[BESAdmin-Announcements] BigFix Compliance: Updated CIS Checklist for Windows 10, published 2025-07-23

Announcements for BES Administrators besadmin-announcements at bigmail.bigfix.com
Thu Jul 24 05:45:01 PDT 2025


*Product:*
BigFix Compliance

*Title:*
Updated *CIS Checklist for Windows 10* to support a more recent version of
the benchmark.

*Security Benchmark:*
CIS Microsoft Windows 10 Enterprise Benchmark, V4.0.0

*Published Sites:*
CIS Checklist for Windows 10, site version 22
(The site version is provided for air-gap customers.)


*Details:*

●       Total New Fixlets: 85

●       Total Updated Fixlets: 7

●       Total Deleted Fixlets: 2

●       Total Fixlets in Site: 545

●      *ADDED*

o       (L1) Ensure 'Require Encryption' is set to 'Enabled'

o       (L1) Ensure 'Trigger a quick scan after X days without any scans' is
set to 'Enabled: 7'

o       (L1) Ensure 'Scan excluded files and directories during quick scans'
is set to 'Enabled: 1'

o       (L2) Ensure 'Configure how aggressively Remote Encryption Protection
blocks threats' is set to 'Enabled: Medium' or higher

o       (L1) Ensure 'Configure Remote Encryption Protection Mode' is set to
'Enabled: Audit' or higher

o       (L2) Ensure 'Configure Brute-Force Protection aggressiveness' is set
to 'Enabled: Medium' or higher

o       (L1) Ensure 'Configure real-time protection and
Security Intelligence Updates during OOBE' is set to 'Enabled'

o       (L2) Ensure 'Convert warn verdict to block' is set to 'Enabled'

o       (L1) Ensure 'Enable EDR in block mode' is set to 'Enabled'

o       (L1) Ensure 'Control whether exclusions are visible to local users'
is set to 'Enabled'

o       (L1) Ensure 'Do not apply the Mark of the Web tag to files copied
from insecure sources' is set to 'Disabled'

o       (L2) Ensure 'Enable Windows Package Manager command line interfaces'
is set to 'Disabled'

o       (L1) Ensure 'Enable App Installer Microsoft Store Source
Certificate Validation Bypass' is set to 'Disabled'

o       (L1) Ensure 'Turn off Windows Copilot' is set to 'Enabled'

o       (L1) Ensure 'Enable App Installer Local Archive Malware
Scan Override' is set to 'Disabled'

o       (L2) Ensure 'Turn off default IPv6 DNS Servers' is set to 'Enabled'

o       (L1) Ensure 'Configure multicast DNS (mDNS) protocol' is set
to 'Disabled'

o       (L1) Ensure 'Turn on Basic feed authentication over HTTP' is set
to 'Disabled'

o       (L2) Ensure 'GameInput Service (GameInputSvc)' is set to 'Disabled'

o       (NG) Ensure 'Allow auditing events in Microsoft Defender
Application Guard' is set to 'Enabled'

o       (NG) Ensure 'Allow camera and microphone access in Microsoft
Defender Application Guard' is set to 'Disabled'

o       (NG) Ensure 'Allow data persistence for Microsoft Defender
Application Guard' is set to 'Disabled'

o       (NG) Ensure 'Allow files to download and save to the host operating
system from Microsoft Defender Application Guard' is set to 'Disabled'

o       (NG) Ensure 'Configure Microsoft Defender Application Guard
clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable
clipboard operation from an isolated session to the host'

o       (NG) Ensure 'Configures LSASS to run as a protected process' is set
to 'Enabled: Enabled with UEFI Lock'

o       (NG) Ensure 'Turn on Microsoft Defender Application Guard in
Managed Mode' is set to 'Enabled: 1'

o       (NG) Ensure 'Turn On Virtualization Based Security' is set to
'Enabled'

o       (NG) Ensure 'Turn On Virtualization Based Security: Credential
Guard Configuration' is set to 'Enabled with UEFI lock'

o       (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI
Memory Attributes Table' is set to 'True (checked)'

o       (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch
Configuration' is set to 'Enabled'

o       (NG) Ensure 'Turn On Virtualization Based Security: Select Platform
Security Level' is set to 'Secure Boot' or higher

o       (NG) Ensure 'Turn On Virtualization Based Security: Virtualization
Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'

o       (BL) Ensure 'Allow access to BitLocker-protected fixed data drives
from earlier versions of Windows' is set to 'Disabled'

o       (BL) Ensure 'Choose how BitLocker-protected operating system drives
can be recovered: Allow data recovery agent' is set to 'Enabled: False'

o       (BL) Ensure 'Choose how BitLocker-protected fixed drives can be
recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' or
higher

o       (BL) Ensure 'Choose how BitLocker-protected fixed drives can be
recovered: Allow data recovery agent' is set to 'Enabled: True'

o       (BL) Ensure 'Prevent installation of devices using drivers that
match these device setup classes: Prevent installation of devices using
drivers for these device setup' is set to 'IEEE 1394 device setup classes'

o       (BL) Ensure 'Choose how BitLocker-protected removable drives can be
recovered: Save BitLocker recovery information to AD DS for removable data
drives' is set to 'Enabled: False'

o       (BL) Ensure 'Configure use of smart cards on removable data drives:
Require use of smart cards on removable data drives' is set to 'Enabled:
True'

o       (BL) Ensure 'Deny write access to removable drives not protected by
BitLocker: Do not allow write access to devices configured in another
organization' is set to 'Enabled: False'

o       (BL) Ensure 'Choose how BitLocker-protected removable drives can be
recovered' is set to 'Enabled'

o       (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'

o       (BL) Ensure 'Configure use of hardware-based encryption for
removable data drives' is set to 'Disabled'

o       (BL) Ensure 'Choose how BitLocker-protected fixed drives can be
recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery
password' or higher

o       (BL) Ensure 'Choose how BitLocker-protected operating system drives
can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit
recovery password'

o       (BL) Ensure 'Choose how BitLocker-protected operating system drives
can be recovered: Save BitLocker recovery information to AD DS for
operating system drives' is set to 'Enabled: True'

o       (BL) Ensure 'Choose how BitLocker-protected removable drives can be
recovered: Allow data recovery agent' is set to 'Enabled: True'

o       (BL) Ensure 'Require additional authentication at startup' is set
to 'Enabled'

o       (BL) Ensure 'Choose how BitLocker-protected operating system drives
can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit
recovery key'

o       (BL) Ensure 'Choose how BitLocker-protected operating system drives
can be recovered: Do not enable BitLocker until recovery information is
stored to AD DS for operating system drives' is set to 'Enabled: True'

o       (BL) Ensure 'Enumeration policy for external devices incompatible
with Kernel DMA Protection' is set to 'Enabled: Block All'

o       (BL) Ensure 'Allow access to BitLocker-protected removable data
drives from earlier versions of Windows' is set to 'Disabled'

o       (BL) Ensure 'Choose how BitLocker-protected removable drives can be
recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery
key'

o       (BL) Ensure 'Require additional authentication at startup: Allow
BitLocker without a compatible TPM' is set to 'Enabled: False'

o       (BL) Ensure 'Choose how BitLocker-protected removable drives can be
recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit
recovery password'

o       (BL) Ensure 'Choose how BitLocker-protected fixed drives can be
recovered: Do not enable BitLocker until recovery information is stored to
AD DS for fixed data drives' is set to 'Enabled: False'

o       (BL) Ensure 'Choose how BitLocker-protected fixed drives can be
recovered: Configure storage of BitLocker recovery information to AD DS' is
set to 'Enabled: Backup recovery passwords and key packages'

o       (BL) Ensure 'Configure use of smart cards on removable data drives'
is set to 'Enabled'

o       (BL) Ensure 'Choose how BitLocker-protected operating system drives
can be recovered: Configure storage of BitLocker recovery information to AD
DS:' is set to 'Enabled: Store recovery passwords and key packages'

o       (BL) Ensure 'Configure use of smart cards on fixed data drives:
Require use of smart cards on fixed data drives' is set to 'Enabled: True'

o       (BL) Ensure 'Allow standby states (S1-S3) when sleeping (on
battery)' is set to 'Disabled'

o       (BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged
in)' is set to 'Disabled'

o       (BL) Ensure 'Choose how BitLocker-protected removable drives can be
recovered: Configure storage of BitLocker recovery information to AD DS:'
is set to 'Enabled: Backup recovery passwords and key packages'

o       (BL) Ensure 'Allow Secure Boot for integrity validation' is set to
'Enabled'

o       (BL) Ensure 'Choose how BitLocker-protected removable drives can be
recovered: Do not enable BitLocker until recovery information is stored to
AD DS for removable data drives' is set to 'Enabled: False'

o       (BL) Ensure 'Choose how BitLocker-protected operating system drives
can be recovered' is set to 'Enabled'

o       (BL) Ensure 'Prevent installation of devices using drivers that
match these device setup classes' is set to 'Enabled'

o       (BL) Ensure 'Configure use of passwords for fixed data drives' is
set to 'Disabled'

o       (BL) Ensure 'Configure use of hardware-based encryption for fixed
data drives' is set to 'Disabled'

o       (BL) Ensure 'Interactive logon: Machine account lockout threshold'
is set to '10 or fewer invalid logon attempts, but not 0'

o       (BL) Ensure 'Configure use of passwords for removable data drives'
is set to 'Disabled'

o       (BL) Ensure 'Choose how BitLocker-protected fixed drives can be
recovered: Save BitLocker recovery information to AD DS for fixed data
drives' is set to 'Enabled: False'

o       (BL) Ensure 'Configure use of passwords for operating system
drives' is set to 'Disabled'

o       (BL) Ensure 'Configure use of smart cards on fixed data drives' is
set to 'Enabled'

o       (BL) Ensure 'Choose how BitLocker-protected removable drives can be
recovered: Omit recovery options from the BitLocker setup wizard' is set to
'Enabled: True'

o       (BL) Ensure 'Configure use of hardware-based encryption for
operating system drives' is set to 'Disabled'

o       (BL) Ensure 'Disable new DMA devices when this computer is locked'
is set to 'Enabled'

o       (BL) Ensure 'Deny write access to removable drives not protected by
BitLocker' is set to 'Enabled'

o       (BL) Ensure 'Choose how BitLocker-protected operating system drives
can be recovered: Omit recovery options from the BitLocker setup wizard' is
set to 'Enabled: True'

o       (BL) Ensure 'Choose how BitLocker-protected fixed drives can be
recovered: Omit recovery options from the BitLocker setup wizard' is set to
'Enabled: True'

o       (BL) Ensure 'Choose how BitLocker-protected fixed drives can be
recovered' is set to 'Enabled'

o       (BL) Ensure 'Prevent installation of devices using drivers that
match these device setup classes: Also apply to matching devices that are
already installed.' is set to 'True' (checked)

o       (BL) Ensure 'Prevent installation of devices that match any of
these device IDs' is set to 'Enabled'

o       (BL) Ensure 'Prevent installation of devices that match any of
these device IDs: Also apply to matching devices that are already
installed.' is set to 'True' (checked)

o       (BL) Ensure 'Prevent installation of devices that match any of
these device IDs: Prevent installation of devices that match any of these
device IDs' is set to 'PCI\CC_0C0A'



●       *UPDATED*

o       (L1) Ensure 'Enable Certificate Padding' is set to 'Enabled'

o       (L2) Ensure 'Enable App Installer' is set to 'Disabled'

o       (L1) Ensure 'Configures LSASS to run as a protected process' is set
to 'Enabled: Enabled with UEFI Lock'

o       (L1) Ensure 'Configure the transmission of the user's password in
the content of MPR notifications sent by winlogon.' is set to 'Disabled'

o       (L1) Ensure 'Create symbolic links' is set to 'Administrators'

o       (L2) Ensure 'Log on as a service' is configured

o       (L1) Ensure 'Configure RPC packet level privacy setting for
incoming connections' is set to 'Enabled'

●       *DELETED*

o       (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to
'Disabled'

o       (L1) Ensure 'Only display the private store within the Microsoft
Store' is set to 'Enabled'



●       Both analysis and remediation checks are included

●       Some of the checks allow you to use the parameterized setting to
enable customization for compliance evaluation. Note that parameterization
and remediation actions require the creation of a custom site.



*Actions to take:*

●      To subscribe to the above site, you can use the License Overview
Dashboard to enable and gather the site. Note that you must be entitled to
the BigFix Compliance product, and you must be using BigFix version 10 or
later.

●       If you use custom sites, update your custom sites accordingly to
use the latest content. You can synchronize your content by using the
Synchronize Custom Checks wizard. For more information, see

https://help.hcltechsw.com/bigfix/11.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html

*More information:*
To learn more about the BigFix Compliance SCM checklists, see the
following resources:

●       BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance

●       BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=enus#!/wiki/BigFix%20Wiki/page/SCM%20Checklists

We hope you find this latest release of SCM content useful and effective.
Thank you!

*– The BigFix Compliance team*