[BESAdmin-Announcements] BigFix Compliance: Updated CIS Checklist for Windows 11, published 2025-06-23
Announcements for BES Administrators
besadmin-announcements at bigmail.bigfix.com
Tue Jun 24 10:12:26 PDT 2025
*Product:*
BigFix Compliance
*Title:*
Updated *CIS Checklist for Windows 11* to support a more recent version of
the benchmark.
*Security Benchmark:*
CIS Microsoft Windows 11 Enterprise Benchmark, V4.0.0
*Published Sites:*
CIS Checklist for Windows 11, site version 11
(The site version is provided for air-gap customers.)
*Details:*
● Total New Fixlets: 93
● Total Updated Fixlets: 7
● Total Deleted Fixlets: 9
● Total Fixlets in Site: 568
● *ADDED*
o (L2) Ensure 'WinHTTP Web Proxy Auto-Discovery Service
(WinHttpAutoProxySvc)' is set to 'Disabled'
o (L1) Ensure 'Turn on Basic feed authentication over HTTP' is set to
'Disabled'
o (L1) Ensure 'Network security: LDAP client encryption requirements'
is set to 'Negotiate sealing' or higher
o (L1) Ensure 'Configure multicast DNS (mDNS) protocol' is set to
'Disabled'
o (L2) Ensure 'Turn off default IPv6 DNS Servers' is set to 'Enabled'
o (L1) Ensure 'Audit client does not support encryption' is set to
'Enabled'
o (L1) Ensure 'Audit client does not support signing' is set to
'Enabled'
o (L1) Ensure 'Audit insecure guest logon' is set to 'Enabled'
o (L1) Ensure 'Enable authentication rate limiter' is set to 'Enabled'
o (L1) Ensure 'Enable remote mailslots' is set to 'Disabled'
o (L1) Ensure 'Mandate the minimum version of SMB' is set to
'Enabled: 3.1.1'
o (L1) Ensure 'Set authentication rate limiter delay (milliseconds)'
is set to 'Enabled: 2000' or more
o (L1) Ensure 'Audit insecure guest logon' is set to 'Enabled'
o (L1) Ensure 'Audit server does not support encryption' is set to
'Enabled'
o (L1) Ensure 'Audit server does not support signing' is set to
'Enabled'
o (L1) Ensure 'Enable remote mailslots' is set to 'Disabled'
o (L1) Ensure 'Mandate the minimum version of SMB' is set to
'Enabled: 3.1.1'
o (L2) Ensure 'Configure Windows protected print' is set to 'Enabled'
o (L1) Ensure 'Configure the behavior of the sudo command' is set to
'Enabled: Disabled'
o (L1) Ensure 'Block NetBIOS-based discovery for domain controller
location' is set to 'Enabled'
o (L1) Ensure 'Configure SAM change password RPC methods policy' is
set to 'Enabled: Block all change password RPC methods'
o (L2) Ensure 'Turn off API Sampling' is set to 'Enabled'
o (L2) Ensure 'Turn off Application Footprint' is set to 'Enabled'
o (L2) Ensure 'Turn off Install Tracing' is set to 'Enabled'
o (L1) Ensure 'Not allow per-user unsigned packages to install by
default (requires explicitly allow per install)' is set to 'Enabled'
o (L1) Ensure 'Enable App Installer Local Archive Malware Scan
Override' is set to 'Disabled'
o (L1) Ensure 'Enable App Installer Microsoft Store Source
Certificate Validation Bypass' is set to 'Disabled'
o (L2) Ensure 'Enable Windows Package Manager command line
interfaces' is set to 'Disabled'
o (L1) Ensure 'Do not apply the Mark of the Web tag to files copied
from insecure sources' is set to 'Disabled'
o (L1) Ensure 'Control whether exclusions are visible to local users'
is set to 'Enabled'
o (L1) Ensure 'Enable EDR in block mode' is set to 'Enabled'
o (L2) Ensure 'Convert warn verdict to block' is set to 'Enabled'
o (L1) Ensure 'Configure real-time protection and Security
Intelligence Updates during OOBE' is set to 'Enabled'
o (L2) Ensure 'Configure Brute-Force Protection aggressiveness' is
set to 'Enabled: Medium' or higher
o (L1) Ensure 'Configure Remote Encryption Protection Mode' is set to
'Enabled: Audit' or higher
o (L2) Ensure 'Configure how aggressively Remote Encryption
Protection blocks threats' is set to 'Enabled: Medium' or higher
o (L1) Ensure 'Scan excluded files and directories during quick
scans' is set to 'Enabled: 1'
o (L1) Ensure 'Trigger a quick scan after X days without any scans'
is set to 'Enabled: 7'
o (L2) Ensure 'Restrict clipboard transfer from server to client' is
set to 'Enabled: Disable clipboard transfers from server to client'
o (L1) Ensure 'Turn off Windows Copilot' is set to 'Enabled'
o (L2) Ensure 'GameInput Service (GameInputSvc)' is set to 'Disabled'
o (L1) Ensure 'Require Encryption' is set to 'Enabled'
o (L2) Ensure 'Allow mapping folders into Windows Sandbox' is set to
'Disabled'
o (BL) Ensure 'Allow access to BitLocker-protected fixed data drives
from earlier versions of Windows' is set to 'Disabled'
o (BL) Ensure 'Choose how BitLocker-protected operating system drives
can be recovered: Allow data recovery agent' is set to 'Enabled: False'
o (BL) Ensure 'Choose how BitLocker-protected fixed drives can be
recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' or
higher
o (BL) Ensure 'Choose how BitLocker-protected fixed drives can be
recovered: Allow data recovery agent' is set to 'Enabled: True'
o (BL) Ensure 'Prevent installation of devices using drivers that
match these device setup classes: Prevent installation of devices using
drivers for these device setup' is set to 'IEEE 1394 device setup classes'
o (BL) Ensure 'Choose how BitLocker-protected removable drives can be
recovered: Save BitLocker recovery information to AD DS for removable data
drives' is set to 'Enabled: False'
o (BL) Ensure 'Configure use of smart cards on removable data drives:
Require use of smart cards on removable data drives' is set to 'Enabled:
True'
o (BL) Ensure 'Deny write access to removable drives not protected by
BitLocker: Do not allow write access to devices configured in another
organization' is set to 'Enabled: False'
o (BL) Ensure 'Choose how BitLocker-protected removable drives can be
recovered' is set to 'Enabled'
o (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'
o (BL) Ensure 'Configure use of hardware-based encryption for
removable data drives' is set to 'Disabled'
o (BL) Ensure 'Choose how BitLocker-protected fixed drives can be
recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery
password' or higher
o (BL) Ensure 'Choose how BitLocker-protected operating system drives
can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit
recovery password'
o (BL) Ensure 'Choose how BitLocker-protected operating system drives
can be recovered: Save BitLocker recovery information to AD DS for
operating system drives' is set to 'Enabled: True'
o (BL) Ensure 'Choose how BitLocker-protected removable drives can be
recovered: Allow data recovery agent' is set to 'Enabled: True'
o (BL) Ensure 'Require additional authentication at startup' is set
to 'Enabled'
o (BL) Ensure 'Choose how BitLocker-protected operating system drives
can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit
recovery key'
o (BL) Ensure 'Choose how BitLocker-protected operating system drives
can be recovered: Do not enable BitLocker until recovery information is
stored to AD DS for operating system drives' is set to 'Enabled: True'
o (BL) Ensure 'Enumeration policy for external devices incompatible
with Kernel DMA Protection' is set to 'Enabled: Block All'
o (BL) Ensure 'Allow access to BitLocker-protected removable data
drives from earlier versions of Windows' is set to 'Disabled'
o (BL) Ensure 'Choose how BitLocker-protected removable drives can be
recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery
key'
o (BL) Ensure 'Require additional authentication at startup: Allow
BitLocker without a compatible TPM' is set to 'Enabled: False'
o (BL) Ensure 'Choose how BitLocker-protected removable drives can be
recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit
recovery password'
o (BL) Ensure 'Choose how BitLocker-protected fixed drives can be
recovered: Do not enable BitLocker until recovery information is stored to
AD DS for fixed data drives' is set to 'Enabled: False'
o (BL) Ensure 'Choose how BitLocker-protected fixed drives can be
recovered: Configure storage of BitLocker recovery information to AD DS' is
set to 'Enabled: Backup recovery passwords and key packages'
o (BL) Ensure 'Configure use of smart cards on removable data drives'
is set to 'Enabled'
o (BL) Ensure 'Choose how BitLocker-protected operating system drives
can be recovered: Configure storage of BitLocker recovery information to AD
DS:' is set to 'Enabled: Store recovery passwords and key packages'
o (BL) Ensure 'Configure use of smart cards on fixed data drives:
Require use of smart cards on fixed data drives' is set to 'Enabled: True'
o (BL) Ensure 'Allow standby states (S1-S3) when sleeping (on
battery)' is set to 'Disabled'
o (BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged
in)' is set to 'Disabled'
o (BL) Ensure 'Choose how BitLocker-protected removable drives can be
recovered: Configure storage of BitLocker recovery information to AD DS:'
is set to 'Enabled: Backup recovery passwords and key packages'
o (BL) Ensure 'Allow Secure Boot for integrity validation' is set to
'Enabled'
o (BL) Ensure 'Choose how BitLocker-protected removable drives can be
recovered: Do not enable BitLocker until recovery information is stored to
AD DS for removable data drives' is set to 'Enabled: False'
o (BL) Ensure 'Choose how BitLocker-protected operating system drives
can be recovered' is set to 'Enabled'
o (BL) Ensure 'Prevent installation of devices using drivers that
match these device setup classes' is set to 'Enabled'
o (BL) Ensure 'Configure use of passwords for fixed data drives' is
set to 'Disabled'
o (BL) Ensure 'Configure use of hardware-based encryption for fixed
data drives' is set to 'Disabled'
o (BL) Ensure 'Interactive logon: Machine account lockout threshold'
is set to '10 or fewer invalid logon attempts, but not 0'
o (BL) Ensure 'Configure use of passwords for removable data drives'
is set to 'Disabled'
o (BL) Ensure 'Choose how BitLocker-protected fixed drives can be
recovered: Save BitLocker recovery information to AD DS for fixed data
drives' is set to 'Enabled: False'
o (BL) Ensure 'Configure use of passwords for operating system
drives' is set to 'Disabled'
o (BL) Ensure 'Configure use of smart cards on fixed data drives' is
set to 'Enabled'
o (BL) Ensure 'Choose how BitLocker-protected removable drives can be
recovered: Omit recovery options from the BitLocker setup wizard' is set to
'Enabled: True'
o (BL) Ensure 'Configure use of hardware-based encryption for
operating system drives' is set to 'Disabled'
o (BL) Ensure 'Disable new DMA devices when this computer is locked'
is set to 'Enabled'
o (BL) Ensure 'Deny write access to removable drives not protected by
BitLocker' is set to 'Enabled'
o (BL) Ensure 'Choose how BitLocker-protected operating system drives
can be recovered: Omit recovery options from the BitLocker setup wizard' is
set to 'Enabled: True'
o (BL) Ensure 'Choose how BitLocker-protected fixed drives can be
recovered: Omit recovery options from the BitLocker setup wizard' is set to
'Enabled: True'
o (BL) Ensure 'Choose how BitLocker-protected fixed drives can be
recovered' is set to 'Enabled'
o (BL) Ensure 'Prevent installation of devices using drivers that
match these device setup classes: Also apply to matching devices that are
already installed.' is set to 'True' (checked)
● *UPDATED*
o (L1) Ensure 'Enable Certificate Padding' is set to 'Enabled'
o (L2) Ensure 'Enable App Installer' is set to 'Disabled'
o (L1) Ensure 'Configures LSASS to run as a protected process' is set
to 'Enabled: Enabled with UEFI Lock'
o (L1) Ensure 'Enable optional updates' is set to 'Disabled'
o (L1) Ensure 'Configure the transmission of the user's password in
the content of MPR notifications sent by winlogon.' is set to 'Disabled'
o (L1) Ensure 'Create symbolic links' is set to 'Administrators'
o (L2) Ensure 'Log on as a service' is configured
● *DELETED*
o (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to
'Disabled'
o (L1) Ensure 'Toggle user control over Insider builds' is set to
'Disabled'
o (L1) Ensure 'Only display the private store within the Microsoft
Store' is set to 'Enabled'
o (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users
can't add or log on with Microsoft accounts'
o (L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to
'Disabled'
o (L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'
o (L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to
'Disabled'
o (L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)'
is set to 'Disabled'
o (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set
to 'Enabled: Allow DoH' or higher
● Both analysis and remediation checks are included
● Some of the checks allow you to use the parameterized setting to
enable customization for compliance evaluation. Note that parameterization
and remediation actions require the creation of a custom site.
*Actions to take:*
● To subscribe to the above site, you can use the License Overview
Dashboard to enable and gather the site. Note that you must be entitled to
the BigFix Compliance product, and you must be using BigFix version 10 or
later.
● If you use custom sites, update your custom sites accordingly to
use the latest content. You can synchronize your content by using the
Synchronize Custom Checks wizard. For more information, see
https://help.hcltechsw.com/bigfix/11.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html
*More information:*
To learn more about the BigFix Compliance SCM checklists, please see the
following resources:
● BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance
● BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=enus#!/wiki/BigFix%20Wiki/page/SCM%20Checklists
We hope you find this latest release of SCM content useful and effective.
Thank you!
*– The BigFix Compliance team*