[BESAdmin-Announcements] BigFix Compliance: Updated Universal Checklist for Windows Workstation, published 2026-06-22
Announcements for BES Administrators
besadmin-announcements at bigmail.bigfix.com
Thu Jun 25 07:42:43 PDT 2026
*Product:*
BigFix Compliance
*Title:*
Updated Universal Checklist for Windows Workstation to support more recent
versions of CIS and DISA benchmarks.
*Published Sites:*
Universal Checklist for Windows Workstation, site version 2
(The site version is provided for air-gap customers.)
*Details: Universal Checklist for Windows Workstation*
● *Total Fixlets: 656*
● *Total New Fixlets: 31*
● *Total Updated Fixlets:32*
● *Total Deleted Fixlets: 2*
● *Fixlets with Remediation: 632*
● *Parameterized Fixlets : 532*
● *Benchmark Sources: CIS and DISA STIGs*
● *Applies To: Windows Workstation 10 & 11*
*ADDED*
● Ensure 'Require IPPS for IPP printers' is set to 'Enabled'
● Ensure 'Enable / disable CLFS logfile authentication' is set to
'Enabled'
● Ensure 'Allow Recall to be enabled' is set to 'Disabled'
● Ensure 'Set TLS/SSL security policy for IPP printers: Disallow
invalid certificate authority' is set to 'Enabled: Checked'
● Ensure 'Set TLS/SSL security policy for IPP printers: Disallow
non-server certificates' is set to 'Enabled: Checked'
● Ensure 'Set TLS/SSL security policy for IPP printers: Disallow
invalid certificate common name' is set to 'Enabled: Checked'
● Ensure 'Set TLS/SSL security policy for IPP printers: Disallow
invalid certificate date' is set to 'Enabled: Checked'
● Ensure 'Disable HTTP proxy features: Disable WPAD' is set to
'Enabled: Checked'
● Ensure 'Disable HTTP proxy features: Disable proxy authentication'
is set to 'Enabled: Disable authentication over loopback interfaces'
● Windows Workstation must be configured to audit file system
failures.
● Windows Workstation must be configured to audit file system
successes.
● Windows Workstation must be configured to audit handle manipulation
failures.
● Windows Workstation must be configured to audit handle manipulation
successes.
● Windows Workstation must be configured to audit registry failures.
● Windows Workstation must be configured to audit registry successes.
● The Secondary Logon service must be disabled on Windows 10.
● Windows Telemetry must not be configured to Full.
● Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK
SERVICE, RESTRICTED SERVICES\PrintSpoolerService'
● Ensure 'Impersonate a client after authentication' is set to
'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE, RESTRICTED
SERVICES\PrintSpoolerService'
● Ensure 'Windows Firewall: Domain: Logging: Name' is configured
● Ensure 'Windows Firewall: Private: Logging: Name' is configured
● Ensure 'Windows Firewall: Public: Logging: Name' is configured
● Ensure 'Prevent automatic download of applications associated with
device metadata' is set to 'Enabled'
● Ensure 'Password Settings: Password Complexity' is set to 'Enabled:
Large letters + small letters + numbers + special characters' or
'Passphrase'
● Ensure 'Post-authentication actions: Actions' is set to 'Enabled:
Reset the password and logoff the managed account' or higher (B)
● Ensure 'Let Windows apps activate with voice while the system is
locked' is set to 'Enabled: Force Deny'
● Ensure 'Configure local setting override for reporting to Microsoft
MAPS' is set to 'Disabled'
● Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to
'Disabled' or 'Not Installed'
● Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled' or
'Not Installed'
● Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to
'Disabled' or 'Not Installed'
● Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set
to 'Disabled' or 'Not Installed'
*REMOVED*
● Data Execution Prevention (DEP) must be configured to at least
OptOut.
● The built-in administrator account must be disabled.
*UPDATED*
● Ensure 'Account lockout duration' is set to '15 or more minute(s)'
● Ensure 'Adjust memory quotas for a process' is set to
'Administrators, LOCAL SERVICE, NETWORK SERVICE'
● Ensure 'Replace a process level token' is set to 'LOCAL SERVICE,
NETWORK SERVICE'
● Configure 'Accounts: Rename administrator account'
● Configure 'Accounts: Rename guest account'
● Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to
'Disabled'
● Ensure 'Enable Certificate Padding' is set to 'Enabled'
● Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'
● Ensure 'Limit Dump Collection' is set to 'Enabled'
● Ensure 'Prevent the usage of OneDrive for file storage' is set to
'Enabled'
● Ensure 'Allow widgets' is set to 'Disabled'
● Credential Guard must be running on Windows Workstation
domain-joined systems.
● Windows Workstation must be configured to prevent certificate error
overrides in Microsoft Edge.
● Windows Workstation must be configured to audit Other Policy Change
Events Successes.
● Ensure 'Disable new DMA devices when this computer is locked' is
set to 'Enabled'
● Ensure 'Microsoft network client: Digitally sign communications (if
server agrees)' is set to 'Enabled'
● Ensure 'Microsoft network server: Digitally sign communications (if
client agrees)' is set to 'Enabled'
● Ensure 'Network security: Do not store LAN Manager hash value on
next password change' is set to 'Enabled'
● Ensure 'Select when Preview Builds and Feature Updates are
received' is set to 'Enabled: 180 or more days'
● Ensure 'Disable OneSettings Downloads' is set to 'Enabled'
● Ensure 'Always install with elevated privileges' is set to
'Disabled' FROM User Section
● Ensure 'Change the time zone' is set to 'Administrators, LOCAL
SERVICE, Users'
● Ensure 'Turn off Windows Copilot' is set to 'Enabled'
● Ensure 'Configure registry policy processing: Do not apply during
periodic background processing' is set to 'Enabled: FALSE'
● Ensure 'Configure registry policy processing: Process even if the
Group Policy objects have not changed' is set to 'Enabled: TRUE'
● Ensure 'Interactive logon: Machine account lockout threshold' is
set to '10 or fewer invalid logon attempts, but not 0'
● Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before
the screen saver grace period expires' is set to 'Enabled: 5 or fewer
seconds'
● Ensure 'WinHTTP Web Proxy Auto-Discovery Service
(WinHttpAutoProxySvc)' is set to 'Disabled'
● Ensure 'Configure use of passwords for operating system drives' is
set to 'Disabled'
● Ensure 'Require additional authentication at startup: Allow
BitLocker without a compatible TPM' is set to 'Enabled: False'
● Ensure 'Require additional authentication at startup' is set to
'Enabled'
● Ensure 'Turn on Basic feed authentication over HTTP' is set to
'Disabled'
*Actions to take:*
● To subscribe to the above site, you can use the License Overview
Dashboard to enable and gather the site. Note that you must be entitled to
the BigFix Compliance product, and you must be using BigFix version 10 and
later.
● * If you use custom sites, update your custom sites accordingly to
use the latest content. You can synchronize your content by using the
Synchronize Custom Checks wizard. For more information, see*
*Using the Synchronize Custom Checks wizard*
<https://help.hcl-software.com/bigfix/11.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html>
Use the SCM Synchronize Custom Checks wizard to update any custom checks in
your deployment whose external sources have since been updated by HCL. You
can use any additional functionality or bug fixes ...
More information:
To know more about the BigFix Compliance SCM checklists, please see the
following resources:
*BigFix Forum: *
*https://forum.bigfix.com/c/release-announcements/compliance*
<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fforum.bigfix.com%2Fc%2Frelease-announcements%2Fcompliance&data=05%7C01%7CBigFix-Scrum-Earth%40hcl.com%7C850b19aead5a47f24eb308da841ed642%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C637967565224681222%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=UYYRYb3SofshREYync5mCc2d5MUGb53t7OjOCBg%2BoJg%3D&reserved=0>
*BigFix Compliance SCM Checklists: *
*https://forum.bigfix.com/t/universal-compliance-checklist/54703*
<https://forum.bigfix.com/t/universal-compliance-checklist/54703>
*We hope you find this latest release of SCM content useful and effective.
Thank you!*
*– The BigFix Compliance team*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://bigmail.bigfix.com/pipermail/besadmin-announcements/attachments/20260625/24006ca4/attachment.html>
More information about the Besadmin-announcements
mailing list