Almost all CIS tests for Windows 10 and 11 are automated with SmartProfiler for Windows Intune CIS Assessment.
Detailed reporting includes information about each CIS test and step-by-step recommendations to fix the issues found.
The assessment checks that all of the Intune settings recommended by CIS are configured on the target Windows devices.
The Windows 10/11 Intune CIS Assessment also checks whether the corresponding Intune policies (the CIS benchmark's GPO settings delivered as Intune configuration profiles) are configured in your Microsoft 365 tenant.
As part of your Windows 10/11 Intune CIS Assessment, validating the CIS settings both in the Intune admin center and on the devices themselves ensures that security best practices are not only configured but actually applied and enforced. A profile can be configured correctly and still never reach a device because of an assignment gap, an assignment filter, or a conflict with on-prem Group Policy; on a hybrid-joined or co-managed device a Group Policy setting wins over the equivalent MDM setting unless the ControlPolicyConflict/MDMWinsOverGP policy is enabled. Consistently monitoring and auditing policy deployments, and identifying which source (Intune or on-prem AD) delivered each setting, prevents such conflicts and keeps enforcement consistent across all devices as the settings evolve on both sides.
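The device-side half of that validation, as an added example that is not SmartProfiler's code: it reads the effective registry values and audit policy behind a sample of the CIS 3.0.1 settings listed further down, reports each as Pass, Fail or NotConfigured, and lists which Policy CSP areas were delivered by MDM (Intune) so you can tell an Intune-sourced setting from one set by Group Policy or left at the OS default. The registry paths and expected values are the documented backing values for the named settings; the script assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session.

```powershell
# Added example (not SmartProfiler code): spot-check CIS 3.0.1 settings on the
# local Windows 10/11 device via their backing registry values and auditpol.
# Assumption: run elevated; paths/values are the documented backing values.

$Checks = @(
    @{ Name = 'Network security: LAN Manager authentication level = NTLMv2 only, refuse LM & NTLM'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value = 'LmCompatibilityLevel'; Expect = 5 },
    @{ Name = 'Network security: Do not store LAN Manager hash value on next password change'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value = 'NoLMHash'; Expect = 1 },
    @{ Name = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value = 'RestrictAnonymous'; Expect = 1 },
    @{ Name = 'WDigest Authentication disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Value = 'UseLogonCredential'; Expect = 0 },
    @{ Name = 'Microsoft network server: Digitally sign communications (always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Value = 'RequireSecuritySignature'; Expect = 1 },
    @{ Name = 'Configure SMB v1 server disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Value = 'SMB1'; Expect = 0 },
    @{ Name = 'Turn off multicast name resolution (LLMNR)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Value = 'EnableMulticast'; Expect = 0 },
    @{ Name = 'Encryption Oracle Remediation = Force Updated Clients'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'; Value = 'AllowEncryptionOracle'; Expect = 0 },
    @{ Name = 'UAC: elevation prompt for standard users = Automatically deny'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Value = 'ConsentPromptBehaviorUser'; Expect = 0 },
    @{ Name = 'Apply UAC restrictions to local accounts on network logons'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Value = 'LocalAccountTokenFilterPolicy'; Expect = 0 },
    @{ Name = 'Turn on PowerShell Script Block Logging'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'; Value = 'EnableScriptBlockLogging'; Expect = 1 },
    @{ Name = 'Include command line in process creation events'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'; Value = 'ProcessCreationIncludeCmdLine_Enabled'; Expect = 1 }
)

function Test-CisRegistrySetting {
    param([Parameter(Mandatory)][hashtable]$Check)
    $actual = $null
    if (Test-Path -LiteralPath $Check.Path) {
        $item = Get-ItemProperty -LiteralPath $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.($Check.Value) }
    }
    # A missing value is NotConfigured, not Pass, even where the OS default is the
    # secure value: CIS expects the setting to be enforced, and an unset default can
    # be flipped later by any policy, installer or script without anyone noticing.
    $status = if ($null -eq $actual) { 'NotConfigured' } elseif ($actual -eq $Check.Expect) { 'Pass' } else { 'Fail' }
    [pscustomobject]@{ Setting = $Check.Name; Expected = $Check.Expect; Actual = $actual; Status = $status }
}

function Test-CisAuditSubcategory {
    param([Parameter(Mandatory)][string]$Subcategory, [Parameter(Mandatory)][string]$Expect)
    # auditpol /r emits CSV (with a leading blank line that ConvertFrom-Csv must not see).
    $row = auditpol /get /subcategory:"$Subcategory" /r |
        Where-Object { $_ -ne '' } | ConvertFrom-Csv | Select-Object -First 1
    $actual = if ($row) { $row.'Inclusion Setting' } else { $null }
    # 'Success' / 'Failure' expectations mean "include", so 'Success and Failure' also passes.
    $ok = ($actual -eq $Expect) -or ($Expect -in 'Success', 'Failure' -and $actual -eq 'Success and Failure')
    $status = if ($null -eq $actual) { 'NotConfigured' } elseif ($ok) { 'Pass' } else { 'Fail' }
    [pscustomobject]@{ Setting = "Audit $Subcategory"; Expected = $Expect; Actual = $actual; Status = $status }
}

function Get-MdmDeliveredPolicyAreas {
    # MDM-applied Policy CSP settings are mirrored here, one subkey per area (for
    # example LocalPoliciesSecurityOptions, Audit). A CIS setting whose area is
    # absent came from Group Policy, a script or the OS default, not from Intune.
    $base = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'
    if (Test-Path -LiteralPath $base) {
        Get-ChildItem -LiteralPath $base | Select-Object -ExpandProperty PSChildName
    }
}

$results  = @($Checks | ForEach-Object { Test-CisRegistrySetting -Check $_ })
$results += Test-CisAuditSubcategory -Subcategory 'Credential Validation' -Expect 'Success and Failure'
$results += Test-CisAuditSubcategory -Subcategory 'Logon' -Expect 'Success and Failure'
$results += Test-CisAuditSubcategory -Subcategory 'Security Group Management' -Expect 'Success'

$results | Format-Table Status, Setting, Expected, Actual -AutoSize
"MDM-delivered Policy CSP areas: $((Get-MdmDeliveredPolicyAreas) -join ', ')"

# Non-zero exit code lets a pipeline or an Intune remediation script flag drift.
$failed = @($results | Where-Object Status -ne 'Pass').Count
exit $failed
```

Run it as a script (the trailing `exit` would close an interactive console). Comparing the three columns side by side is the point: a Fail with the setting's Policy CSP area present under PolicyManager means Intune delivered a value that something else overrode, while a Fail with the area absent means the profile never reached the device at all.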
The idea as part of the Windows Intune GPO Assessment here is to:
The Center for Internet Security (CIS) is a nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.' It draws on the expertise of cybersecurity and IT professionals from government, business, and academia around the world, and develops its standards and best practices, including the CIS Benchmarks, CIS Controls, and hardened images, through a consensus decision-making model. SmartProfiler is designed to assess against the CIS Benchmarks for Microsoft 365, Azure and, on this page, Windows 10/11 managed with Intune.
SmartProfiler for Windows 10/11 Intune CIS Assessment requires a service principal with the necessary read-only permissions in order to execute all tests, if you want it to check the Intune policy configuration in your Microsoft 365 tenant.
SmartProfiler uses that Entra ID app registration to verify that all settings are configured correctly in the Intune admin center.
SmartProfiler uses Microsoft PowerShell modules and the Microsoft Graph API to perform the assessment, both in the Intune admin center and on the target devices.
SmartProfiler is a read-only product: no write operation is ever made to the target while it is being assessed.
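The tenant-side counterpart, as an added example rather than SmartProfiler's own code: an app-only, certificate-authenticated Microsoft Graph session that holds a single read permission and inventories the Windows Settings Catalog policies in the tenant, counting how many of each policy's settings fall in the areas CIS 3.0.1 draws on and whether the policy is assigned at all. The tenant ID, client ID and certificate thumbprint are placeholders; the app registration is assumed to have the application permission DeviceManagementConfiguration.Read.All with admin consent, the Microsoft.Graph.Authentication module (2.x) is assumed to be installed, and the setting-definition-id substrings are an assumption to confirm against your own tenant.

```powershell
# Added example (not SmartProfiler code): read-only, app-only inventory of the
# Intune Settings Catalog policies that carry CIS-relevant Windows settings.
# Assumptions: Entra ID app with application permission
# DeviceManagementConfiguration.Read.All, certificate credential, and the
# Microsoft.Graph.Authentication module 2.x. Parameters are placeholders.
param(
    [Parameter(Mandatory)][string]$TenantId,
    [Parameter(Mandatory)][string]$ClientId,
    [Parameter(Mandatory)][string]$CertificateThumbprint
)

# Certificate-based app-only auth: no user session, no client secret on disk,
# and a read-only permission, so the assessment cannot change the tenant.
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
    -CertificateThumbprint $CertificateThumbprint -NoWelcome

function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    # Follow @odata.nextLink so tenants with more than one page of policies are covered.
    $items = @()
    while ($Uri) {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# Settings Catalog definition ids look like device_vendor_msft_policy_config_<area>_<setting>.
# These area substrings (an assumption; confirm in your tenant) cover the CIS 3.0.1 sections:
# security options, user rights, audit policy, SMB, PowerShell logging, RDS and BitLocker.
$CisAreas = 'localpoliciessecurityoptions', 'userrights', 'audit_', 'localsecurityauthority',
            'lanmanworkstation', 'windowspowershell', 'remotedesktopservices', 'bitlocker'

$base = 'https://graph.microsoft.com/beta/deviceManagement'
$policies = Get-GraphCollection -Uri "$base/configurationPolicies" |
    Where-Object { $_.platforms -like '*windows10*' }

$report = foreach ($p in $policies) {
    $settings    = Get-GraphCollection -Uri "$base/configurationPolicies/$($p.id)/settings"
    $assignments = Get-GraphCollection -Uri "$base/configurationPolicies/$($p.id)/assignments"
    $ids     = @($settings | ForEach-Object { $_.settingInstance.settingDefinitionId })
    $cisHits = @($ids | Where-Object { $d = $_; $CisAreas | Where-Object { $d -like "*$_*" } })
    [pscustomobject]@{
        Policy      = $p.name
        Settings    = $ids.Count
        CisRelevant = $cisHits.Count
        # A policy with no assignment is configured but enforced nowhere; reviewing
        # only the admin center gives a false sense of coverage in that case.
        Assigned    = (@($assignments).Count -gt 0)
    }
}

$report | Sort-Object -Property CisRelevant -Descending | Format-Table -AutoSize
```

Two things to look for in the output: a policy with a high CisRelevant count and Assigned = False is the classic "configured but never deployed" finding, and a tenant where every CisRelevant count is zero usually means the hardening was pushed through legacy device configuration profiles or custom OMA-URI rather than the Settings Catalog, which this inventory does not cover and which the device-side check will still reveal.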
SmartProfiler for Windows 10/11 Intune CIS Assessment is simple to use and runs in four steps.
How long an assessment takes depends on the number of resources in the tenant; it typically takes about 1 hour to perform a Windows 10/11 Intune CIS Assessment for a tenant with 30 policies (GPOs).
SmartProfiler for Azure CIS Assessment is a read-only product.
Since SmartProfiler generates reports in Microsoft Word format, you can re-brand reports.
SmartProfiler is designed to support multiple Microsoft Azure Tenants. You can add unlimited Azure Tenants in the tool. However, each Azure Tenant requires a license before the assessment can be done.
Here is the list of tests included with SmartProfiler for Windows 10/11 Intune.
Category | CIS Version | Setting |
--- | --- | --- |
User Rights Assignment | CIS 3.0.1 | Ensure Access Credential Manager As Trusted Caller is set to No One |
User Rights Assignment | CIS 3.0.1 | Ensure Access From Network is set to Administrators-Remote Desktop Users |
User Rights Assignment | CIS 3.0.1 | Ensure Act As Part Of The Operating System is set to No One |
User Rights Assignment | CIS 3.0.1 | Ensure Allow Local Log On is set to Administrators-Users |
User Rights Assignment | CIS 3.0.1 | Ensure Backup Files And Directories is set to Administrators |
User Rights Assignment | CIS 3.0.1 | Ensure Change System Time is set to Administrators-LOCAL SERVICE |
User Rights Assignment | CIS 3.0.1 | Ensure Create Global Objects is set to Administrators-LOCAL SERVICE-NETWORK SERVICE-SERVICE |
User Rights Assignment | CIS 3.0.1 | Ensure Create Page File is set to Administrators |
User Rights Assignment | CIS 3.0.1 | Ensure Create Permanent Shared Objects is set to No One |
User Rights Assignment | CIS 3.0.1 | Configure Create Symbolic Links |
User Rights Assignment | CIS 3.0.1 | Ensure Create Token is set to No One |
User Rights Assignment | CIS 3.0.1 | Ensure Debug Programs is set to Administrators |
User Rights Assignment | CIS 3.0.1 | Ensure Deny Access From Network to include Guests-Local account |
User Rights Assignment | CIS 3.0.1 | Ensure Deny Local Log On to include Guests |
User Rights Assignment | CIS 3.0.1 | Ensure Deny Remote Desktop Services Log On to include Guests-Local account |
User Rights Assignment | CIS 3.0.1 | Ensure Enable Delegation is set to No One |
User Rights Assignment | CIS 3.0.1 | Ensure Generate Security Audits is set to LOCAL SERVICE-NETWORK SERVICE |
User Rights Assignment | CIS 3.0.1 | Ensure Impersonate Client is set to Administrators-LOCAL SERVICE-NETWORK SERVICE-SERVICE |
User Rights Assignment | CIS 3.0.1 | Ensure Increase Scheduling Priority is set to Administrators-Window Manager\Window Manager Group |
User Rights Assignment | CIS 3.0.1 | Ensure Load Unload Device Drivers is set to Administrators |
User Rights Assignment | CIS 3.0.1 | Ensure Lock Memory is set to No One |
User Rights Assignment | CIS 3.0.1 | Ensure Manage auditing and security log is set to Administrators |
User Rights Assignment | CIS 3.0.1 | Ensure Manage Volume is set to Administrators |
User Rights Assignment | CIS 3.0.1 | Ensure Modify Firmware Environment is set to Administrators |
User Rights Assignment | CIS 3.0.1 | Ensure Modify Object Label is set to No One |
User Rights Assignment | CIS 3.0.1 | Ensure Profile Single Process is set to Administrators |
User Rights Assignment | CIS 3.0.1 | Ensure Remote Shutdown is set to Administrators |
User Rights Assignment | CIS 3.0.1 | Ensure Restore Files And Directories is set to Administrators |
User Rights Assignment | CIS 3.0.1 | Ensure Take Ownership is set to Administrators |
Security Options | CIS 3.0.1 | Ensure Accounts-Block Microsoft accounts is set to Users can't add or log on with Microsoft accounts |
Security Options | CIS 3.0.1 | Ensure Accounts-Enable Guest account status is set to Disabled |
Security Options | CIS 3.0.1 | Ensure Accounts-Limit local account use of blank passwords to console logon only is set to Enabled |
Security Options | CIS 3.0.1 | Configure Accounts-Rename administrator account |
Security Options | CIS 3.0.1 | Configure Accounts-Rename guest account |
Security Options | CIS 3.0.1 | Ensure Devices-Prevent users from installing printer drivers when connecting to shared printers is set to Enabled |
Security Options | CIS 3.0.1 | Ensure Interactive logon-Do not display last signed-in is set to Enabled |
Security Options | CIS 3.0.1 | Ensure Interactive logon-Do not require CTRL+ALT+DEL is set to Disabled |
Security Options | CIS 3.0.1 | Ensure Interactive logon-Machine inactivity limit is set to 900 or fewer second(s)-but not 0 |
Security Options | CIS 3.0.1 | Configure Interactive logon-Message text for users attempting to log on |
Security Options | CIS 3.0.1 | Configure Interactive logon-Message title for users attempting to log on |
Security Options | CIS 3.0.1 | Ensure Interactive logon-Smart card removal behavior is set to Lock Workstation or higher |
Security Options | CIS 3.0.1 | Ensure Microsoft network client-Digitally sign communications (always) is set to Enabled |
Security Options | CIS 3.0.1 | Ensure Microsoft network client-Digitally sign communications (if server agrees) is set to Enabled |
Security Options | CIS 3.0.1 | Ensure Microsoft network client-Send unencrypted password to third-party SMB servers is set to Disabled |
Security Options | CIS 3.0.1 | Ensure Microsoft network server-Digitally sign communications (always) is set to Enabled |
Security Options | CIS 3.0.1 | Ensure Microsoft network server-Digitally sign communications (if client agrees) is set to Enabled |
Security Options | CIS 3.0.1 | Ensure Network access-Do not allow anonymous enumeration of SAM accounts is set to Enabled |
Security Options | CIS 3.0.1 | Ensure Network access-Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled |
Security Options | CIS 3.0.1 | Ensure Network access-Restrict anonymous access to Named Pipes and Shares is set to Enabled |
Security Options | CIS 3.0.1 | Ensure Network access-Restrict clients allowed to make remote calls to SAM is set to Administrators-Remote Access-Allow |
Security Options | CIS 3.0.1 | Ensure Network security-Allow Local System to use computer identity for NTLM is set to Allow |
Security Options | CIS 3.0.1 | Ensure Network Security-Allow PKU2U authentication requests is set to Block |
Security Options | CIS 3.0.1 | Ensure Network security-Do not store LAN Manager hash value on next password change is set to Enabled |
Security Options | CIS 3.0.1 | Ensure Network security-LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM & NTLM |
Security Options | CIS 3.0.1 | Ensure Network security-Minimum session security for NTLM SSP based (including secure RPC) clients is set to Require NTLM and 128-bit encryption |
Security Options | CIS 3.0.1 | Ensure Network security-Minimum session security for NTLM SSP based (including secure RPC) servers is set to Require NTLM and 128-bit encryption |
Security Options | CIS 3.0.1 | Ensure Network security-Restrict NTLM-Audit Incoming NTLM Traffic is set to Enable auditing for all accounts |
Security Options | CIS 3.0.1 | Ensure User Account Control-Behavior of the elevation prompt for administrators is set to Prompt for consent on the secure desktop or higher |
Security Options | CIS 3.0.1 | Ensure User Account Control-Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests |
Security Options | CIS 3.0.1 | Ensure User Account Control-Detect application installations and prompt for elevation is set to Enabled |
Security Options | CIS 3.0.1 | Ensure User Account Control-Only elevate UIAccess applications that are installed in secure locations is set to Enabled |
Security Options | CIS 3.0.1 | Ensure User Account Control-Use Admin Approval Mode is set to Enabled |
Security Options | CIS 3.0.1 | Ensure User Account Control-Switch to the secure desktop when prompting for elevation is set to Enabled |
Security Options | CIS 3.0.1 | Ensure User Account Control-Run all administrators in Admin Approval Mode is set to Enabled |
Security Options | CIS 3.0.1 | Ensure User Account Control-Virtualize file and registry write failures to per-user locations is set to Enabled |
Above Lock | CIS 3.0.1 | Ensure Allow Cortana Above Lock is set to Block |
Personalization | CIS 3.0.1 | Ensure Enable screen saver (User) is set to Enabled |
Personalization | CIS 3.0.1 | Ensure Prevent enabling lock screen camera is set to Enabled |
MS Security Guide | CIS 3.0.1 | Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled |
MS Security Guide | CIS 3.0.1 | Ensure Configure SMB v1 client driver is set to Enabled-Disable driver (recommended) |
MS Security Guide | CIS 3.0.1 | Ensure Configure SMB v1 server is set to Disabled |
MS Security Guide | CIS 3.0.1 | Ensure Enable Structured Exception Handling Overwrite Protection (SEHOP) is set to Enabled |
MS Security Guide | CIS 3.0.1 | Ensure WDigest Authentication is set to Disabled |
MSS (Legacy) | CIS 3.0.1 | Ensure MSS-(AutoAdminLogon) Enable Automatic Logon (not recommended) is set to Disabled |
MSS (Legacy) | CIS 3.0.1 | Ensure MSS-(DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) is set to Enabled-Highest protection-source routing is completely disabled |
MSS (Legacy) | CIS 3.0.1 | Ensure MSS-(DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) is set to Enabled-Highest protection-source routing is completely disabled |
MSS (Legacy) | CIS 3.0.1 | Ensure MSS-(DisableSavePassword) Prevent the dial-up password from being saved (recommended) is set to Enabled |
MSS (Legacy) | CIS 3.0.1 | Ensure MSS-(EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes is set to Disabled |
MSS (Legacy) | CIS 3.0.1 | Ensure MSS-(KeepAliveTime) How often keep-alive packets are sent in milliseconds is set to Enabled-300000 or 5 minutes (recommended) |
MSS (Legacy) | CIS 3.0.1 | Ensure MSS-(NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled |
MSS (Legacy) | CIS 3.0.1 | Ensure MSS-(PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) is set to Disabled |
MSS (Legacy) | CIS 3.0.1 | Ensure MSS-(SafeDllSearchMode) Enable Safe DLL search mode (recommended) is set to Enabled |
MSS (Legacy) | CIS 3.0.1 | Ensure MSS-(ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) is set to Enabled-5 or fewer seconds |
MSS (Legacy) | CIS 3.0.1 | Ensure MSS-(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted is set to Enabled-3 |
MSS (Legacy) | CIS 3.0.1 | Ensure MSS-(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted is set to Enabled-3 |
MSS (Legacy) | CIS 3.0.1 | Ensure MSS-(WarningLevel) Percentage threshold for the security event log at which the system will generate a warning is set to Enabled-90% or less |
DNS Client | CIS 3.0.1 | Ensure Turn off multicast name resolution is set to Enabled |
Link-Layer Topology Discovery | CIS 3.0.1 | Ensure Turn on Mapper I/O (LLTDIO) driver is set to Disabled |
Link-Layer Topology Discovery | CIS 3.0.1 | Ensure Turn on Responder (RSPNDR) driver is set to Disabled |
Network Connections | CIS 3.0.1 | Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled |
Network Connections | CIS 3.0.1 | Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled |
Network Connections | CIS 3.0.1 | Ensure Require domain users to elevate when setting a networks location is set to Enabled |
Network Provider | CIS 3.0.1 | Ensure Hardened UNC Paths is set to Enabled-with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares |
Windows Connect Now | CIS 3.0.1 | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled |
Windows Connect Now | CIS 3.0.1 | Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled |
Windows Connection Manager | CIS 3.0.1 | Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled-3 = Prevent Wi-Fi when on Ethernet |
Windows Connection Manager | CIS 3.0.1 | Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled |
Wireless Display | CIS 3.0.1 | Ensure Require PIN pairing is set to Enabled |
Printers | CIS 3.0.1 | Ensure Allow Print Spooler to accept client connections is set to Disabled |
Printers | CIS 3.0.1 | Ensure Point and Print Restrictions-When installing drivers for a new connection is set to Enabled-Show warning and elevation prompt |
Printers | CIS 3.0.1 | Ensure Point and Print Restrictions-When updating drivers for an existing connection is set to Enabled-Show warning and elevation prompt |
Notifications | CIS 3.0.1 | Ensure Turn off toast notifications on the lock screen (User) is set to Enabled |
Audit Process Creation | CIS 3.0.1 | Ensure Include command line in process creation events is set to Enabled |
Credentials Delegation | CIS 3.0.1 | Ensure Encryption Oracle Remediation is set to Enabled-Force Updated Clients |
Credentials Delegation | CIS 3.0.1 | Ensure Remote host allows delegation of non-exportable credentials is set to Enabled |
Device Installation Restrictions | CIS 3.0.1 | Ensure Prevent installation of devices that match any of these device IDs is set to Enabled |
Device Installation Restrictions | CIS 3.0.1 | (BL) Ensure Prevent installation of devices that match any of these device IDs-Also apply to matching devices that are already installed is set to True (checked) |
Device Installation Restrictions | CIS 3.0.1 | (BL) Ensure Prevent installation of devices that match any of these device IDs-Prevent installation of devices that match any of these device IDs is set to PCI\CC_0C0A |
Device Installation Restrictions | CIS 3.0.1 | (BL) Ensure Prevent installation of devices using drivers that match these device setup classes is set to Enabled |
Device Installation Restrictions | CIS 3.0.1 | (BL) Ensure Prevent installation of devices using drivers that match these device setup classes-Also apply to matching devices that are already installed is set to True (checked) |
Device Installation Restrictions | CIS 3.0.1 | (BL) Ensure Prevent installation of devices using drivers that match these device setup classes-Prevent installation of devices using drivers for these device setup is set to IEEE 1394 device setup classes |
Device Installation Restrictions | CIS 3.0.1 | Ensure Prevent device metadata retrieval from the Internet is set to Enabled |
Early Launch Antimalware | CIS 3.0.1 | Ensure Boot-Start Driver Initialization Policy is set to Enabled-Good-unknown and bad but critical |
Group Policy | CIS 3.0.1 | Ensure Configure registry policy processing-Do not apply during periodic background processing is set to Enabled-FALSE |
Group Policy | CIS 3.0.1 | Ensure Configure registry policy processing-Process even if the Group Policy objects have not changed is set to Enabled-TRUE |
Group Policy | CIS 3.0.1 | Ensure Configure security policy processing-Do not apply during periodic background processing is set to Enabled-FALSE |
Group Policy | CIS 3.0.1 | Ensure Configure security policy processing-Process even if the Group Policy objects have not changed is set to Enabled-TRUE |
Group Policy | CIS 3.0.1 | Ensure Continue experiences on this device is set to Disabled |
Group Policy | CIS 3.0.1 | Ensure Turn off background refresh of Group Policy is set to Disabled |
Internet Communication settings | CIS 3.0.1 | Ensure Turn off access to the Store is set to Enabled |
Internet Communication settings | CIS 3.0.1 | Ensure Turn off downloading of print drivers over HTTP is set to Enabled |
Internet Communication settings | CIS 3.0.1 | Ensure Turn off Help Experience Improvement Program (User) is set to Enabled |
Internet Communication settings | CIS 3.0.1 | Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled |
Internet Communication settings | CIS 3.0.1 | Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled |
Internet Communication settings | CIS 3.0.1 | Ensure Turn off printing over HTTP is set to Enabled |
Internet Communication settings | CIS 3.0.1 | Ensure Turn off Registration if URL connection is referring to Microsoft.com is set to Enabled |
Internet Communication settings | CIS 3.0.1 | Ensure Turn off Search Companion content file updates is set to Enabled |
Internet Communication settings | CIS 3.0.1 | Ensure Turn off the Order Prints picture task is set to Enabled |
Internet Communication settings | CIS 3.0.1 | Ensure Turn off the Publish to Web task for files and folders is set to Enabled |
Internet Communication settings | CIS 3.0.1 | Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled |
Internet Communication settings | CIS 3.0.1 | Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled |
Internet Communication settings | CIS 3.0.1 | Ensure Turn off Windows Error Reporting is set to Enabled |
Kerberos | CIS 3.0.1 | Ensure Support device authentication using certificate is set to Enabled-Automatic |
Locale Services | CIS 3.0.1 | Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled |
Logon | CIS 3.0.1 | Ensure Block user from showing account details on sign-in is set to Enabled |
Logon | CIS 3.0.1 | Ensure Do not display network selection UI is set to Enabled |
Logon | CIS 3.0.1 | Ensure Do not enumerate connected users on domain-joined computers is set to Enabled |
Logon | CIS 3.0.1 | Ensure Enumerate local users on domain-joined computers is set to Disabled |
Logon | CIS 3.0.1 | Ensure Turn off app notifications on the lock screen is set to Enabled |
Logon | CIS 3.0.1 | Ensure Turn off picture password sign-in is set to Enabled |
Logon | CIS 3.0.1 | Ensure Turn on convenience PIN sign-in is set to Disabled |
Sleep Settings | CIS 3.0.1 | Ensure Allow network connectivity during connected-standby (on battery) is set to Disabled |
Sleep Settings | CIS 3.0.1 | Ensure Allow network connectivity during connected-standby (plugged in) is set to Disabled |
Sleep Settings | CIS 3.0.1 | (BL) Ensure Allow standby states (S1-S3) when sleeping (on battery) is set to Disabled |
Sleep Settings | CIS 3.0.1 | (BL) Ensure Allow standby states (S1-S3) when sleeping (plugged in) is set to Disabled |
Sleep Settings | CIS 3.0.1 | Ensure Require a password when a computer wakes (on battery) is set to Enabled |
Sleep Settings | CIS 3.0.1 | Ensure Require a password when a computer wakes (plugged in) is set to Enabled |
Remote Assistance | CIS 3.0.1 | Ensure Configure Offer Remote Assistance is set to Disabled |
Remote Assistance | CIS 3.0.1 | Ensure Configure Solicited Remote Assistance is set to Disabled |
Remote Procedure Call | CIS 3.0.1 | Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled |
Remote Procedure Call | CIS 3.0.1 | Ensure Restrict Unauthenticated RPC clients is set to Enabled-Authenticated |
Microsoft Support Diagnostic Tool | CIS 3.0.1 | Ensure Microsoft Support Diagnostic Tool-Turn on MSDT interactive communication with support provider is set to Disabled |
Time Providers | CIS 3.0.1 | Ensure Enable Windows NTP Client is set to Enabled |
Time Providers | CIS 3.0.1 | Ensure Enable Windows NTP Server is set to Disabled |
App runtime | CIS 3.0.1 | Ensure Allow Microsoft accounts to be optional is set to Enabled |
App runtime | CIS 3.0.1 | Ensure Block launching Universal Windows apps with Windows Runtime API access from hosted content. is set to Enabled |
Attachment Manager | CIS 3.0.1 | Ensure Do not preserve zone information in file attachments (User) is set to Disabled |
Attachment Manager | CIS 3.0.1 | Ensure Notify antivirus programs when opening attachments (User) is set to Enabled |
AutoPlay Policies | CIS 3.0.1 | Ensure Disallow Autoplay for non-volume devices is set to Enabled |
AutoPlay Policies | CIS 3.0.1 | Ensure Set the default behavior for AutoRun is set to Enabled-Do not execute any autorun commands |
AutoPlay Policies | CIS 3.0.1 | Ensure Turn off Autoplay is set to Enabled-All drives |
Fixed Data Drives | CIS 3.0.1 | (BL) Ensure Choose how BitLocker-protected fixed drives can be recovered is set to Enabled |
Fixed Data Drives | CIS 3.0.1 | (BL) Ensure Choose how BitLocker-protected fixed drives can be recovered-Recovery Key is set to Enabled-Allow 256-bit recovery key |
Fixed Data Drives | CIS 3.0.1 | (BL) Ensure Choose how BitLocker-protected fixed drives can be recovered-Recovery Password is set to Enabled-Allow 48-digit recovery password |
Fixed Data Drives | CIS 3.0.1 | (BL) Ensure Choose how BitLocker-protected fixed drives can be recovered-Allow data recovery agent is set to Enabled-True |
Fixed Data Drives | CIS 3.0.1 | (BL) Ensure Choose how BitLocker-protected fixed drives can be recovered-Configure storage of BitLocker recovery information to AD DS is set to Enabled-Backup recovery passwords and key packages |
Fixed Data Drives | CIS 3.0.1 | (BL) Ensure Choose how BitLocker-protected fixed drives can be recovered-Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives is set to Enabled-False |
Fixed Data Drives | CIS 3.0.1 | (BL) Ensure Choose how BitLocker-protected fixed drives can be recovered-Omit recovery options from the BitLocker setup wizard is set to Enabled-True |
Fixed Data Drives | CIS 3.0.1 | (BL) Ensure Choose how BitLocker-protected fixed drives can be recovered-Save BitLocker recovery information to AD DS for fixed data drives is set to Enabled-False |
Operating System Drives | CIS 3.0.1 | (BL) Ensure Allow enhanced PINs for startup is set to Enabled |
Operating System Drives | CIS 3.0.1 | (BL) Ensure Choose how BitLocker-protected operating system drives can be recovered is set to Enabled |
Operating System Drives | CIS 3.0.1 | (BL) Ensure Choose how BitLocker-protected operating system drives can be recovered-Recovery Key is set to Enabled-Do not allow 256-bit recovery key |
Operating System Drives | CIS 3.0.1 | (BL) Ensure Choose how BitLocker-protected operating system drives can be recovered-Recovery Password is set to Enabled-Require 48-digit recovery password |
Operating System Drives | CIS 3.0.1 | (BL) Ensure Choose how BitLocker-protected operating system drives can be recovered-Allow data recovery agent is set to Enabled-False |
Operating System Drives | CIS 3.0.1 | (BL) Ensure Choose how BitLocker-protected operating system drives can be recovered-Configure storage of BitLocker recovery information to AD DS is set to Enabled-Store recovery passwords and key packages |
Operating System Drives | CIS 3.0.1 | (BL) Ensure Choose how BitLocker-protected operating system drives can be recovered-Do not enable BitLocker until recovery information is stored to AD DS for operating system drives is set to Enabled-True |
Operating System Drives | CIS 3.0.1 | (BL) Ensure Choose how BitLocker-protected operating system drives can be recovered-Omit recovery options from the BitLocker setup wizard is set to Enabled-True |
Operating System Drives | CIS 3.0.1 | (BL) Ensure Choose how BitLocker-protected operating system drives can be recovered-Save BitLocker recovery information to AD DS for operating system drives is set to Enabled-True |
Operating System Drives | CIS 3.0.1 | (BL) Ensure Require additional authentication at startup is set to Enabled |
Operating System Drives | CIS 3.0.1 | (BL) Ensure Require additional authentication at startup-Allow BitLocker without a compatible TPM is set to Enabled-False |
Operating System Drives | CIS 3.0.1 | (BL) Ensure Require additional authentication at startup-Configure TPM startup key and PIN-is set to Enabled-Do not allow startup key and PIN with TPM |
Operating System Drives | CIS 3.0.1 | (BL) Ensure Require additional authentication at startup-Configure TPM startup key-is set to Enabled-Do not allow startup key with TPM |
Operating System Drives | CIS 3.0.1 | (BL) Ensure Require additional authentication at startup-Configure TPM startup PIN-is set to Enabled-Require startup PIN with TPM |
Operating System Drives | CIS 3.0.1 | (BL) Ensure Require additional authentication at startup-Configure TPM startup is set to Enabled-Do not allow TPM |
Removable Data Drives | CIS 3.0.1 | (BL) Ensure Deny write access to removable drives not protected by BitLocker is set to Enabled |
Removable Data Drives | CIS 3.0.1 | (BL) Ensure Deny write access to removable drives not protected by BitLocker-Do not allow write access to devices configured in another organization is set to Enabled-False |
Credential User Interface | CIS 3.0.1 | Ensure Do not display the password reveal button is set to Enabled |
Credential User Interface | CIS 3.0.1 | Ensure Enumerate administrator accounts on elevation is set to Disabled |
Credential User Interface | CIS 3.0.1 | Ensure Prevent the use of security questions for local accounts is set to Enabled |
Event Log Service (Application) | CIS 3.0.1 | Ensure Control Event Log behavior when the log file reaches its maximum size is set to Disabled |
Event Log Service (Application) | CIS 3.0.1 | Ensure Specify the maximum log file size (KB) is set to Enabled-32,768 or greater |
Event Log Service (Security) | CIS 3.0.1 | Ensure Control Event Log behavior when the log file reaches its maximum size is set to Disabled |
Event Log Service (Security) | CIS 3.0.1 | Ensure Specify the maximum log file size (KB) is set to Enabled-196,608 or greater |
Remote Desktop Services (Security) | CIS 3.0.1 | Ensure Always prompt for password upon connection is set to Enabled |
Remote Desktop Services (Security) | CIS 3.0.1 | Ensure Require secure RPC communication is set to Enabled |
Remote Desktop Services (Security) | CIS 3.0.1 | Ensure Require use of specific security layer for remote (RDP) connections is set to Enabled-SSL |
Remote Desktop Services (Security) | CIS 3.0.1 | Ensure Require user authentication for remote connections by using Network Level Authentication is set to Enabled |
Remote Desktop Services (Security) | CIS 3.0.1 | Ensure Set client connection encryption level is set to Enabled-High Level |
Event Log Service (Setup) | CIS 3.0.1 | Ensure Control Event Log behavior when the log file reaches its maximum size is set to Disabled |
Event Log Service (Setup) | CIS 3.0.1 | Ensure Specify the maximum log file size (KB) is set to Enabled-32,768 or greater |
File Explorer | CIS 3.0.1 | Ensure Configure Windows Defender SmartScreen is set to Enabled-Warn and prevent bypass |
File Explorer | CIS 3.0.1 | Ensure Turn off Data Execution Prevention for Explorer is set to Disabled |
File Explorer | CIS 3.0.1 | Ensure Turn off heap termination on corruption is set to Disabled |
File Explorer | CIS 3.0.1 | Ensure Turn off shell protocol protected mode is set to Disabled |
Home Group | CIS 3.0.1 | Ensure Prevent the computer from joining a homegroup is set to Enabled |
Internet Explorer | CIS 3.0.1 | Ensure Disable Internet Explorer 11 as a standalone browser is set to Enabled-Always |
Microsoft Account | CIS 3.0.1 | Ensure Block all consumer Microsoft account user authentication is set to Enabled |
MAPS | CIS 3.0.1 | Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled |
MAPS | CIS 3.0.1 | Ensure Join Microsoft MAPS is set to Disabled |
Reporting | CIS 3.0.1 | Ensure Configure Watson events is set to Disabled |
Microsoft Defender Antivirus | CIS 3.0.1 | Ensure Turn off Microsoft Defender Antivirus is set to Disabled |
Network Sharing | CIS 3.0.1 | Ensure Prevent users from sharing files within their profile. (User) is set to Enabled |
Push To Install | CIS 3.0.1 | Ensure Turn off Push To Install service is set to Enabled |
Remote Desktop Connection Client | CIS 3.0.1 | Ensure Do not allow passwords to be saved is set to Enabled |
Connections | CIS 3.0.1 | Ensure Allow users to connect remotely by using Remote Desktop Services is set to Disabled |
Device and Resource Redirection | CIS 3.0.1 | Ensure Do not allow COM port redirection is set to Enabled |
Device and Resource Redirection | CIS 3.0.1 | Ensure Do not allow drive redirection is set to Enabled |
Device and Resource Redirection | CIS 3.0.1 | Ensure Do not allow LPT port redirection is set to Enabled |
Device and Resource Redirection | CIS 3.0.1 | Ensure Do not allow supported Plug and Play device redirection is set to Enabled |
Session Time Limits | CIS 3.0.1 | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled-15 minutes or less-but not Never (0) |
Session Time Limits | CIS 3.0.1 | Ensure Set time limit for disconnected sessions is set to Enabled-1 minute |
Temporary folders | CIS 3.0.1 | Ensure Do not delete temp folders upon exit is set to Disabled |
RSS Feeds | CIS 3.0.1 | Ensure Prevent downloading of enclosures is set to Enabled |
Store | CIS 3.0.1 | Ensure Turn off the offer to update to the latest version of Windows is set to Enabled |
Store | CIS 3.0.1 | Ensure Turn off the Store application is set to Enabled |
Windows Installer | CIS 3.0.1 | Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled |
Windows Logon Options | CIS 3.0.1 | Ensure Sign-in and lock last interactive user automatically after a restart is set to Disabled |
Playback | CIS 3.0.1 | Ensure Prevent Codec Download (User) is set to Enabled |
Windows PowerShell | CIS 3.0.1 | Ensure Turn on PowerShell Script Block Logging is set to Enabled |
Windows PowerShell | CIS 3.0.1 | Ensure Turn on PowerShell Transcription is set to Enabled |
WinRM Client | CIS 3.0.1 | Ensure Allow Basic authentication is set to Disabled |
WinRM Client | CIS 3.0.1 | Ensure Allow unencrypted traffic is set to Disabled |
WinRM Client | CIS 3.0.1 | Ensure Disallow Digest authentication is set to Enabled |
WinRM Service | CIS 3.0.1 | Ensure Allow Basic authentication is set to Disabled |
WinRM Service | CIS 3.0.1 | Ensure Allow remote server management through WinRM is set to Disabled |
WinRM Service | CIS 3.0.1 | Ensure Allow unencrypted traffic is set to Disabled |
WinRM Service | CIS 3.0.1 | Ensure Disallow WinRM from storing RunAs credentials is set to Enabled |
Windows Remote Shell | CIS 3.0.1 | Ensure Allow Remote Shell Access is set to Disabled |
Auditing | CIS 3.0.1 | Ensure Account Logon Audit Credential Validation is set to Success and Failure |
Auditing | CIS 3.0.1 | Ensure Account Logon Logoff Audit Account Lockout is set to include Failure |
Auditing | CIS 3.0.1 | Ensure Account Logon Logoff Audit Group Membership is set to include Success |
Auditing | CIS 3.0.1 | Ensure Account Logon Logoff Audit Logoff is set to include Success |
Auditing | CIS 3.0.1 | Ensure Account Logon Logoff Audit Logon is set to Success and Failure |
Auditing | CIS 3.0.1 | Ensure Account Management Audit Application Group Management is set to Success and Failure |
Auditing | CIS 3.0.1 | Ensure Audit Authentication Policy Change is set to include Success |
Auditing | CIS 3.0.1 | Ensure Audit Authorization Policy Change is set to include Success |
Auditing | CIS 3.0.1 | Ensure Audit Changes to Audit Policy is set to include Success |
Auditing | CIS 3.0.1 | Ensure Audit File Share Access is set to Success and Failure |
Auditing | CIS 3.0.1 | Ensure Audit Other Logon Logoff Events is set to Success and Failure |
Auditing | CIS 3.0.1 | Ensure Audit Security Group Management is set to include Success |
Auditing | CIS 3.0.1 | Ensure Audit Security System Extension is set to include Success |
Auditing | CIS 3.0.1 | Ensure Audit Special Logon is set to include Success |
Auditing | CIS 3.0.1 | Ensure Audit User Account Management is set to Success and Failure |
Auditing | CIS 3.0.1 | Ensure Detailed Tracking Audit PNP Activity is set to include Success |
Auditing | CIS 3.0.1 | Ensure Detailed Tracking Audit Process Creation is set to include Success |
Auditing | CIS 3.0.1 | Ensure Object Access Audit Detailed File Share is set to include Failure |
Auditing | CIS 3.0.1 | Ensure Object Access Audit Other Object Access Events is set to Success and Failure |
Auditing | CIS 3.0.1 | Ensure Object Access Audit Removable Storage is set to Success and Failure |
Auditing | CIS 3.0.1 | Ensure Policy Change Audit MPSSVC Rule Level Policy Change is set to Success and Failure |
Auditing | CIS 3.0.1 | Ensure Policy Change Audit Other Policy Change Events is set to include Failure |
Auditing | CIS 3.0.1 | Ensure Privilege Use Audit Sensitive Privilege Use is set to Success and Failure |
Auditing | CIS 3.0.1 | Ensure System Audit IPsec Driver is set to Success and Failure |
Auditing | CIS 3.0.1 | Ensure System Audit Other System Events is set to Success and Failure |
Auditing | CIS 3.0.1 | Ensure System Audit Security State Change is set to include Success |
Auditing | CIS 3.0.1 | Ensure System Audit System Integrity is set to Success and Failure |
Camera | CIS 3.0.1 | Ensure Allow Camera is set to Not allowed |
Defender | CIS 3.0.1 | Ensure Allow Behavior Monitoring is set to Allowed |
Defender | CIS 3.0.1 | Ensure Allow Email Scanning is set to Allowed |
Defender | CIS 3.0.1 | Ensure Allow Full Scan Removable Drive Scanning is set to Allowed |
Defender | CIS 3.0.1 | Ensure Allow Realtime Monitoring is set to Allowed |
Defender | CIS 3.0.1 | Ensure Allow scanning of all downloaded files and attachments is set to Allowed |
Defender | CIS 3.0.1 | Ensure Allow Script Scanning is set to Allowed |
Defender | CIS 3.0.1 | Ensure Attack Surface Reduction rules are configured |
Defender | CIS 3.0.1 | Ensure Enable File Hash Computation is set to Enable |
Defender | CIS 3.0.1 | Ensure Enable Network Protection is set to Enabled (block mode) |
Defender | CIS 3.0.1 | Ensure PUA Protection is set to PUA Protection on |
Delivery Optimization | CIS 3.0.1 | Ensure DO Download Mode is NOT set to HTTP blended with Internet Peering |
Device Guard | CIS 3.0.1 | (NG) Ensure Enable Virtualization Based Security is set to Enable virtualization based security |
Device Guard | CIS 3.0.1 | (NG) Ensure Require Platform Security Features is set to Turns on VBS with Secure Boot or higher |
Device Guard | CIS 3.0.1 | (NG) Ensure Credential Guard is set to Enabled with UEFI lock |
Device Guard | CIS 3.0.1 | (NG) Ensure Configure System Guard Launch is set to Unmanaged Enables Secure Launch if supported by hardware |
Device Lock | CIS 3.0.1 | Ensure Alphanumeric Device Password Required is set to Password-Numeric PIN-or Alphanumeric PIN required |
Device Lock | CIS 3.0.1 | Ensure Device Password Expiration is set to 365 or fewer days-but not 0 |
Device Lock | CIS 3.0.1 | Ensure Device Password History is set to 24 or more password(s) |
Device Lock | CIS 3.0.1 | Ensure Min Device Password Complex Characters is set to Digits lowercase letters and uppercase letters are required |
Device Lock | CIS 3.0.1 | Ensure Min Device Password Length is set to 14 or more character(s) |
Device Lock | CIS 3.0.1 | Ensure Minimum Password Age is set to 1 or more day(s) |
Experience | CIS 3.0.1 | Ensure Allow Cortana is set to Block |
Experience | CIS 3.0.1 | Ensure Allow Windows Spotlight (User) is set to Block |
Experience | CIS 3.0.1 | Ensure Do not show feedback notifications is set to Feedback notifications are disabled |
Experience | CIS 3.0.1 | Ensure Disable Consumer Account State Content is set to Enabled |
Experience | CIS 3.0.1 | Ensure Allow Spotlight Collection (User) is set to 0 |
Feeds | CIS 3.0.1 | Ensure Enable news and interests is set to Not Allowed |
Firewall | CIS 3.0.1 | Ensure Enable Domain Network Firewall is set to True |
Firewall | CIS 3.0.1 | Ensure Enable Domain Network Firewall-Default Inbound Action for Domain Profile is set to Block |
Firewall | CIS 3.0.1 | Ensure Enable Domain Network Firewall-Disable Inbound Notifications is set to True |
Firewall | CIS 3.0.1 | Ensure Enable Domain Network Firewall-Enable Log Dropped Packets is set to Yes-Enable Logging Of Dropped Packets |
Firewall | CIS 3.0.1 | Ensure Enable Domain Network Firewall-Enable Log Success Connections is set to Enable Logging Of Successful Connections |
Firewall | CIS 3.0.1 | Ensure Enable Domain Network Firewall-Log File Path is set to %SystemRoot%\System32\logfiles\firewall\domainfw.log |
Firewall | CIS 3.0.1 | Ensure Enable Domain Network Firewall-Log Max File Size is set to 16,384 KB or greater |
Firewall | CIS 3.0.1 | Ensure Enable Private Network Firewall is set to True |
Firewall | CIS 3.0.1 | Ensure Enable Private Network Firewall-Default Inbound Action for Private Profile is set to Block |
Firewall | CIS 3.0.1 | Ensure Enable Private Network Firewall-Disable Inbound Notifications is set to True |
Firewall | CIS 3.0.1 | Ensure Enable Private Network Firewall-Enable Log Success Connections is set to Enable Logging Of Successful Connections |
Firewall | CIS 3.0.1 | Ensure Enable Private Network Firewall-Enable Log Dropped Packets is set to Yes-Enable Logging Of Dropped Packets |
Firewall | CIS 3.0.1 | Ensure Enable Private Network Firewall-Log File Path is set to %SystemRoot%\System32\logfiles\firewall\privatefw.log |
Firewall | CIS 3.0.1 | Ensure Enable Private Network Firewall-Log Max File Size is set to 16,384 KB or greater |
Firewall | CIS 3.0.1 | Ensure Enable Public Network Firewall is set to True |
Firewall | CIS 3.0.1 | Ensure Enable Public Network Firewall-Allow Local Ipsec Policy Merge is set to False |
Firewall | CIS 3.0.1 | Ensure Enable Public Network Firewall-Allow Local Policy Merge is set to False |
Firewall | CIS 3.0.1 | Ensure Enable Public Network Firewall-Default Inbound Action for Public Profile is set to Block |
Firewall | CIS 3.0.1 | Ensure Enable Public Network Firewall-Disable Inbound Notifications is set to True |
Firewall | CIS 3.0.1 | Ensure Enable Public Network Firewall-Enable Log Dropped Packets is set to Yes-Enable Logging Of Dropped Packets |
Firewall | CIS 3.0.1 | Ensure Enable Public Network Firewall-Enable Log Success Connections is set to Enable Logging Of Successful Connections |
Firewall | CIS 3.0.1 | Ensure Enable Public Network Firewall-Log File Path is set to %SystemRoot%\System32\logfiles\firewall\publicfw.log |
Firewall | CIS 3.0.1 | Ensure Enable Public Network Firewall-Log Max File Size is set to 16,384 KB or greater |
Lanman Workstation | CIS 3.0.1 | Ensure Enable insecure guest logons is set to Disabled |
Licensing | CIS 3.0.1 | Ensure Disallow KMS Client Online AVS Validation is set to Allow |
Microsoft App Store | CIS 3.0.1 | Ensure Allow apps from the Microsoft app store to auto update is set to Allowed |
Microsoft App Store | CIS 3.0.1 | Ensure Allow Game DVR is set to Block |
Microsoft App Store | CIS 3.0.1 | Ensure Disable Store Originated Apps is set to Enabled |
Microsoft App Store | CIS 3.0.1 | Ensure MSI Allow user control over installs is set to Disabled |
Microsoft App Store | CIS 3.0.1 | Ensure MSI Always install with elevated privileges is set to Disabled |
Microsoft App Store | CIS 3.0.1 | Ensure MSI Always install with elevated privileges (User) is set to Disabled |
Microsoft App Store | CIS 3.0.1 | Ensure Require Private Store Only is set to Only Private store is enabled |
Privacy | CIS 3.0.1 | Ensure Allow Cross Device Clipboard is set to Block |
Privacy | CIS 3.0.1 | Ensure Allow Input Personalization is set to Block |
Privacy | CIS 3.0.1 | Ensure Disable Advertising ID is set to Enabled |
Privacy | CIS 3.0.1 | Ensure Let Apps Activate With Voice Above Lock is set to Enabled-Force Deny |
Privacy | CIS 3.0.1 | Ensure Upload User Activities is set to Disabled |
Search | CIS 3.0.1 | Ensure Allow Cloud Search is set to Not allowed |
Search | CIS 3.0.1 | Ensure Allow Indexing Encrypted Stores Or Items is set to Block |
Search | CIS 3.0.1 | Ensure Allow Search To Use Location is set to Block |
Search | CIS 3.0.1 | Ensure Allow search highlights is set to 0 |
Settings | CIS 3.0.1 | Ensure Allow Online Tips is set to Block |
Enhanced Phishing Protection | CIS 3.0.1 | Ensure Notify Malicious is set to Enabled |
Enhanced Phishing Protection | CIS 3.0.1 | Ensure Notify Password Reuse is set to Enabled |
Enhanced Phishing Protection | CIS 3.0.1 | Ensure Notify Unsafe App is set to Enabled |
Enhanced Phishing Protection | CIS 3.0.1 | Ensure Service Enabled is set to Enabled |
System | CIS 3.0.1 | Ensure Allow Telemetry is set to Basic |
System | CIS 3.0.1 | Ensure Allow Font Providers is set to Not allowed |
System | CIS 3.0.1 | Ensure Disable One Drive File Sync is set to Sync Disabled |
System | CIS 3.0.1 | Ensure Enable OneSettings Auditing is set to Enabled |
System | CIS 3.0.1 | Ensure Limit Diagnostic Log Collection is set to Enabled |
System | CIS 3.0.1 | Ensure Limit Dump Collection is set to Enabled |
System | CIS 3.0.1 | Ensure Control Event Log behavior when the log file reaches its maximum size is set to Disabled |
System | CIS 3.0.1 | Ensure Specify the maximum log file size (KB) is set to Enabled-32,768 or greater |
System Services | CIS 3.0.1 | Ensure Bluetooth Audio Gateway Service (BTAGService) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Bluetooth Support Service (bthserv) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Computer Browser (Browser) is set to Disabled or Not Installed |
System Services | CIS 3.0.1 | Ensure Downloaded Maps Manager (MapsBroker) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Geolocation Service (lfsvc) is set to Disabled |
System Services | CIS 3.0.1 | Ensure IIS Admin Service (IISADMIN) is set to Disabled or Not Installed |
System Services | CIS 3.0.1 | Ensure Infrared monitor service (irmon) is set to Disabled or Not Installed |
System Services | CIS 3.0.1 | Ensure Internet Connection Sharing (ICS) (SharedAccess) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Link-Layer Topology Discovery Mapper (lltdsvc) is set to Disabled |
System Services | CIS 3.0.1 | Ensure LxssManager (LxssManager) is set to Disabled or Not Installed |
System Services | CIS 3.0.1 | Ensure Microsoft FTP Service (FTPSVC) is set to Disabled or Not Installed |
System Services | CIS 3.0.1 | Ensure Microsoft iSCSI Initiator Service (MSiSCSI) is set to Disabled |
System Services | CIS 3.0.1 | Ensure OpenSSH SSH Server (sshd) is set to Disabled or Not Installed |
System Services | CIS 3.0.1 | Ensure Peer Name Resolution Protocol (PNRPsvc) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Peer Networking Grouping (p2psvc) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Peer Networking Identity Manager (p2pimsvc) is set to Disabled |
System Services | CIS 3.0.1 | Ensure PNRP Machine Name Publication Service (PNRPAutoReg) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Print Spooler (Spooler) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Problem Reports and Solutions Control Panel Support (wercplsupport) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Remote Access Auto Connection Manager (RasAuto) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Remote Desktop Configuration (SessionEnv) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Remote Desktop Services (TermService) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Remote Desktop Services UserMode Port Redirector (UmRdpService) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Remote Procedure Call (RPC) Locator (RpcLocator) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Remote Registry (RemoteRegistry) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Routing and Remote Access (RemoteAccess) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Server (LanmanServer) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Simple TCP/IP Services (simptcp) is set to Disabled or Not Installed |
System Services | CIS 3.0.1 | Ensure SNMP Service (SNMP) is set to Disabled or Not Installed |
System Services | CIS 3.0.1 | Ensure Special Administration Console Helper (sacsvr) is set to Disabled or Not Installed |
System Services | CIS 3.0.1 | Ensure SSDP Discovery (SSDPSRV) is set to Disabled |
System Services | CIS 3.0.1 | Ensure UPnP Device Host (upnphost) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Web Management Service (WMSvc) is set to Disabled or Not Installed |
System Services | CIS 3.0.1 | Ensure Windows Error Reporting Service (WerSvc) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Windows Event Collector (Wecsvc) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Windows Media Player Network Sharing Service (WMPNetworkSvc) is set to Disabled or Not Installed |
System Services | CIS 3.0.1 | Ensure Windows Mobile Hotspot Service (icssvc) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Windows Push Notifications System Service (WpnService) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Windows PushToInstall Service (PushToInstall) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Windows Remote Management (WS-Management) (WinRM) is set to Disabled |
System Services | CIS 3.0.1 | Ensure World Wide Web Publishing Service (W3SVC) is set to Disabled or Not Installed |
System Services | CIS 3.0.1 | Ensure Xbox Accessory Management Service (XboxGipSvc) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Xbox Live Auth Manager (XblAuthManager) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Xbox Live Game Save (XblGameSave) is set to Disabled |
System Services | CIS 3.0.1 | Ensure Xbox Live Networking Service (XboxNetApiSvc) is set to Disabled |
Virtualization Based Technology | CIS 3.0.1 | Ensure Hypervisor Enforced Code Integrity is set to Enabled with UEFI lock |
Virtualization Based Technology | CIS 3.0.1 | Ensure Require UEFI Memory Attributes Table is set to Require UEFI Memory Attributes Table |
Widgets | CIS 3.0.1 | Ensure Allow widgets is set to Not allowed |
Windows Defender Security Center | CIS 3.0.1 | Ensure Disallow Exploit Protection Override is set to Enable |
Windows Hello For Business | CIS 3.0.1 | Ensure Facial Features Use Enhanced Anti Spoofing is set to true |
Windows Hello For Business | CIS 3.0.1 | Ensure Minimum PIN Length is set to 6 or more character(s) |
Windows Hello For Business | CIS 3.0.1 | Ensure Require Security Device is set to true |
Windows Ink Workspace | CIS 3.0.1 | Ensure Allow suggested apps in Windows Ink Workspace is set to Block |
Windows Ink Workspace | CIS 3.0.1 | Ensure Allow Windows Ink Workspace is set to Enabled-but the user can't access it above the lock screen OR Disabled |
Windows Update For Business | CIS 3.0.1 | Ensure Allow Auto Update is set to Enabled |
Windows Update For Business | CIS 3.0.1 | Ensure Defer Feature Updates Period in Days is set to Enabled-180 or more days |
Windows Update For Business | CIS 3.0.1 | Ensure Defer Quality Updates Period (Days) is set to Enabled-0 days |
Windows Update For Business | CIS 3.0.1 | Ensure Manage preview builds is set to Disable Preview builds |
Windows Update For Business | CIS 3.0.1 | Ensure Scheduled Install Day is set to Every day |
Windows Update For Business | CIS 3.0.1 | Ensure Block Pause Updates ability is set to Block |
Windows LAPS | CIS 3.0.1 | Ensure Backup Directory is set to Backup the password to Azure AD only |
Windows LAPS | CIS 3.0.1 | Ensure Password Age Days is set to Configured-30 or fewer |
Windows LAPS | CIS 3.0.1 | Ensure Password Complexity is set to Large letters + small letters + numbers + special characters |
Windows LAPS | CIS 3.0.1 | Ensure Password Length is set to Configured-15 or more |
Windows LAPS | CIS 3.0.1 | Ensure Post-authentication actions is set to Reset the password and logoff the managed account or higher |
Windows LAPS | CIS 3.0.1 | Ensure Post Authentication Reset Delay is set to Configured-8 or fewer hours-but not 0 |
The tests below are recommended by Microsoft for Azure generally but are not part of the Azure CIS Version 2.1.0 test list. We recommend executing them as part of a Microsoft Azure security and compliance assessment.
Azure-Infra | SP v1.0 | Ensure On-Prem AD Users are not Privileged Users in Azure Entra ID |
Azure-Infra | SP v1.0 | Ensure Azure Administrative Units are used |
Azure-Infra | SP v1.0 | Ensure Azure Guests cannot invite other Guests |
Azure-Infra | SP v1.0 | Ensure privileged accounts have MFA Configured |
Azure-Infra | SP v1.0 | Ensure non-Admins cannot register custom applications |
Azure-Infra | SP v1.0 | Ensure no Guest Accounts in Azure Privileged groups |
Azure-Infra | SP v1.0 | Ensure Security Defaults is enabled |
Azure-Infra | SP v1.0 | Ensure Normal Azure Users do not have Permissions to provide unrestricted user Consent |
Azure-Infra | SP v1.0 | Ensure Conditional Access Policy with signin user-risk location as Factor |
Azure-Infra | SP v1.0 | Ensure no Guest accounts that are inactive for more than 45 days |
Azure-Infra | SP v1.0 | Conditional Access policy with Continuous Access Evaluation disabled |
Azure-Infra | SP v1.0 | AAD Connect sync account password reset |
Azure-Infra | SP v1.0 | Ensure Guest users are restricted |
Azure-Infra | SP v1.0 | Ensure users are configured with MFA |
Azure-Infra | SP v1.0 | Conditional Access Policy that disables admin token persistence |
Azure-Infra | SP v1.0 | Conditional Access Policy that does not require a password change from high risk users |
Azure-Infra | SP v1.0 | Conditional Access Policy that does not require MFA when sign-in risk has been identified |
Azure-Infra | SP v1.0 | Ensure Guest invites not accepted in last 30 days are identified |
Azure-Infra | SP v1.0 | Ensure Synced AAD Users not privileged Users in Azure |
Azure-Infra | SP v1.0 | Ensure No Private IP Addresses in Conditional Access policies |
Azure-Infra | SP v1.0 | Ensure Number Matching enabled in MFA |
Azure-Infra | SP v1.0 | Ensure AD privileged users are not synced to AAD |
Azure-Infra | SP v1.0 | Ensure no more than 5 Global Administrators |
Azure-Infra | SP v1.0 | Ensure SSO computer account with latest password |
Azure-Infra | SP v1.0 | Ensure RBCD is not applied to AZUREADSSOACC account |
Azure Entra ID | SP v1.0 | Ensure Policy exists to restrict non-administrator access to Azure Active Directory or Entra |
Azure Entra ID | SP v1.0 | Ensure Phishing-resistant MFA strength is required for Administrators |
Azure Entra ID | SP v1.0 | Ensure custom banned passwords lists are used |
Azure Entra ID | SP v1.0 | Ensure Restrict non-admin users from creating tenants is set to Yes |
Azure Entra ID | SP v1.0 | Ensure a dynamic group for guest users is created |
Azure Entra ID | SP v1.0 | Ensure Microsoft Authenticator is configured to protect against MFA fatigue |
Azure Entra ID | SP v1.0 | Ensure that password hash sync is enabled for hybrid deployments |
Azure Entra ID | SP v1.0 | Ensure Privileged Identity Management is used to manage roles |
Azure Entra ID | SP v1.0 | Ensure Security Defaults is disabled on Azure Active Directory |
Azure Entra ID | SP v1.0 | Enable Azure AD Identity Protection user risk policies |
Azure Entra ID | SP v1.0 | Ensure the admin consent workflow is enabled |
Azure Entra ID | SP v1.0 | Ensure Microsoft Azure Management is limited to administrative roles |
Azure Entra ID | SP v1.0 | Ensure LinkedIn account connections is disabled |
Azure Entra ID | SP v1.0 | Ensure password protection is enabled for on-prem Active Directory |
Azure Entra ID | SP v1.0 | Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users |
Azure Entra ID | SP v1.0 | Ensure third party integrated applications are not allowed |
Azure Entra ID | SP v1.0 | Ensure user consent to apps accessing company data on their behalf is not allowed |
Azure Entra ID | SP v1.0 | Enable Conditional Access policies to block legacy authentication |
Azure Entra ID | SP v1.0 | Ensure Self service password reset enabled is set to All |
Azure Entra ID | SP v1.0 | Enable Azure AD Identity Protection sign-in risk policies |
Azure Entra ID | SP v1.0 | Ensure multifactor authentication is enabled for all users in administrative roles |
Azure Entra ID | SP v1.0 | Ensure multifactor authentication is enabled for all users |
Database Services-SQL Server – MySQL Database | SP v1.0 | Ensure to Enable In-Transit Encryption for MySQL Servers |
Virtual Machines | SP v1.0 | Approved Azure Machine Image in Use |
Virtual Machines | SP v1.0 | Azure Disk Encryption for Boot Disk Volumes |
Virtual Machines | SP v1.0 | Azure Disk Encryption for Non-Boot Disk Volumes |
Virtual Machines | SP v1.0 | Ensure Associated Load Balancers are configured |
Virtual Machines | SP v1.0 | Ensure Desired VM SKU Sizes are configured |
Virtual Machines | SP v1.0 | Ensure Virtual Machine Scale Sets are not empty |
Virtual Machines | SP v1.0 | Ensure Virtual Machines are configured with SSH Authentication Type |
Virtual Machines | SP v1.0 | Ensure Sufficient Daily Backup Retention Period is configured for Virtual Machines |
Virtual Machines | SP v1.0 | Ensure Sufficient Instant Restore Retention Period is configured for Virtual Machines |
Virtual Machines | SP v1.0 | Ensure No Unused Load Balancers are identified to reduce cost |
Virtual Machines | SP v1.0 | Ensure No Zone-Redundant Virtual Machine Scale Sets are present |
Virtual Machines | SP v1.0 | Ensure Premium SSD are disabled to reduce cost |
Virtual Machines | SP v1.0 | Ensure Accelerated Networking for Virtual Machines is enabled |
Virtual Machines | SP v1.0 | Ensure Auto-Shutdown of Virtual Machine is enabled to reduce cost |
Virtual Machines | SP v1.0 | Ensure Automatic Instance Repairs is enabled for Virtual Machines |
Virtual Machines | SP v1.0 | Ensure Automatic OS Upgrades is enabled for Virtual Machines |
Virtual Machines | SP v1.0 | Ensure Autoscale Notifications are configured for Virtual Machines |
Virtual Machines | SP v1.0 | Ensure Backups for Azure Virtual Machines are configured |
Virtual Machines | SP v1.0 | Ensure Encryption for App-Tier Disk Volumes is configured |
Virtual Machines | SP v1.0 | Ensure Encryption for Web-Tier Disk Volumes is configured |
Virtual Machines | SP v1.0 | Ensure Guest-Level Diagnostics for Virtual Machines is enabled |
Virtual Machines | SP v1.0 | Ensure Instance Termination Notifications for Virtual Machine Scale Sets is configured |
Virtual Machines | SP v1.0 | Ensure Just-In-Time Access for Virtual Machines is enabled |
Virtual Machines | SP v1.0 | Ensure Performance Diagnostics for Azure Virtual Machines is enabled |
Virtual Machines | SP v1.0 | Ensure System-Assigned Managed Identities are enabled |
Virtual Machines | SP v1.0 | Ensure Virtual Machine Boot Diagnostics is enabled |
Virtual Machines | SP v1.0 | Ensure Health Monitoring is configured for Virtual Machines |
Virtual Machines | SP v1.0 | Ensure Old Virtual Machine Disk Snapshots are removed |
Virtual Machines | SP v1.0 | Ensure Unattached Virtual Machine Disk Volumes are removed from Virtual Machines |
Virtual Machines | SP v1.0 | Ensure BYOK for Disk Volumes Encryption is used |
Virtual Machines | SP v1.0 | Enable Virtual Machine Access using Microsoft Entra ID Authentication |
Azure Subscription | SP v1.0 | Ensure Basic and Consumption SKUs are not used in Production |
Azure Subscription | SP v1.0 | Ensure Azure Cloud Budget Alerts are configured |
Azure Subscription | SP v1.0 | Ensure more than one Subscription Owner is assigned |
Azure Subscription | SP v1.0 | Ensure Not Allowed Resource Types Policy Assignment is in Use |
Azure Subscription | SP v1.0 | Ensure Tags are configured on the Resources |
Azure Subscription | SP v1.0 | Ensure to remove Custom Owner Roles from Subscriptions |
Azure Subscription | SP v1.0 | Ensure Resource Locking Administrator Role is configured |
Azure Subscription | SP v1.0 | Ensure no Subscription Administrator Custom Roles are configured |
Instead of manually gathering data, which could take a significant amount of time, SmartProfiler for Windows 10/11 InTune CIS Assessment has automated all the tests to ensure that the assessment is completed in a matter of hours.
If you’re really looking for an Active Directory security assessment tool, download SmartProfiler and perform an assessment. This will assist you in identifying security, health, and configuration problems.
The health and misconfiguration assessment feature of SmartProfiler is useful for showing where your environment deviates from Microsoft's recommended settings.
The best feature of SmartProfiler is that it can perform the assessment without a Global Admin account and without needing the registration of an Azure AD application. Because it only requires a Global Reader account, we were able to use the tool effectively for our clients, and clients could allow us to conduct the assessment!
SmartProfiler's advanced assessment parameters really give you insights into your Active Directory environment and make sure every risk is mitigated.