚Account lockout duration‘ is set to ’15 or more minute(s)‘	Compliant	True
1.2.2	(L1) Ensure ‚Account lockout threshold‘ is set to ‚5 or fewer invalid logon attempt(s), but not 0‘	‚LockoutBadCount‘ currently set to: 7. Expected: x <= 5 and x > 0	False
1.2.3	(L1) Ensure ‚Reset account lockout counter after‘ is set to ’15 or more minute(s)‘	Compliant	True

Advanced Audit Policy Configuration–↑

Id	Task	Message	Status
17.1.1	(L1) Ensure ‚Audit Credential Validation‘ is set to ‚Success and Failure‘	Compliant	True
17.2.1	(L1) Ensure ‚Audit Application Group Management‘ is set to ‚Success and Failure‘	Compliant	True
17.2.2	(L1) Ensure ‚Audit Security Group Management‘ is set to include ‚Success‘	Compliant	True
17.2.3	(L1) Ensure ‚Audit User Account Management‘ is set to ‚Success and Failure‘	Compliant	True
17.3.1	(L1) Ensure ‚Audit PNP Activity‘ is set to include ‚Success‘	Compliant	True
17.3.2	(L1) Ensure ‚Audit Process Creation‘ is set to include ‚Success‘	Compliant	True
17.5.1	(L1) Ensure ‚Audit Account Lockout‘ is set to include ‚Failure‘	Compliant	True
17.5.2	(L1) Ensure ‚Audit Group Membership‘ is set to include ‚Success‘	Compliant	True
17.5.3	(L1) Ensure ‚Audit Logoff‘ is set to include ‚Success‘	Compliant	True
17.5.4	(L1) Ensure ‚Audit Logon‘ is set to ‚Success and Failure‘	Compliant	True
17.5.5	(L1) Ensure ‚Audit Other Logon/Logoff Events‘ is set to ‚Success and Failure‘	Compliant	True
17.5.6	(L1) Ensure ‚Audit Special Logon‘ is set to include ‚Success‘	Compliant	True
17.6.1	(L1) Ensure ‚Audit Detailed File Share‘ is set to include ‚Failure‘	Compliant	True
17.6.2	(L1) Ensure ‚Audit File Share‘ is set to ‚Success and Failure‘	Compliant	True
17.6.3	(L1) Ensure ‚Audit Other Object Access Events‘ is set to ‚Success and Failure‘	Compliant	True
17.6.4	(L1) Ensure ‚Audit Removable Storage‘ is set to ‚Success and Failure‘	Compliant	True
17.7.1	(L1) Ensure ‚Audit Audit Policy Change‘ is set to include ‚Success‘	Compliant	True
17.7.2	(L1) Ensure ‚Audit Authentication Policy Change‘ is set to include ‚Success‘	Compliant	True
17.7.3	(L1) Ensure ‚Audit Authorization Policy Change‘ is set to include ‚Success‘	Compliant	True
17.7.4	(L1) Ensure ‚Audit MPSSVC Rule-Level Policy Change‘ is set to ‚Success and Failure‘	Compliant	True
17.7.5	(L1) Ensure ‚Audit Other Policy Change Events‘ is set to include ‚Failure‘	Compliant	True
17.8.1	(L1) Ensure ‚Audit Sensitive Privilege Use‘ is set to ‚Success and Failure‘	Compliant	True
17.9.1	(L1) Ensure ‚Audit IPsec Driver‘ is set to ‚Success and Failure‘	Compliant	True
17.9.2	(L1) Ensure ‚Audit Other System Events‘ is set to ‚Success and Failure‘	Compliant	True
17.9.3	(L1) Ensure ‚Audit Security State Change‘ is set to include ‚Success‘	Compliant	True
17.9.4	(L1) Ensure ‚Audit Security System Extension‘ is set to include ‚Success‘	Compliant	True
17.9.5	(L1) Ensure ‚Audit System Integrity‘ is set to ‚Success and Failure‘	Compliant	True