[BESAdmin-Announcements] BigFix Compliance: Updated CIS Checklist for Windows 2025, published 2026-04-30

Announcements for BES Administrators besadmin-announcements at bigmail.bigfix.com
Thu Apr 30 07:15:59 PDT 2026 

Product:
BigFix Compliance

Title:
Updated CIS Checklist for Windows 2025.

Security Benchmark:
CIS Microsoft Windows Server 2025 Benchmark, V2.0.0

Published Sites:
CIS Checklist for Windows 2025 DC, site version 5.
CIS Checklist for Windows 2025 MS, site version 7.
(The site version is provided for air-gap customers.)

*Details: CIS Checklist for Windows 2022 MS*

●       Total New Fixlets: 8

●       Total Updated Fixlets:16

●       Total Deleted Fixlets: 17

●       Total Fixlets in Site: 421





*ADDED*

●       Ensure 'Disable HTTP proxy features: Disable proxy authentication'
is set to 'Enabled: Disable authentication over loopback interfaces'

●       Ensure 'Disable HTTP proxy features: Disable WPAD' is set to
'Enabled: Checked'

●       Ensure 'Require IPPS for IPP printers' is set to 'Enabled'

●       Ensure 'Set TLS/SSL security policy for IPP printers: Disallow
invalid certificate authority' is set to 'Enabled: Checked'

●       Ensure 'Set TLS/SSL security policy for IPP printers: Disallow
invalid certificate common name' is set to 'Enabled: Checked'

●       18.7 Ensure 'Set TLS/SSL security policy for IPP printers: Disallow
invalid certificate date' is set to 'Enabled: Checked'

●       Ensure 'Set TLS/SSL security policy for IPP printers: Disallow
non-server certificates' is set to 'Enabled: Checked'

●       Ensure 'Enable / disable CLFS logfile authentication' is set to
'Enabled'

*UPDATED*

·        *(L1) Ensure 'Prevent device metadata retrieval from the Internet'*

·        (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and

·        Failure' TO 'Success'



·        Ensure 'Enable OneSettings Auditing' is set to 'Enabled'



·        Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled' TO

·        L1->L2



·        Ensure 'Limit Dump Collection' is set to 'Enabled' TO L1->L2



·        (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled' TO 'L2->L1'

·        and 'Disabled->Enabled'



·        (L1) Ensure 'Password Settings: Password Complexity' is set to
'Enabled: Large letters + small letters + numbers + special characters' TO
include Passphrases



·        Ensure 'Post-authentication actions: Actions' is set to 'Enabled:

·        Reset the password and logoff the managed account' or higher



·        Ensure 'Configure validation of ROCA-vulnerable WHfB keys during

·        authentication' is set to 'Enabled: Audit' or higher (DC only) TO
'Block'



·        (L1) Ensure 'Impersonate a client after authentication' is set to

·        'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and
(when the Web Server (IIS) Role with Web Services Role Service is
installed) 'IIS_IUSRS' (MS only) TO include RESTRICTED
SERVICES\PrintSpoolerService



·        Ensure 'Generate security audits' is set to 'LOCAL SERVICE,
NETWORK SERVICE' TO include RESTRICTED SERVICES\PrintSpoolerService



·        (L1) Ensure 'Network access: Allow anonymous SID/Name translation'

·        is set to 'Disabled'



·        Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is

·        set to 'Disabled'



·        Ensure 'Windows Firewall: Domain: Logging: Name' is set to
'%SystemRoot%\System32\logfiles\firewall\domainfw.log' TO is configured

·        \ Ensure 'Windows Firewall: Private: Logging: Name' is set to
'%SystemRoot%\System32\logfiles\firewall\privatefw.log' TO is configured



·        Ensure 'Windows Firewall: Public: Logging: Name' is set to
'%SystemRoot%\System32\logfiles\firewall\publicfw.log' TO is configured





●       *DELETED*

●      (L1) Ensure 'Turn off Microsoft consumer experiences' is set to
'Enabled'

●      (L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled'

●      (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set
to 'Enabled'

●      Ensure 'Turn on Basic feed authentication over HTTP' is set
to'Disabled'

●      (L1) Ensure 'Select when Preview Builds and Feature Updates are
received' is set to 'Enabled: 180 or more days'

●      (L1) Ensure 'WDigest Authentication' is set to 'Disabled'

●      Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the
screen saver grace period expires' is set to 'Enabled: 5 or fewer seconds'

●      (L1) Ensure 'Configure registry policy processing: Do not apply
during periodic background processing' is set to 'Enabled: FALSE'

●      (L1) Ensure 'Configure registry policy processing: Process even if
the Group Policy objects have not changed' is set to 'Enabled: TRUE'

●      Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to
'Disabled'

●      (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'

●      (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL
SERVICE, Users'

●      (L1) Ensure 'Network security: Do not store LAN Manager hash value
on next password change' is set to 'Enabled'

●      Ensure 'Domain controller: LDAP server signing requirements' is set
to 'Require signing' (DC only)

●      (L1) Ensure 'Microsoft network client: Digitally sign communications
(if server agrees)' is set to 'Enabled'

●      (L1) Ensure 'Microsoft network server: Digitally sign communications
(if client agrees)' is set to 'Enabled'

●      (L1) Ensure 'Always install with elevated privileges' is set to
'Disabled'

●      Both analysis and remediation checks are included

●      Some of the checks allow you to use the parameterized setting to
enable customization for compliance evaluation. Note that parameterization
and remediation actions require the creation of a custom site.

Actions to take:

●      To subscribe to the above site, you can use the License Overview
Dashboard to enable and gather the site. Note that you must be entitled to
the BigFix Compliance product, and you must be using BigFix version 11.0.3
and later.

●      If you use custom sites, update your custom sites accordingly to use
the latest content. You can synchronize your content by using the
Synchronize Custom Checks wizard. For more information, see Using the
Synchronize Custom Checks wizard
<https://help.hcl-software.com/bigfix/11.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html>

More information:

To know more about the BigFix Compliance SCM checklists, please see the
following resources:

●      BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance

●      BigFix Compliance SCM Checklists:
Welcome to Wikis
<https://bigfix-wiki.hcltechsw.com/wikis/home?lang=enus#!/wiki/BigFix%20Wiki/page/SCM%20Checklists>

We hope you find this latest release of SCM content useful and effective.
Thank you!

*– The BigFix Compliance team.*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://bigmail.bigfix.com/pipermail/besadmin-announcements/attachments/20260430/aecf6baf/attachment.html>

More information about the Besadmin-announcements mailing list