<div dir="ltr"><p class="MsoNormal" style="margin:0in;line-height:115%;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN"> </span></p>
<p class="MsoNormal" style="line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;margin:0in;font-size:11pt;font-family:Arial,sans-serif"><br></p>
<p class="MsoNormal" style="line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;margin:0in;font-size:11pt;font-family:Arial,sans-serif"><b><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue""> </span></b></p>
<p class="MsoNormal" style="line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;margin:0in;font-size:11pt;font-family:Arial,sans-serif"><b><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">Product:</span></b><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue""><br>
BigFix Compliance</span></p>
<p class="MsoNormal" style="margin:14pt 0in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><b><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">Title:</span></b><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue""><br>
Updated <b>CIS Checklist for Windows 10</b>
to support a more recent version of the benchmark.</span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue""></span></p>
<p class="MsoNormal" style="margin:14pt 0in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><b><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">Security Benchmark:</span></b><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue""><br>
CIS Microsoft Windows 10 Enterprise Benchmark, V4.0.0</span><span lang="EN" style="font-size:12pt"></span></p>
<p class="MsoNormal" style="margin:14pt 0in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><b><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">Published Sites:</span></b><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue""><br>
CIS Checklist for Windows 10, site version 22<br>
(The site version is provided for air-gap customers.)</span></p>
<p class="MsoNormal" style="margin:14pt 0in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10pt;font-family:Calibri,sans-serif;color:black"><br>
</span><b><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">Details:</span></b><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue""></span></p>
<p class="MsoNormal" style="margin:14pt 0in 0.0001pt 0.5in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10pt;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">●<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10pt;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">Total New Fixlets: 85</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 0.5in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10pt;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">●<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10pt;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">Total Updated Fixlets:7</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 0.5in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10pt;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">●<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10pt;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">Total Deleted Fixlets: 2</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 0.5in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10pt;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">●<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10pt;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">Total Fixlets in Site: 545</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 0.5in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:12pt;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">●<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><b><span lang="EN" style="font-size:10pt;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">ADDED</span></b><b><span lang="EN" style="font-size:12pt;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial"></span></b></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L1) Ensure 'Require
Encryption' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L1) Ensure 'Trigger a
quick scan after X days without any scans'is set to 'Enabled: 7'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L1) Ensure 'Scan excluded
files and directories during quickscans' is set to 'Enabled: 1'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L2) Ensure 'Configure how
aggressively Remote EncryptionProtection blocks threats' is set to 'Enabled:
Medium' or higher</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L1) Ensure 'Configure
Remote Encryption Protection Mode' is set to 'Enabled: Audit' or higher</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L2) Ensure 'Configure
Brute-Force Protection aggressiveness'is set to 'Enabled: Medium' or higher</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L1) Ensure 'Configure
real-time protection and SecurityIntelligence Updates during OOBE' is set to
'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L2) Ensure 'Convert warn
verdict to block' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L1) Ensure 'Enable EDR in
block mode' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L1) Ensure 'Control
whether exclusions are visible to local users' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L1) Ensure 'Do not apply
the Mark of the Web tag to files copied from insecure sources' is set to
'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L2) Ensure 'Enable
Windows Package Manager command lineinterfaces' is set to 'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L1) Ensure 'Enable App
Installer Microsoft Store Source CertificateValidation Bypass' is set to
'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L1) Ensure 'Turn off
Windows Copilot' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L1) Ensure 'Enable App
Installer Local Archive Malware ScanOverride' is set to 'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L2) Ensure 'Turn off
default IPv6 DNS Servers' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L1) Ensure 'Configure
multicast DNS (mDNS) protocol' is set to'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L1) Ensure 'Turn on Basic
feed authentication over HTTP' is set to'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L2) Ensure 'GameInput
Service (GameInputSvc)' is set to 'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(NG) Ensure 'Allow
auditing events in Microsoft Defender Application Guard' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(NG) Ensure 'Allow camera
and microphone access in Microsoft Defender Application Guard' is set to
'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(NG) Ensure 'Allow data
persistence for Microsoft Defender Application Guard' is set to 'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(NG) Ensure 'Allow files
to download and save to the host operating system from Microsoft Defender
Application Guard' is set to 'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(NG) Ensure 'Configure
Microsoft Defender Application Guard clipboard settings: Clipboard behavior
setting' is set to 'Enabled: Enable clipboard operation from an isolated
session to the host'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(NG) Ensure 'Configures
LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI
Lock'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(NG) Ensure 'Turn on
Microsoft Defender Application Guard in Managed Mode' is set to 'Enabled: 1'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(NG) Ensure 'Turn On
Virtualization Based Security' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(NG) Ensure 'Turn On
Virtualization Based Security: Credential Guard Configuration' is set to
'Enabled with UEFI lock'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(NG) Ensure 'Turn On
Virtualization Based Security: Require UEFI Memory Attributes Table' is set to
'True (checked)'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(NG) Ensure 'Turn On
Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(NG) Ensure 'Turn On
Virtualization Based Security: Select Platform Security Level' is set to
'Secure Boot' or higher</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(NG) Ensure 'Turn On
Virtualization Based Security: Virtualization Based Protection of Code
Integrity' is set to 'Enabled with UEFI lock'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Allow access
to BitLocker-protected fixed data drives from earlier versions of Windows' is
set to 'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected operating system drives can be recovered: Allow data
recovery agent' is set to 'Enabled: False'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected fixed drives can be recovered: Recovery Key' is set to
'Enabled: Allow 256-bit recovery key' or higher</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected fixed drives can be recovered: Allow data recovery agent'
is set to 'Enabled: True'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Prevent
installation of devices using drivers that match these device setup classes:
Prevent installation of devices using drivers for these device setup' is set to
'IEEE 1394 device setup classes'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected removable drives can be recovered: Save BitLocker recovery
information to AD DS for removable data drives' is set to 'Enabled: False'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Configure use
of smart cards on removable data drives: Require use of smart cards on
removable data drives' is set to 'Enabled: True'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Deny write
access to removable drives not protected by BitLocker: Do not allow write
access to devices configured in another organization' is set to 'Enabled:
False'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected removable drives can be recovered' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Allow
enhanced PINs for startup' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Configure use
of hardware-based encryption for removable data drives' is set to 'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected fixed drives can be recovered: Recovery Password' is set to
'Enabled: Allow 48-digit recovery password' or higher</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected operating system drives can be recovered: Recovery
Password' is set to 'Enabled: Require 48-digit recovery password'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected operating system drives can be recovered: Save BitLocker
recovery information to AD DS for operating system drives' is set to 'Enabled:
True'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected removable drives can be recovered: Allow data recovery
agent' is set to 'Enabled: True'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Require
additional authentication at startup' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected operating system drives can be recovered: Recovery Key' is
set to 'Enabled: Do not allow 256-bit recovery key'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected operating system drives can be recovered: Do not enable
BitLocker until recovery information is stored to AD DS for operating system
drives' is set to 'Enabled: True'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Enumeration
policy for external devices incompatible with Kernel DMA Protection' is set to
'Enabled: Block All'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Allow access
to BitLocker-protected removable data drives from earlier versions of Windows'
is set to 'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected removable drives can be recovered: Recovery Key' is set to
'Enabled: Do not allow 256-bit recovery key'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Require
additional authentication at startup: Allow BitLocker without a compatible TPM'
is set to 'Enabled: False'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected removable drives can be recovered: Recovery Password' is
set to 'Enabled: Do not allow 48-digit recovery password'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected fixed drives can be recovered: Do not enable BitLocker
until recovery information is stored to AD DS for fixed data drives' is set to
'Enabled: False'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected fixed drives can be recovered: Configure storage of
BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery
passwords and key packages'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Configure use
of smart cards on removable data drives' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected operating system drives can be recovered: Configure storage
of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery
passwords and key packages'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Configure use
of smart cards on fixed data drives: Require use of smart cards on fixed data
drives' is set to 'Enabled: True'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Allow standby
states (S1-S3) when sleeping (on battery)' is set to 'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Allow standby
states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected removable drives can be recovered: Configure storage of
BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery
passwords and key packages'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Allow Secure
Boot for integrity validation' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected removable drives can be recovered: Do not enable BitLocker
until recovery information is stored to AD DS for removable data drives' is set
to 'Enabled: False'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected operating system drives can be recovered' is set to
'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Prevent
installation of devices using drivers that match these device setup classes' is
set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Configure use
of passwords for fixed data drives' is set to 'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Configure use
of hardware-based encryption for fixed data drives' is set to 'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Interactive
logon: Machine account lockout threshold' is set to '10 or fewer invalid logon
attempts, but not 0'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Configure use
of passwords for removable data drives' is set to 'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected fixed drives can be recovered: Save BitLocker recovery
information to AD DS for fixed data drives' is set to 'Enabled: False' </span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Configure use
of passwords for operating system drives' is set to 'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Configure use
of smart cards on fixed data drives' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected removable drives can be recovered: Omit recovery options
from the BitLocker setup wizard' is set to 'Enabled: True'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Configure use
of hardware-based encryption for operating system drives' is set to 'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Disable new
DMA devices when this computer is locked' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Deny write
access to removable drives not protected by BitLocker' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected operating system drives can be recovered: Omit recovery
options from the BitLocker setup wizard' is set to 'Enabled: True'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected fixed drives can be recovered: Omit recovery options from
the BitLocker setup wizard' is set to 'Enabled: True'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Choose how
BitLocker-protected fixed drives can be recovered' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Prevent
installation of devices using drivers that match these device setup classes:
Also apply to matching devices that are already installed.' is set to 'True'
(checked)</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Prevent
installation of devices that match any of these device IDs' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Prevent
installation of devices that match any of these device IDs: Also apply to
matching devices that are already installed.' is set to 'True' (checked)</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(BL) Ensure 'Prevent
installation of devices that match any of these device IDs: Prevent
installation of devices that match any of these device IDs' is set to
'PCI\CC_0C0A'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;border:none;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue""> </span></p>
<p class="MsoNormal" style="margin:14pt 0in 0.0001pt 0.5in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">●<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><b><span lang="EN" style="font-size:10pt;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">UPDATED</span></b><b><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue""></span></b></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L1) Ensure 'Enable
Certificate Padding' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L2) Ensure 'Enable App
Installer' is set to 'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L1) Ensure 'Configures
LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI
Lock'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L1) Ensure 'Configure the
transmission of the user's password in the content of MPR notifications sent by
winlogon.' is set to 'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L1) Ensure 'Create
symbolic links' is set to 'Administrators'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L2) Ensure 'Log on as a
service' is configured</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L1) Ensure 'Configure RPC
packet level privacy setting for incoming connections' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="margin:14pt 0in 0.0001pt 0.5in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">●<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><b><span lang="EN" style="font-size:10pt;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">DELETED</span></b><b><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue""></span></b></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L1) Ensure 'Turn off
Microsoft Defender AntiVirus' is set to 'Disabled'</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 1in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">o<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">(L1) Ensure 'Only display
the private store within the Microsoft Store' is set to 'Enabled'</span></p>
<p class="MsoNormal" style="line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;margin:0in;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue""> </span></p>
<p class="MsoNormal" style="margin:14pt 0in 0.0001pt 0.5in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">●<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">Both analysis and
remediation checks are included</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 0.5in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">●<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">Some of the checks allow
you to use the parameterized setting to enable customization for compliance
evaluation. Note that parameterization and remediation actions require the
creation of a custom site.</span></p>
<p class="MsoNormal" style="margin:0in 0in 0in 0.5in;line-height:normal;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue""> </span></p>
<p class="MsoNormal" style="line-height:normal;margin:0in;font-size:11pt;font-family:Arial,sans-serif"><b><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">Actions to take:</span></b><b><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue""></span></b></p>
<p class="MsoNormal" style="margin:14pt 0in 14pt 0.5in;line-height:normal;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:12pt">●<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman""> </span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">To subscribe to the
above site, you can use the License Overview Dashboard to enable and gather the
site. Note that you must be entitled to the BigFix Compliance product, and you
must be using BigFix version 10 and later</span><span lang="EN" style="font-size:12pt">.</span><span lang="EN" style="font-size:12pt"></span></p>
<p class="MsoNormal" style="margin:6pt 0in 0.0001pt 0.5in;line-height:normal;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-family:Calibri,sans-serif;color:rgb(5,99,193)">●<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">If you use custom sites,
update your custom sites accordingly to use the latest content. You can
synchronize your content by using the Synchronize Custom Checks wizard. For
more information, see </span><u><span lang="EN" style="font-family:Calibri,sans-serif;color:rgb(5,99,193)"></span></u></p>
<p class="MsoNormal" style="margin:0in 0in 14pt 0.5in;line-height:normal;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN"><a href="https://help.hcltechsw.com/bigfix/11.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html"><span style="font-family:Calibri,sans-serif;color:rgb(5,99,193)">https://help.hcltechsw.com/bigfix/11.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html</span></a></span><u><span lang="EN" style="font-family:Calibri,sans-serif;color:rgb(5,99,193)"></span></u></p>
<p class="MsoNormal" style="line-height:normal;margin:0in;font-size:11pt;font-family:Arial,sans-serif"><b><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">More information:</span></b><b><span lang="EN" style="font-size:10pt;font-family:Calibri,sans-serif"> </span></b><span lang="EN" style="font-size:10pt;font-family:Calibri,sans-serif"><br>
</span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">To know more about the BigFix Compliance SCM checklists, please
see the following resources:</span><b><span lang="EN" style="font-size:10pt;font-family:Calibri,sans-serif"></span></b></p>
<p class="MsoNormal" style="margin:6pt 0in 0.0001pt 0.5in;line-height:normal;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-family:Calibri,sans-serif;color:rgb(5,99,193)">●<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">BigFix Forum:<br>
</span><span lang="EN"><a href="https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fforum.bigfix.com%2Fc%2Frelease-announcements%2Fcompliance&data=05%7C01%7CBigFix-Scrum-Earth%40hcl.com%7C850b19aead5a47f24eb308da841ed642%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C637967565224681222%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=UYYRYb3SofshREYync5mCc2d5MUGb53t7OjOCBg%2BoJg%3D&reserved=0"><span style="font-family:Calibri,sans-serif;color:rgb(5,99,193)">https://forum.bigfix.com/c/release-announcements/compliance</span></a></span><u><span lang="EN" style="font-family:Calibri,sans-serif;color:rgb(5,99,193)"></span></u></p>
<p class="MsoNormal" style="margin:0in 0in 6pt 0.5in;line-height:normal;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10pt;font-family:"Times New Roman",serif">●<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">BigFix Compliance SCM
Checklists:</span><span lang="EN" style="font-size:10pt;font-family:Calibri,sans-serif"><br>
</span><span lang="EN"><a href="https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbigfix-wiki.hcltechsw.com%2Fwikis%2Fhome%3Flang%3Denus%23!%2Fwiki%2FBigFix%2520Wiki%2Fpage%2FSCM%2520Checklists&data=05%7C01%7CBigFix-Scrum-Earth%40hcl.com%7C850b19aead5a47f24eb308da841ed642%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C637967565224681222%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=sJEji05sRie522iksNIya8RoKSDGBtgSCKlAzsF0N%2Fo%3D&reserved=0"><span style="font-family:Calibri,sans-serif;color:rgb(5,99,193)">https://bigfix-wiki.hcltechsw.com/wikis/home?lang=enus#!/wiki/BigFix%20Wiki/page/SCM%20Checklists</span></a></span><span lang="EN" style="font-size:10pt;font-family:"Times New Roman",serif"></span></p>
<p class="MsoNormal" style="margin:0in 0in 12pt;line-height:normal;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">We hope
you find this latest release of SCM content useful and effective. Thank you!</span><span lang="EN" style="font-size:10.5pt;font-family:Calibri,sans-serif"></span></p>
<p class="MsoNormal" style="margin:0in 0in 12pt;line-height:normal;font-size:11pt;font-family:Arial,sans-serif"><i><span lang="EN" style="font-size:10.5pt;font-family:"Helvetica Neue"">– The BigFix Compliance
team</span></i><i><span lang="EN" style="font-size:10pt;font-family:Calibri,sans-serif"></span></i></p>
<p class="MsoNormal" style="margin:0in;line-height:115%;font-size:11pt;font-family:Arial,sans-serif"><span lang="EN"> </span></p></div>