[BESAdmin-Announcements] BigFix Compliance: Updated CIS Checklist for Windows 2022, published 2026-04-17

Announcements for BES Administrators besadmin-announcements at bigmail.bigfix.com
Fri Apr 17 14:11:35 PDT 2026 

*Product:*
BigFix Compliance

*Title:*
Updated *CIS Checklist for Windows 2022 *to support a more recent version
of the benchmark.

*Security Benchmark:*

CIS Microsoft Windows Server 2022 Benchmark, V5.0.0

*Published Sites:*
CIS Checklist for Windows 2022 DC, site version 15

CIS Checklist for Windows 2022 MS, site version 16
(The site version is provided for air-gap customers.)


*Details: CIS Checklist for Windows 2022 DC*

●       Total New Fixlets: 3

●       Total Updated Fixlets:13

●       Total Deleted Fixlets: 15

●       Total Fixlets in Site: 401



*Details: CIS Checklist for Windows 2022 MS*

●       Total New Fixlets: 3

●       Total Updated Fixlets:13

●       Total Deleted Fixlets: 15

●       Total Fixlets in Site: 406





●      *ADDED*

o       Ensure 'Disable HTTP proxy features: Disable proxy authentication'
is set to 'Enabled: Disable authentication over loopback interfaces'

o        Ensure 'Disable HTTP proxy features: Disable WPAD' is set to
'Enabled: Checked'

o       Ensure 'Enable / disable CLFS logfile authentication' is set to
'Enabled'

●       *UPDATED*

o       Ensure 'Enable OneSettings Auditing' is set to 'Enabled'

o       Ensure 'Limit Dump Collection' is set to 'Enabled'

o       Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled

o       Ensure 'Configure validation of ROCA-vulnerable WHfB keys during
authentication' is set to 'Enabled: Audit' or higher (DC only) TO 'Block'

o       Ensure 'Post-authentication actions: Actions' is set to 'Enabled:
Reset the password and logoff the managed account' or higher

o       Ensure 'Windows Firewall: Public: Logging: Name' is set to
'%SystemRoot%\System32\logfiles\firewall\publicfw.log' TO is configured

o       Ensure 'Windows Firewall: Private: Logging: Name' is set to
'%SystemRoot%\System32\logfiles\firewall\privatefw.log' TO is configured

o       Ensure 'Windows Firewall: Domain: Logging: Name' is set to
'%SystemRoot%\System32\logfiles\firewall\domainfw.log' TO is configured

o       Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to
'Disabled'

o       (L1) Ensure 'Password Settings: Password Complexity' is set to
'Enabled: Large letters + small letters + numbers + special characters +
Passphrases

o       (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success'

o       (L2) Ensure 'Join Microsoft MAPS' is set to ‘Enabled'

o       (L1) Ensure 'Network access: Allow anonymous SID/Name translation'
is set to 'Disabled'







●       *DELETED*

o       Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set
to 'Disabled' from MS profile

o       Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before
the screen saver grace period expires' is set to 'Enabled: 5 or fewer
seconds'

o       (L1) Ensure 'Configure registry policy processing: Process even if
the Group Policy objects have not changed' is set to 'Enabled: TRUE'

   - (L1) Ensure 'Configure registry policy processing: Do not apply during
   periodic background processing' is set to 'Enabled: FALSE'
   - (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL
   SERVICE, Users’
   - (L1) Ensure 'Always install with elevated privileges' is set to
   'Disabled'
   - (L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled'
   - (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'
   - (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to
   'Enabled'
   - (L1) Ensure 'Select when Preview Builds and Feature Updates are
   received' is set to 'Enabled: 180 or more days'
   - (L1) Ensure 'WDigest Authentication' is set to 'Disabled'
   - (L1) Ensure 'Network security: LDAP client encryption requirements' is
   set to 'Negotiate sealing' or higher
   - (L1) Ensure 'Turn off Microsoft consumer experiences' is set to
   'Enabled'
   - (L1) Ensure 'Microsoft network server: Digitally sign communications
   (if client agrees)' is set to 'Enabled'
   - (L1) Ensure 'Microsoft network client: Digitally sign communications
   (if server agrees)' is set to 'Enabled'



●       Both analysis and remediation checks are included

●       Some of the checks allow you to use the parameterized setting to
enable customization for compliance evaluation. Note that parameterization
and remediation actions require the creation of a custom site.



*Actions to take:*

●      To subscribe to the above site, you can use the License Overview
Dashboard to enable and gather the site. Note that you must be entitled to
the BigFix Compliance product, and you must be using BigFix version 10 and
later.

●       If you use custom sites, update your custom sites accordingly to
use the latest content. You can synchronize your content by using the
Synchronize Custom Checks wizard. For more information, see

https://help.hcltechsw.com/bigfix/11.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html

*More information:*
To know more about the BigFix Compliance SCM checklists, please see the
following resources:

●       BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance
<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fforum.bigfix.com%2Fc%2Frelease-announcements%2Fcompliance&data=05%7C01%7CBigFix-Scrum-Earth%40hcl.com%7C850b19aead5a47f24eb308da841ed642%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C637967565224681222%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=UYYRYb3SofshREYync5mCc2d5MUGb53t7OjOCBg%2BoJg%3D&reserved=0>

●       BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=enus#!/wiki/BigFix%20Wiki/page/SCM%20Checklists
<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbigfix-wiki.hcltechsw.com%2Fwikis%2Fhome%3Flang%3Denus%23!%2Fwiki%2FBigFix%2520Wiki%2Fpage%2FSCM%2520Checklists&data=05%7C01%7CBigFix-Scrum-Earth%40hcl.com%7C850b19aead5a47f24eb308da841ed642%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C637967565224681222%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=sJEji05sRie522iksNIya8RoKSDGBtgSCKlAzsF0N%2Fo%3D&reserved=0>

We hope you find this latest release of SCM content useful and effective.
Thank you!

*– The BigFix Compliance team*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://bigmail.bigfix.com/pipermail/besadmin-announcements/attachments/20260417/1475ddfd/attachment.html>

More information about the Besadmin-announcements mailing list