[BESAdmin-Announcements] BigFix Compliance Updated CIS Checklist for Windows Server 2019, published 2025-09-10

Announcements for BES Administrators besadmin-announcements at bigmail.bigfix.com
Thu Sep 11 07:22:42 PDT 2025


*Product:*
BigFix Compliance

*Title:*
Updated *CIS Checklist for Windows Server 2019* to support a more recent
version of the benchmark.

*Security Benchmark:*

CIS Microsoft Windows Server 2019 Benchmark, V4.0.0

*Published Sites:*
CIS Checklist for Windows Server 2019 DC, site version 26

CIS Checklist for Windows Server 2019 MS, site version 22
(The site version is provided for air-gap customers.)




*Details: CIS Checklist for Windows Server 2019 DC*

●       Total New Fixlets: 22

●       Total Updated Fixlets: 23

●       Total Deleted Fixlets: 3

●       Total Fixlets in Site: 402



*Details: CIS Checklist for Windows Server 2019 MS*

●       Total New Fixlets: 22

●       Total Updated Fixlets: 23

●       Total Deleted Fixlets: 3

●       Total Fixlets in Site: 408





●      *ADDED*

o       (L1) Ensure 'Turn on Basic feed authentication over HTTP' is set to
'Disabled'

o       (L1) Ensure 'Configure multicast DNS (mDNS) protocol' is set to
'Disabled'

o       (L2) Ensure 'Turn off default IPv6 DNS Servers' is set to 'Enabled'

o       (L1) Ensure 'Enable App Installer Local Archive Malware Scan
Override' is set to 'Disabled'

o       (L1) Ensure 'Enable App Installer Microsoft Store Source
Certificate Validation Bypass' is set to 'Disabled'

o       (L2) Ensure 'Enable Windows Package Manager command line
interfaces' is set to 'Disabled'

o       (L1) Ensure 'Do not apply the Mark of the Web tag to files copied
from insecure sources' is set to 'Disabled'

o       (L1) Ensure 'Control whether exclusions are visible to local users'
is set to 'Enabled'

o       (L1) Ensure 'Enable EDR in block mode' is set to 'Enabled'

o       (L2) Ensure 'Convert warn verdict to block' is set to 'Enabled'

o       (L1) Ensure 'Configure real-time protection and Security
Intelligence Updates during OOBE' is set to 'Enabled'

o       (L2) Ensure 'Configure Brute-Force Protection aggressiveness' is
set to 'Enabled: Medium' or higher

o       (L1) Ensure 'Configure Remote Encryption Protection Mode' is set to
'Enabled: Audit' or higher

o       (L2) Ensure 'Configure how aggressively Remote Encryption
Protection blocks threats' is set to 'Enabled: Medium' or higher

o       (L1) Ensure 'Scan excluded files and directories during quick
scans' is set to 'Enabled: 1'

o       (L1) Ensure 'Trigger a quick scan after X days without any scans'
is set to 'Enabled: 7'

o       (NG) Ensure 'Turn On Virtualization Based Security: Virtualization
Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'

o       (NG) Ensure 'Turn On Virtualization Based Security: Select Platform
Security Level' is set to 'Secure Boot' or higher

o       (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch
Configuration' is set to 'Enabled'

o       (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI
Memory Attributes Table' is set to 'True (checked)'

o       (NG) Ensure 'Turn On Virtualization Based Security: Credential
Guard Configuration' is set to 'Disabled' (DC Only)

o       (NG) Ensure 'Turn On Virtualization Based Security: Credential
Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only)

o       (NG) Ensure 'Turn On Virtualization Based Security' is set to
'Enabled'





●       *UPDATED*

o       (L1) Ensure 'Enable Certificate Padding' is set to 'Enabled'

o       (L1 -> L2) Ensure 'Enable App Installer' is set to 'Disabled'

o       (L1) Ensure 'Configure Attack Surface Reduction rules: Set the
state for each ASR rule' is configured

o       (L1) Ensure 'Network access: Remotely accessible registry paths and
sub-paths' is configured

o       (L1) Ensure 'Network access: Remotely accessible registry paths' is
configured

o       (L1) Ensure 'Network access: Named Pipes that can be accessed
anonymously' is configured (DC only)

o       (L1) Ensure 'Network access: Named Pipes that can be accessed
anonymously' is configured (MS only)

o       (L1) Ensure 'Replace a process level token' is set to 'LOCAL
SERVICE, NETWORK SERVICE'

o       (L1) Ensure 'Adjust memory quotas for a process' is set to
'Administrators, LOCAL SERVICE, NETWORK SERVICE'

o       (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE,
NETWORK SERVICE'

o       (L1) Ensure 'Turn off toast notifications on the lock screen' is
set to 'Enabled'

o       (L2) Ensure 'Turn off Help Experience Improvement Program' is set
to 'Enabled'

o       (L1) Ensure 'Do not preserve zone information in file attachments'
is set to 'Disabled'

o       (L1) Ensure 'Notify antivirus programs when opening attachments' is
set to 'Enabled'

o       (L1) Ensure 'Configure Windows spotlight on lock screen' is set to
'Disabled'

o       (L1) Ensure 'Do not suggest third-party content in Windows
spotlight' is set to 'Enabled'

o       (L2) Ensure 'Do not use diagnostic data for tailored experiences'
is set to 'Enabled'

o       (L2) Ensure 'Turn off all Windows spotlight features' is set to
'Enabled'

o       (L1) Ensure 'Turn off Spotlight collection on Desktop' is set to
'Enabled'

o       (L1) Ensure 'Prevent users from sharing files within their
profile.' is set to 'Enabled'

o       (L1) Ensure 'Always install with elevated privileges' is set to
'Disabled'

o       (L2) Ensure 'Prevent Codec Download' is set to 'Enabled'

o       (L1) Ensure 'Enable password encryption' is set to 'Enabled'



●       *DELETED*

o       (L1) Ensure 'Toggle user control over Insider builds' is set to
'Disabled'

o       (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users
can't add or log on with Microsoft accounts'

o       (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to
'Disabled'



●       Both analysis and remediation checks are included

●       Some of the checks allow you to use the parameterized setting to
enable customization for compliance evaluation. Note that parameterization
and remediation actions require the creation of a custom site.



*Actions to take:*

●      To subscribe to the above site, you can use the License Overview
Dashboard to enable and gather the site. Note that you must be entitled to
the BigFix Compliance product, and you must be using BigFix version 10 and
later.

●       If you use custom sites, update your custom sites accordingly to
use the latest content. You can synchronize your content by using the
Synchronize Custom Checks wizard. For more information, see

https://help.hcltechsw.com/bigfix/11.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html

*More information:*
To know more about the BigFix Compliance SCM checklists, please see the
following resources:

●       BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance

●       BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=enus#!/wiki/BigFix%20Wiki/page/SCM%20Checklists

We hope you find this latest release of SCM content useful and effective.
Thank you!

*– The BigFix Compliance team*