Control updates introduced for CIS Microsoft Windows 10 Enterprise Benchmark v2.0.0

The Compliance Enforcement Module (CEM) for Windows v1.5.0 introduces enforcement for the Center for Internet Security (CIS) Microsoft Windows 10 Enterprise Benchmark v2.0.0. Moving from the previously supported benchmark, v1.12.0, to v2.0.0 required the module updates listed below.

  • Added
    • The following CIS controls are added in this release:
      • 1.2.3 (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'
      • 18.4.2 (L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'
      • 18.4.6 (L1) Ensure 'LSA Protection' is set to 'Enabled'
      • 18.6.4.1 (L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'
      • 18.7.2 (L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'
      • 18.7.3 (L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'
      • 18.7.4 (L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'
      • 18.7.5 (L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'
      • 18.7.6 (L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections' is set to 'Enabled: Negotiate' or higher
      • 18.7.7 (L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'
      • 18.7.9 (L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'
      • 18.9.25.1 (L1) Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'
      • 18.10.17.1 (L1) Ensure 'Enable App Installer' is set to 'Disabled'
      • 18.10.17.2 (L1) Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'
      • 18.10.17.3 (L1) Ensure 'Enable App Installer Hash Override' is set to 'Disabled'
      • 18.10.17.4 (L1) Ensure 'Enable App Installer msappinstaller protocol' is set to 'Disabled'
      • 18.10.82.1 (L1) Ensure 'Enable MPR notifications for the system' is set to 'Disabled'
  • Changed
    • The following CIS controls were updated:
      • 18.9.89 'Allow Windows Ink Workspace' now accepts either 'Enabled: On, but disallow access above lock' or 'Enabled: Disabled' as the expected value.
      • 18.10.87 (L1) 'Turn on PowerShell Transcription' previously had an expected value of 'Disabled'; it now has an expected value of 'Enabled'.
      • 18.3.5 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' is renumbered to 18.7.8.
  • Removed
    • The following CIS controls were removed:
      • 2.3.1 (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled'
      • 18.5.4 (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher
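
The following PowerShell script is an added example for spot-checking a subset of the controls above on a single machine before or after CEM enforcement; it is not part of the CEM release note or the module itself. The page does not state where these settings live in the registry. The key paths and value names used below are assumed from the Group Policy (ADMX) mappings of each setting, and the expected values are taken from the control titles above. Controls enforced through the local security policy rather than the registry, such as 1.2.3 'Allow Administrator account lockout', are out of scope for this check.

```powershell
# Added example (not from the CEM release note): audit a subset of the
# registry-backed CIS Windows 10 Enterprise v2.0.0 controls listed above.
# Registry paths and value names are ASSUMED from the corresponding
# Group Policy (ADMX) mappings; they are not stated on the page.
# Run from an elevated PowerShell session so HKLM policy keys are readable.

$checks = @(
    @{ Id = '18.4.2';     Name = 'RPC packet level privacy for incoming connections'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
       Value = 'RpcAuthnLevelPrivacyEnabled'; Expected = 1 }
    @{ Id = '18.4.6';     Name = 'LSA Protection (LSASS runs as protected process)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'RunAsPPL'; Expected = 1 }
    @{ Id = '18.9.25.1';  Name = 'Custom SSPs and APs in LSASS disallowed'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Value = 'AllowCustomSSPsAPs'; Expected = 0 }
    @{ Id = '18.10.17.1'; Name = 'App Installer disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
       Value = 'EnableAppInstaller'; Expected = 0 }
    @{ Id = '18.10.17.4'; Name = 'App Installer ms-appinstaller protocol disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
       Value = 'EnableMSAppInstallerProtocol'; Expected = 0 }
    @{ Id = '18.10.87';   Name = 'PowerShell Transcription enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
       Value = 'EnableTranscripting'; Expected = 1 }
    @{ Id = '18.7.8';     Name = 'Print driver installation limited to Administrators'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
       Value = 'RestrictDriverInstallationToAdministrators'; Expected = 1 }
)

function Test-CisRegistryControl {
    param([Parameter(Mandatory)][hashtable]$Check)

    # A missing key or value is reported as a finding: the policy is simply
    # not applied, and for these settings the OS default is the weaker state
    # (LSASS unprotected, App Installer enabled, transcription off, and so on).
    $actual = $null
    try {
        $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction Stop
        $actual = $item.($Check.Value)
    } catch {
        $actual = $null
    }

    [pscustomobject]@{
        Control  = $Check.Id
        Setting  = $Check.Name
        Expected = $Check.Expected
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Status   = if ($actual -eq $Check.Expected) { 'PASS' } else { 'FAIL' }
    }
}

$results = $checks | ForEach-Object { Test-CisRegistryControl -Check $_ }
$results | Format-Table -AutoSize

# Non-zero exit code when any control fails, so the script can gate a build
# or deployment pipeline on the result.
if ($results.Status -contains 'FAIL') { exit 1 }
```

Two practical notes when reading the output. A 'FAIL' with Actual '<not set>' means the policy has never been applied on that host, which is the common state before CEM enforcement, whereas a 'FAIL' with an explicit wrong value usually points at a conflicting GPO or a local override worth tracking down. Because 18.10.87 now requires transcription to be enabled, make sure the transcript output directory that accompanies that policy is write-only for users and readable only by the people who need it, since transcripts capture command output, including any credentials that pass through a session.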