[BESAdmin-Announcements] BigFix Compliance: Updated CIS Checklist for Windows 11, published 2026-03-23
Announcements for BES Administrators
besadmin-announcements at bigmail.bigfix.com
Mon Mar 23 07:36:18 PDT 2026
*Product:*
BigFix Compliance
*Title:*
Updated *CIS Checklist for Windows 11* to support a more recent version of
the benchmark.
*Security Benchmark:*
CIS Microsoft Windows 11 Enterprise Benchmark, V5.0.0
*Published Sites:*
CIS Checklist for Windows 11, site version 15
(The site version is provided for air-gap customers.)
*Details:*
● Total New Fixlets: 14
● Total Updated Fixlets:35
● Total Deleted Fixlets: 31
● Total Fixlets in Site: 560
● *ADDED*
o Ensure 'Require IPPS for IPP printers' is set to 'Enabled'
o Ensure 'Enable / disable CLFS logfile authentication' is set to
'Enabled'
o Ensure 'Allow Recall to be enabled' is set to 'Disabled'
o Ensure 'Set TLS/SSL security policy for IPP printers: Disallow
invalid certificate authority' is set to 'Enabled: Checked'
o Ensure 'Set TLS/SSL security policy for IPP printers: Disallow
non-server certificates' is set to 'Enabled: Checked'
o Ensure 'Set TLS/SSL security policy for IPP printers: Disallow
invalid certificate common name' is set to 'Enabled: Checked'
o Ensure 'Set TLS/SSL security policy for IPP printers: Disallow
invalid certificate date' is set to 'Enabled: Checked'
o Ensure 'Disable HTTP proxy features: Disable WPAD' is set to
'Enabled: Checked'
o Ensure 'Disable HTTP proxy features: Disable proxy authentication'
is set to 'Enabled: Disable authentication over loopback interfaces'
● *UPDATED*
o (L1) Ensure 'Network access: Allow anonymous SID/Name translation'
is set to 'Disabled'
o (L1) Ensure 'Configures LSASS to run as a protected process' is set
to 'Enabled: Enabled with UEFI Lock'
o (L1) Ensure 'Join Microsoft MAPS' is set to 'Disabled'
o (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success’
o (L1) Ensure 'Password Settings: Password Complexity' is set to
'Enabled: Large letters + small letters + numbers + special characters' or
'Passphrase'
o (L2) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set
to 'Disabled'
o (L1) Ensure 'Prevent automatic download of applications associated
with device metadata'
o (L1) Ensure 'Impersonate a client after authentication' is set to
'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' TO include
'RESTRICTED SERVICES\PrintSpoolerService'
o (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to
o '%SystemRoot%\System32\logfiles\firewall\domainfw.log' TO is
configured
o (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to
'%SystemRoot%\System32\logfiles\firewall\privatefw.log' TO is configured
o (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to
'%SystemRoot%\System32\logfiles\firewall\publicfw.log' TO is configured
o (L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to
'Disabled' or 'Not Installed'
o (L2) Ensure 'Prevent the usage of OneDrive for file storage' is set
to 'Enabled'
o (L2) Ensure 'Allow widgets' is set to 'Disabled'
o Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK
SERVICE', RESTRICTED SERVICES\PrintSpoolerService
o Ensure 'Post-authentication actions: Actions' is set to 'Enabled:
Reset the password and logoff the managed account' or higher
o (L2) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'
o (L2) Ensure 'Limit Dump Collection' is set to 'Enabled'
o Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to
'Disabled' or 'Not Installed'
o Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled' or
'Not Installed'
o Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set
to 'Disabled' or 'Not Installed'
● *DELETED*
o (BL) Ensure 'Disable new DMA devices when this computer is locked'
is set to 'Enabled'
o (L1) Ensure 'Microsoft network client: Digitally sign
communications (if server agrees)' is set to 'Enabled'
o (L1) Ensure 'Microsoft network server: Digitally sign
communications (if client agrees)' is set to 'Enabled'
o (L1) Ensure 'Network security: Do not store LAN Manager hash value
on next password change' is set to 'Enabled'
o (L1) Ensure 'Select when Preview Builds and Feature Updates are
received' is set to 'Enabled: 180 or more days'
o (L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled'
o (L1) Ensure 'Always install with elevated privileges' is set to
'Disabled' FROM User Section
o (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL
SERVICE, Users'
o (L1) Ensure 'Turn off Windows Copilot' is set to 'Enabled'
o (L1) Ensure 'Configure registry policy processing: Do not apply
during periodic background processing' is set to 'Enabled: FALSE'
o (L1) Ensure 'Configure registry policy processing: Process even if
the Group Policy objects have not changed' is set to 'Enabled: TRUE'
o (BL) Ensure 'Interactive logon: Machine account lockout threshold'
is set to '10 or fewer invalid logon attempts, but not 0'
o Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before
the screen saver grace period expires' is set to 'Enabled: 5 or fewer
seconds'
o Ensure 'WinHTTP Web Proxy Auto-Discovery Service
(WinHttpAutoProxySvc)' is set to 'Disabled'
o Ensure 'Configure use of passwords for operating system drives' is
set to 'Disabled'
o Ensure 'Require additional authentication at startup: Allow
BitLocker without a compatible TPM' is set to 'Enabled: False'
o Ensure 'Require additional authentication at startup' is set to
'Enabled'
o Ensure 'Turn on Basic feed authentication over HTTP' is set to
'Disabled'
● Both analysis and remediation checks are included
● Some of the checks allow you to use the parameterized setting to
enable customization for compliance evaluation. Note that parameterization
and remediation actions require the creation of a custom site.
*Actions to take:*
● To subscribe to the above site, you can use the License Overview
Dashboard to enable and gather the site. Note that you must be entitled to
the BigFix Compliance product, and you must be using BigFix version 10 and
later.
● If you use custom sites, update your custom sites accordingly to
use the latest content. You can synchronize your content by using the
Synchronize Custom Checks wizard. For more information, see
https://help.hcltechsw.com/bigfix/11.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html
*More information:*
To know more about the BigFix Compliance SCM checklists, please see the
following resources:
● BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance
<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fforum.bigfix.com%2Fc%2Frelease-announcements%2Fcompliance&data=05%7C01%7CBigFix-Scrum-Earth%40hcl.com%7C850b19aead5a47f24eb308da841ed642%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C637967565224681222%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=UYYRYb3SofshREYync5mCc2d5MUGb53t7OjOCBg%2BoJg%3D&reserved=0>
● BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=enus#!/wiki/BigFix%20Wiki/page/SCM%20Checklists
<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbigfix-wiki.hcltechsw.com%2Fwikis%2Fhome%3Flang%3Denus%23!%2Fwiki%2FBigFix%2520Wiki%2Fpage%2FSCM%2520Checklists&data=05%7C01%7CBigFix-Scrum-Earth%40hcl.com%7C850b19aead5a47f24eb308da841ed642%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C637967565224681222%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=sJEji05sRie522iksNIya8RoKSDGBtgSCKlAzsF0N%2Fo%3D&reserved=0>
We hope you find this latest release of SCM content useful and effective.
Thank you!
*– The BigFix Compliance team*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://bigmail.bigfix.com/pipermail/besadmin-announcements/attachments/20260323/10d02f1c/attachment.html>
More information about the Besadmin-announcements
mailing list