[BESAdmin-Announcements] BigFix Compliance: Updated CIS Checklist for Windows 2016, published 2026-03-19

Announcements for BES Administrators besadmin-announcements at bigmail.bigfix.com
Mon Mar 23 11:32:31 PDT 2026 

*Product:*
BigFix Compliance

*Title:*
Updated CIS Checklist for Windows 2016

*Security Benchmark:*
CIS Microsoft Windows Server 2016 Benchmark, V4.0.0.

*Published Sites:*
CIS Checklist for Windows 2016 MS, site version 22.
(The site version is provided for air-gap customers.)

*Details:*

●       Total New Fixlets: 13

●       Total Updated Fixlets:5

●       Total Deleted Fixlets: 2

●       Total Fixlets in Site: 387

●       *NEW FIXLET*

o       (L1) Ensure 'Turn on Basic feed authentication over HTTP' is set to
'Disabled'

o       (L1) Ensure 'Configure multicast DNS (mDNS) protocol' is set to
'Disabled'

o       (L2) Ensure 'Turn off default IPv6 DNS Servers' is set to
'Enabled'

o       (L1) Ensure 'Do not apply the Mark of the Web tag to files copied
from insecure sources' is set to 'Disabled'

o       (L1) Ensure 'Control whether exclusions are visible to local users'
is set to 'Enabled'

o       (L1) Ensure 'Enable EDR in block mode' is set to 'Enabled'

o       (L2) Ensure 'Convert warn verdict to block' is set to 'Enabled'

o       (L1) Ensure 'Configure real-time protection and Security
Intelligence Updates during OOBE' is set to 'Enabled'

o       (L2) Ensure 'Configure Brute-Force Protection aggressiveness' is
set to 'Enabled: Medium' or higher

o       (L1) Ensure 'Configure Remote Encryption Protection Mode' is set to
'Enabled: Audit' or higher

o       (L2) Ensure 'Configure how aggressively Remote Encryption
Protection blocks threats' is set to 'Enabled: Medium' or higher

o       (L1) Ensure 'Scan excluded files and directories during quick
scans' is set to 'Enabled: 1'

o       (L1) Ensure 'Trigger a quick scan after X days without any scans'
is set to 'Enabled: 7'



●       *UPDATED FIXLET*

○       (L1) Ensure 'Enable Certificate Padding' is set to 'Enabled''

○       (L1) Ensure 'Configure RPC packet level privacy setting for
incoming connections' is set to 'Enabled' (moved from 18.4.1 to 18.7.8)

○       (L1) Ensure 'Network access: Named Pipes that can be accessed
anonymously' is configured (MS only)  - Renamed

○       (L1)Ensure 'Network access: Remotely accessible registry paths' is
configured - Renamed

○       (L1)Ensure 'Network access: Remotely accessible registry paths and
sub-paths' is configured  - Renamed

●       *DELETED FIXLET*

○       (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to
'Disabled'

○        (L1) Ensure 'Toggle user control over Insider builds' is set to
'Disabled'


*Published Sites:*
CIS Checklist for Windows 2016 DC, site version 22.
(The site version is provided for air-gap customers.)

*Details:*

●       Total New Fixlets: 13

●       Total Updated Fixlets:5

●       Total Deleted Fixlets: 2

●       Total Fixlets in Site: 384



●       *NEW FIXLET*

o       (L1) Ensure 'Turn on Basic feed authentication over HTTP' is set to
'Disabled'

o       (L1) Ensure 'Configure multicast DNS (mDNS) protocol' is set to
'Disabled'

o       (L2) Ensure 'Turn off default IPv6 DNS Servers' is set to
'Enabled'

o       (L1) Ensure 'Do not apply the Mark of the Web tag to files copied
from insecure sources' is set to 'Disabled'

o       (L1) Ensure 'Control whether exclusions are visible to local users'
is set to 'Enabled'

o       (L1) Ensure 'Enable EDR in block mode' is set to 'Enabled'

o       (L2) Ensure 'Convert warn verdict to block' is set to 'Enabled'

o       (L1) Ensure 'Configure real-time protection and Security
Intelligence Updates during OOBE' is set to 'Enabled'

o       (L2) Ensure 'Configure Brute-Force Protection aggressiveness' is
set to 'Enabled: Medium' or higher

o       (L1) Ensure 'Configure Remote Encryption Protection Mode' is set to
'Enabled: Audit' or higher

o       (L2) Ensure 'Configure how aggressively Remote Encryption
Protection blocks threats' is set to 'Enabled: Medium' or higher

o       (L1) Ensure 'Scan excluded files and directories during quick
scans' is set to 'Enabled: 1'

o       (L1) Ensure 'Trigger a quick scan after X days without any scans'
is set to 'Enabled: 7'



●       *UPDATED FIXLET*

○       (L1) Ensure 'Enable Certificate Padding' is set to 'Enabled''

○       (L1) Ensure 'Configure RPC packet level privacy setting for
incoming connections' is set to 'Enabled' (moved from 18.4.1 to 18.7.8)

○       (L1) Ensure 'Network access: Named Pipes that can be accessed
anonymously' is configured (DC only)  - Renamed

○       (L1)Ensure 'Network access: Remotely accessible registry paths' is
configured - Renamed

○       (L1)Ensure 'Network access: Remotely accessible registry paths and
sub-paths' is configured  - Renamed

●       *DELETED FIXLET*

○       (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to
'Disabled'

○        (L1) Ensure 'Toggle user control over Insider builds' is set to
'Disabled'







●       Metadata has been incorporated into all the checks.

●       Both analysis and remediation checks are included

●       Some of the checks allow you to use the parameterized setting to
enable customization for compliance evaluation. Note that parameterization
and remediation actions require the creation of a custom site.



*Actions to take:*

●       To subscribe to the above site, you can use the License Overview
Dashboard to enable and gather the site. Note that you must be entitled to
the BigFix Compliance product, and you must be using BigFix version 10 and
later.

●       If you use custom sites, update your custom sites accordingly to
use the latest content. You can synchronize your content by using the
Synchronize Custom Checks wizard. For more information, see
https://help.hcltechsw.com/bigfix/11.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html?hl=using%2Csynchronize%2Ccustom%2Cchecks%2Cwizard

*More information:*
To know more about the BigFix Compliance SCM checklists, please see the
following resources:

●       BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance
<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fforum.bigfix.com%2Fc%2Frelease-announcements%2Fcompliance&data=05%7C01%7CBigFix-Scrum-Earth%40hcl.com%7C61ec2d6bab7045a6665a08da698269dc%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C637938306089268982%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=lZlCjKlTnGZJa3%2Bj3qG%2BCnAoYrbdp3vJhKfbSIBzAk8%3D&reserved=0>

●       BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en-us#!/wiki/BigFix%20Wiki/page/SCM%20Checklists
<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbigfix-wiki.hcltechsw.com%2Fwikis%2Fhome%3Flang%3Den-us%23!%2Fwiki%2FBigFix%2520Wiki%2Fpage%2FSCM%2520Checklists&data=05%7C01%7CBigFix-Scrum-Earth%40hcl.com%7C61ec2d6bab7045a6665a08da698269dc%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C637938306089268982%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=85r4DuoxmRhQGtFLNdDeWVnEczSvEM%2BtlYxQcbAAdCU%3D&reserved=0>

We hope you find this latest release of SCM content useful and effective.

Thank you!

– The BigFix Compliance team
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://bigmail.bigfix.com/pipermail/besadmin-announcements/attachments/20260323/63886981/attachment.html>

More information about the Besadmin-announcements mailing list