Windows 11 Enterprise CIS 4.0 #29191


Merged
merged 19 commits into from
May 22, 2025
Conversation

dantecatalfamo
Member

@dantecatalfamo dantecatalfamo commented May 15, 2025

#27396

  • Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
    See Changes files for more information.
  • Manual QA for all new/changed functionality

Results

First Column:

  • + = Added
  • D = Duplicate
  • X = Updated/Removed
  • ? = Unclear/un-actionable

Tested Column:

  • Yes = Works as described
  • NF = Could not find GP setting, but registry key exists and editing it makes the policy pass
  • NA = Not available. Could not find GP setting, registry setting doesn't exist

|   | Tested | Type | Comment |
|---|---|---|---|
| + | NF | ADD | 5 (L2) Ensure 'WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc)' is set to 'Disabled' |
| + | Yes | ADD | 18.10.58 (L1) Ensure 'Turn on Basic feed authentication over HTTP' is set to 'Disabled' |
| + | Yes | ADD | 2.3.11 (L1) Ensure 'Network security: LDAP client encryption requirements' is set to 'Negotiate sealing' or higher |
| + | Yes | ADD | 18.6.4 (L1) Ensure 'Configure multicast DNS (mDNS) protocol' is set to 'Disabled' |
| + | Yes | ADD | 18.6.4 (L2) Ensure 'Turn off default IPv6 DNS Servers' is set to 'Enabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Audit client does not support encryption' is set to 'Enabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Audit client does not support signing' is set to 'Enabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Audit insecure guest logon' is set to 'Enabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Enable authentication rate limiter' is set to 'Enabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Enable remote mailslots' is set to 'Disabled' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Mandate the minimum version of SMB' is set to 'Enabled: 3.1.1' |
| + | Yes | ADD | 18.6.7 (L1) Ensure 'Set authentication rate limiter delay (milliseconds)' is set to 'Enabled: 2000' or more |
| + | Yes | ADD | 18.6.8 (L1) Ensure 'Audit insecure guest logon' is set to 'Enabled' |
| + | Yes | ADD | 18.6.8 (L1) Ensure 'Audit server does not support encryption' is set to 'Enabled' |
| + | Yes | ADD | 18.6.8 (L1) Ensure 'Audit server does not support signing' is set to 'Enabled' |
| D | -- | ADD | 18.6.8 (L1) Ensure 'Enable remote mailslots' is set to 'Disabled' |
| D | -- | ADD | 18.6.8 (L1) Ensure 'Mandate the minimum version of SMB' is set to 'Enabled: 3.1.1' |
| + | Yes | ADD | 18.7 (L2) Ensure 'Configure Windows protected print' is set to 'Enabled' |
| + | Yes | ADD | 18.9 (L1) Ensure 'Configure the behavior of the sudo command' is set to 'Enabled: Disabled' |
| + | Yes | ADD | 18.9.30.1 (L1) Ensure 'Block NetBIOS-based discovery for domain controller location' is set to 'Enabled' |
| + | Yes | ADD | 18.9.39 (L1) Ensure 'Configure SAM change password RPC methods policy' is set to 'Enabled: Block all change password RPC methods' |
| + | Yes | ADD | 18.10.3 (L2) Ensure 'Turn off API Sampling' is set to 'Enabled' |
| + | Yes | ADD | 18.10.3 (L2) Ensure 'Turn off Application Footprint' is set to 'Enabled' |
| + | Yes | ADD | 18.10.3 (L2) Ensure 'Turn off Install Tracing' is set to 'Enabled' |
| + | Yes | ADD | 18.10.4 (L1) Ensure 'Not allow per-user unsigned packages to install by default (requires explicitly allow per install)' is set to 'Enabled' |
| + | Yes | ADD | 18.10.18 (L1) Ensure 'Enable App Installer Local Archive Malware Scan Override' is set to 'Disabled' |
| + | Yes | ADD | 18.10.18 (L1) Ensure 'Enable App Installer Microsoft Store Source Certificate Validation Bypass' is set to 'Disabled' |
| + | Yes | ADD | 18.10.18 (L2) Ensure 'Enable Windows Package Manager command line interfaces' is set to 'Disabled' |
| + | Yes | ADD | 18.10.29 (L1) Ensure 'Do not apply the Mark of the Web tag to files copied from insecure sources' is set to 'Disabled' |
| + | Yes | ADD | 18.10.43 (L1) Ensure 'Control whether exclusions are visible to local users' is set to 'Enabled' |
| + | Yes | ADD | 18.10.43.4 (L1) Ensure 'Enable EDR in block mode' is set to 'Enabled' |
| + | Yes | ADD | 18.10.43.8 (L2) Ensure 'Convert warn verdict to block' is set to 'Enabled' |
| + | Yes | ADD | 18.10.43.10 (L1) Ensure 'Configure real-time protection and Security Intelligence Updates during OOBE' is set to 'Enabled' |
| + | Yes | ADD | 18.10.43.11.1.1 (L2) Ensure 'Configure Brute-Force Protection aggressiveness' is set to 'Enabled: Medium' or higher |
| + | Yes | ADD | 18.10.43.11.1.1 (L1) Ensure 'Configure Remote Encryption Protection Mode' is set to 'Enabled: Audit' or higher |
| + | Yes | ADD | 18.10.43.11.1.2 (L2) Ensure 'Configure how aggressively Remote Encryption Protection blocks threats' is set to 'Enabled: Medium' or higher |
| + | Yes | ADD | 18.10.43.13 (L1) Ensure 'Scan excluded files and directories during quick scans' is set to 'Enabled: 1' |
| + | Yes | ADD | 18.10.43.13 (L1) Ensure 'Trigger a quick scan after X days without any scans' is set to 'Enabled: 7' |
| + | Yes | ADD | 18.10.57.3.3 (L2) Ensure 'Restrict clipboard transfer from server to client' is set to 'Enabled: Disable clipboard transfers from server to client' |
| + | NA | ADD | 19.7.40 (L1) Ensure 'Turn off Windows Copilot' is set to 'Enabled' |
| + | NF | ADD | 5 (L2) Ensure 'GameInput Service (GameInputSvc)' is set to 'Disabled' |
| + | Yes | ADD | 18.6.8 (L1) Ensure 'Require Encryption' is set to 'Enabled' |
| + | Yes | ADD | 18.10.91 (L2) Ensure 'Allow mapping folders into Windows Sandbox' is set to 'Disabled' |
| X | Yes | MOVE | 18.4.1 (L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled' TO 18.7 |
| X | Yes | REMOVE | 18.10.42 Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' |
| X | Yes | REMOVE | 18.10.15 (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled' |
| X | Yes | REMOVE | 18.10.66 (L1) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled' |
| X | Yes | REMOVE | 2.3.1 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' |
| X | Yes | REMOVE | 18.9.7.1 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC0C0A' |
| X | Yes | REMOVE | 18.9.7 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked) |
| X | Yes | REMOVE | 18.9.7 (BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' |
| X | Yes | REMOVE | 5 (L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled' |
| X | Yes | REMOVE | 5 (L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled' |
| X | Yes | REMOVE | 5 (L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled' |
| X | Yes | REMOVE | 5 (L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled' |
| X | Yes | REMOVE | 18.6.4 (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher |
| X | Yes | RENAME | 2.2 (L1) Configure 'Create symbolic links' TO (L1) Ensure 'Create symbolic links' is set to 'Administrators'23528 |
| X | Yes | RENAME | 2.2 (L2) Configure 'Log on as a service' TO (L2) Ensure 'Log on as a service' is configured |
| + | Yes | RENAME | 18.10.82.1 (L1) Ensure 'Enable MPR notifications for the system' TO 'Configure the transmission of the user's password in the content of MPR notifications sent by winlogon.' |
| X | Yes | UPDATE | 18.10.17 (L1 -> L2) Ensure 'Enable App Installer' is set to 'Disabled' |
| X | Yes | UPDATE | 18.4 (L1) Ensure 'Enable Certificate Padding' TO Allow REGDWORD or REGSZ |
| X | NA | UPDATE | 18.9.26 Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock' |
| ? | Unknown | UPDATE | Section 17 Auditpol commands to use Policy GUIDs |
| ? | Unknown | UPDATE | 18.4 (L1) Ensure 'Enable Certificate Padding' is set to 'Enabled' |
| ? | Unknown | UPDATE | Section changes from Windows 11 Release 23H2 v2.0 Administrative Templates |
| ? | Unknown | UPDATE | Section changes from Windows 11 Release 24H2 Administrative Templates |
| ? | Unknown | UPDATE | User Overview (Section 19) |
| ? | Unknown | UPDATE | Profile Names |
| ? | Unknown | UPDATE | General Overview and Intended Audience Section |
| ? | Unknown | UPDATE | BitLocker Operating System Drive Section |
| ? | Unknown | UPDATE | 18.10.93.4 (L1) Ensure 'Enable optional updates' is set to 'Disabled' |

@dantecatalfamo dantecatalfamo changed the title from "Removals/renaming" to "Windows 11 Enterprise CIS 4." May 15, 2025
@dantecatalfamo dantecatalfamo changed the title from "Windows 11 Enterprise CIS 4." to "Windows 11 Enterprise CIS 4.0" May 15, 2025
Contributor

@sgress454 sgress454 left a comment


I know this is still in draft, but to get ahead of it I tried using `fleetctl apply` and it complained that there were two "CIS - Ensure 'Turn off Windows Copilot' is set to 'Enabled'" policies. Once I removed one of them, apply worked!

@dantecatalfamo dantecatalfamo marked this pull request as ready for review May 22, 2025 14:52
@fleet-release fleet-release requested a review from sharon-fdm May 22, 2025 14:52
@sgress454
Contributor

Outstanding -- I think it'd be worth briefly documenting (in this ticket or elsewhere) how you went about this work, so whoever gets the next ticket like this can benefit from your experience.

I pointed my Windows 11 VM at these. Of the 555 policies here, 75 of them returned errors. A brief sampling found that the failures were due to missing `mdm_bridge` or `cis_audit` tables. Can you confirm that this is expected on a non-MDM-enabled Windows machine?
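The two problems raised in this review (a duplicated policy name that `fleetctl apply` rejected, and a batch of policies erroring because a host lacks the `mdm_bridge` or `cis_audit` tables) can both be caught before rollout by scanning the policies file. The script below is an added example written for this page, not Fleet's own tooling and not part of this PR. It assumes the multi-document YAML layout Fleet uses for `kind: policy` files (a `spec:` block holding `name:` and `query:`) and uses a minimal stand-in parser instead of PyYAML. The sample policies, their registry paths, the CSP path and the `cis_audit`/`mdm_bridge` column names are constructed for the example and are not the real CIS queries.

```python
"""Pre-flight check for a Fleet policies YAML file before `fleetctl apply`.
Added example, not Fleet's tooling. Assumes Fleet's multi-document layout for
`kind: policy` files (`spec:` holding `name:` and `query:`); the parser is a
minimal stand-in for PyYAML that handles plain values and `query: |` blocks."""
import re
from collections import Counter

# Tables the reviewer saw missing on a non-MDM Windows 11 VM; policies that
# query them are the ones to expect errors from on such a host.
MDM_ONLY_TABLES = {"mdm_bridge", "cis_audit"}

# Constructed sample: a duplicated Copilot policy (the collision fleetctl apply
# rejected) plus one policy per Fleet-only table. Paths/columns are illustrative.
SAMPLE_POLICIES = r"""---
kind: policy
spec:
  name: CIS - Ensure 'Turn off Windows Copilot' is set to 'Enabled'
  query: |
    SELECT 1 FROM registry
    WHERE path = 'HKEY_CURRENT_USER\Software\Policies\Example\TurnOffWindowsCopilot' AND data = 1;
---
kind: policy
spec:
  name: CIS - Ensure 'Turn off Windows Copilot' is set to 'Enabled'
  query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_USERS\%\Software\Policies\Example\TurnOffWindowsCopilot' AND data = 1;
---
kind: policy
spec:
  name: CIS - Ensure 'Audit Credential Validation' is set to 'Success and Failure'
  query: SELECT 1 FROM cis_audit WHERE item = 'Credential Validation' AND value = 'Success and Failure';
---
kind: policy
spec:
  name: CIS - Ensure 'Enable EDR in block mode' is set to 'Enabled'
  query: SELECT 1 FROM mdm_bridge WHERE mdm_csp_path = './Device/Vendor/MSFT/Example' AND mdm_csp_value = 1;
"""

# A YAML `key:` line with optional inline value, capturing its indentation.
KEY_RE = re.compile(r"^(\s*)([A-Za-z_][\w-]*):(?:\s+(.*))?$")

def split_documents(text):
    """Split a YAML stream on `---` separator lines into lists of lines."""
    docs, current = [], []
    for line in text.splitlines():
        if line.strip() == "---":
            if current:
                docs.append(current)
            current = []
        else:
            current.append(line)
    return docs + [current] if current else docs

def unquote(value):
    """Drop one pair of matching surrounding quotes, leaving inner quotes alone."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value

def parse_policy(lines):
    """Return the kind, name and full query text of one YAML document."""
    kind, name, query, i = None, None, [], 0
    while i < len(lines):
        match = KEY_RE.match(lines[i])
        i += 1
        if not match:
            continue
        indent, key, value = match.group(1), match.group(2), match.group(3) or ""
        if key == "kind" and not indent:
            kind = unquote(value)
        elif key == "name" and name is None:
            name = unquote(value)
        elif key == "query" and value.strip() in ("|", "|-", ">", ">-"):
            # Block scalar: collect every following line indented deeper than the key.
            while i < len(lines) and (not lines[i].strip() or lines[i].startswith(indent + " ")):
                query.append(lines[i].strip())
                i += 1
        elif key == "query":
            query.append(unquote(value))
    return {"kind": kind, "name": name, "query": " ".join(q for q in query if q)}

def load_policies(text):
    """Parse every `kind: policy` document in the file."""
    return [p for p in map(parse_policy, split_documents(text)) if p["kind"] == "policy"]

def duplicate_names(policies):
    """Policy names used more than once; `fleetctl apply` rejects these."""
    counts = Counter(p["name"] for p in policies if p["name"])
    return sorted(name for name, n in counts.items() if n > 1)

def table_dependent(policies, tables=MDM_ONLY_TABLES):
    """Names of policies whose query references any of the given tables."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, sorted(tables))) + r")\b", re.I)
    return sorted({p["name"] for p in policies if pattern.search(p["query"])})

def check(text):
    """Summary a reviewer can read before rolling the file out to hosts."""
    policies = load_policies(text)
    return {"total": len(policies),
            "duplicates": duplicate_names(policies),
            "needs_tables": table_dependent(policies)}

if __name__ == "__main__":
    import sys
    report = check(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICIES)
    print(f"{report['total']} policies; {len(report['needs_tables'])} query {sorted(MDM_ONLY_TABLES)}")
    for name in report["duplicates"]:
        print("DUPLICATE NAME:", name)
```

Run it as `python check_policies.py path/to/policies.yml`; with no argument it runs over the constructed sample. The "N of total" figure it prints is the number to compare against the error count seen on a host without MDM tables, and a non-empty duplicate list means `fleetctl apply` will refuse the file.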

Contributor

@sgress454 sgress454 left a comment


+1 pending reply to my comment above re: some policies returning errors

@dantecatalfamo
Member Author

@sgress454 I only tested the policies that I added as part of this ticket; if there are bugs with some of the older policies, I'm not sure.

@dantecatalfamo
Member Author

@sgress454 I also tested on Windows 11 Enterprise, which has different policy options from Windows 11 Home.

@dantecatalfamo
Member Author

I just copy/pasted the list of changes from the changelog at the end of the 4.0 document into a table and went through them one by one; there was no greater process, unfortunately.

@dantecatalfamo dantecatalfamo merged commit 0b6ee93 into main May 22, 2025
5 checks passed
@dantecatalfamo dantecatalfamo deleted the 27396-win-11-cis-4 branch May 22, 2025 19:55