Windows security baseline for Windows Server 2025

Note

This page applies specifically to the Azure Security Baseline for Windows Server 2025 and not to any other server editions. This baseline supports the new Customizable Machine Configuration Security Baseline experience, so you can modify the content of the baseline, from including or excluding rules to setting different values.

This article details the configuration settings for Windows guests as applicable in the following implementations:

  • Windows machines should meet requirements for the Azure compute security baseline Azure Policy guest configuration definition
  • Vulnerabilities in security configuration on your machines should be remediated in Microsoft Defender for Cloud

For the remediation checks and suggestions, we took a best-practices approach. However, always test the commands first and do not apply them blindly in any production environment.

The new release of the policy, for both audit and remediation, is powered by our OSConfig engine.

For more information, see Azure Policy guest configuration and Overview of the Azure Security Benchmark (V2).
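
The Expected Value column in the table below uses expressions such as Equals(1), OneOf(Equals(0), Equals(null)), Range(1, 15) and ContainsAtMost(...). The following PowerShell is an added example, not Microsoft's OSConfig code: it evaluates those expressions against registry values in audit-only mode. The function names, the constructed sample values and the expression semantics stated in the comments are assumptions.

```powershell
# Added example (not OSConfig code). Assumed semantics, not defined on the page:
# Equals(null) = value not set; Range(a, b) = inclusive, missing bound = open;
# ContainsAtMost(...) = every configured entry appears in the allowed list.

function Split-TopLevelArgs {
    param([string]$Text)
    # Split on commas that sit outside quotes and outside nested parentheses.
    $parts = [System.Collections.Generic.List[string]]::new()
    $depth = 0; $inQuote = $false; $current = ''
    foreach ($ch in $Text.ToCharArray()) {
        if ($ch -eq "'") { $inQuote = -not $inQuote }
        elseif (-not $inQuote -and $ch -eq '(') { $depth++ }
        elseif (-not $inQuote -and $ch -eq ')') { $depth-- }
        if ($ch -eq ',' -and -not $inQuote -and $depth -eq 0) {
            $parts.Add($current.Trim()); $current = ''
        } else { $current += $ch }
    }
    $parts.Add($current.Trim())
    $parts.ToArray()
}

function ConvertFrom-BaselineLiteral {
    param([string]$Token)
    if ($Token -eq 'null') { return $null }
    if ($Token -match "^'(.*)'$") { return $Matches[1] }
    return [long]$Token
}

function Test-BaselineExpression {
    param([string]$Expression, $Actual)
    if ($Expression -notmatch '^\s*(\w+)\((.*)\)\s*$') { throw "Unrecognized expression: $Expression" }
    $op = $Matches[1]; $inner = $Matches[2]
    $tokens = @(Split-TopLevelArgs $inner)
    switch ($op) {
        'Equals' {
            $expected = ConvertFrom-BaselineLiteral $tokens[0]
            if ($null -eq $expected) { return ($null -eq $Actual) }
            if ($null -eq $Actual) { return $false }
            if ($expected -is [string]) { return ([string]$Actual -ceq $expected) }
            return (($Actual -as [long]) -eq $expected)
        }
        'OneOf' {
            foreach ($t in $tokens) {
                if (Test-BaselineExpression -Expression $t -Actual $Actual) { return $true }
            }
            return $false
        }
        'Range' {
            $n = if ($null -eq $Actual) { $null } else { $Actual -as [long] }
            if ($null -eq $n) { return $false }
            $lowOk  = ($tokens[0] -eq '') -or ($n -ge [long]$tokens[0])
            $highOk = ($tokens[1] -eq '') -or ($n -le [long]$tokens[1])
            return ($lowOk -and $highOk)
        }
        'ContainsAtMost' {
            # Assumption: an unset value is reported as non-compliant, because the
            # effective list is then the OS default, which this check cannot see.
            if ($null -eq $Actual) { return $false }
            $allowed = @($tokens | ForEach-Object { ConvertFrom-BaselineLiteral $_ })
            foreach ($item in @($Actual)) {
                if ($allowed -notcontains $item) { return $false }
            }
            return $true
        }
        default { throw "Unsupported operator: $op" }
    }
}

function Invoke-BaselineAudit {
    param([hashtable[]]$Rules, [hashtable]$Observed)
    foreach ($r in $Rules) {
        if ($PSBoundParameters.ContainsKey('Observed')) { $actual = $Observed[$r.Name] }
        else {
            # Read-only lookup; a missing key or value is treated as "not set".
            $item = Get-ItemProperty -Path $r.Key -Name $r.Value -ErrorAction SilentlyContinue
            $actual = if ($item) { $item.($r.Value) } else { $null }
        }
        [pscustomobject]@{
            Name      = $r.Name
            Actual    = if ($null -eq $actual) { '(not set)' } else { $actual -join ',' }
            Expected  = $r.Expected
            Compliant = Test-BaselineExpression -Expression $r.Expected -Actual $actual
        }
    }
}

# Rows copied from the table on this page (Member Server column).
$rules = @(
    @{ Name='ConfigureSMBV1Server'; Key='HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'; Value='SMB1'; Expected='OneOf(Equals(0), Equals(null))' }
    @{ Name='ConfigureSMBV1ClientDriver'; Key='HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10'; Value='Start'; Expected='Equals(4)' }
    @{ Name='AmountOfIdleTimeRequiredBeforeSuspendingSession'; Key='HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'; Value='AutoDisconnect'; Expected='Range(1, 15)' }
    @{ Name='CryptographyEccCurve'; Key='HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'; Value='EccCurves'; Expected="ContainsAtMost('NistP256','NistP384')" }
)
# Constructed sample values so the example runs offline on any host.
$sample = @{
    ConfigureSMBV1Server = $null; ConfigureSMBV1ClientDriver = 3
    AmountOfIdleTimeRequiredBeforeSuspendingSession = 15
    CryptographyEccCurve = @('NistP256', 'curve25519')
}
Invoke-BaselineAudit -Rules $rules -Observed $sample | Format-Table -AutoSize
```

With the constructed sample, the SMB v1 server and idle-time rows are compliant and the other two are not. Omitting `-Observed` makes the same function read the local registry instead; it never writes to it.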

General security controls

Name Description Severity Expected Value
AfdDisableAddressSharing Control Name: System Services Afd DisableAddressSharing
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\Afd\Parameters
Registry Value: DisableAddressSharing
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
AllowAnonymousSIDOrNameTranslation
(CCE-10024-8)
Control Name: Network access: Allow anonymous SID/Name translation
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/NetworkAccess_AllowAnonymousSIDOrNameTranslation
CSP Value Type: Integer
Warning Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
AllowCustomSSPAPIntoLSASS Control Name: Allow Custom SSPs and APs to be loaded into LSASS
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
Registry Value: AllowCustomSSPsAPs
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(0)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
AllowedToFormatAndEjectRemovableMedia
(CCE-37701-0)
Control Name: Devices: Allowed to format and eject removable media
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Registry Value: AllocateDASD
Registry Value Type: REG_SZ
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
CSP Value Type: String
Warning Domain Controller = "OneOf(Equals('0'), Equals(''))"
Member Server = "OneOf(Equals('0'), Equals(''))"
Workgroup Member = "OneOf(Equals('0'), Equals(''))"
AllowICMPRedirectsToOverrideOSPFGeneratedRoutes
(AZ-WIN-73503)
Control Name: MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Registry Value: EnableICMPRedirect
Registry Value Type: REG_DWORD
Informational Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
AllowLocalSystemNULLSessionFallback
(CCE-37035-3)
Control Name: Network security: Allow LocalSystem NULL session fallback
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Registry Value: allownullsessionfallback
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemNULLSessionFallback
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(0), Equals(null))"
Member Server = "OneOf(Equals(0), Equals(null))"
Workgroup Member = "OneOf(Equals(0), Equals(null))"
AllowLocalSystemToUseComputerIdentityForNTLM
(CCE-38341-4)
Control Name: Network security: Allow Local System to use computer identity for NTLM
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
Registry Value: UseMachineId
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
AllowPKU2UAuthenticationAllowOnlineID
(CCE-38047-7)
Control Name: Network Security: Allow PKU2U authentication requests to this computer to use online identities
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u
Registry Value: AllowOnlineID
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
AllowSystemToBeShutDownWithoutHavingToLogOn
(CCE-36788-8)
Control Name: Shutdown: Allow system to be shut down without having to log on
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value: ShutdownWithoutLogon
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
CSP Value Type: Integer
Warning Domain Controller = "OneOf(Equals(0), Equals(null))"
Member Server = "OneOf(Equals(0), Equals(null))"
Workgroup Member = "OneOf(Equals(0), Equals(null))"
AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers
(AZ-WIN-202214)
Control Name: MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Registry Value: NoNameReleaseOnDemand
Registry Value Type: REG_DWORD
Informational Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
AllowUIAccessApplicationsToPromptForElevation
(CCE-36863-9)
Control Name: User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value: EnableUIADesktopToggle
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
CSP Value Type: Integer
Critical Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
AmountOfIdleTimeRequiredBeforeSuspendingSession
(CCE-38046-9)
Control Name: Microsoft network server: Amount of idle time required before suspending session
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Registry Value: AutoDisconnect
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession
CSP Value Type: Integer
Critical Domain Controller = "Range(1, 15)"
Member Server = "Range(1, 15)"
Workgroup Member = "Range(1, 15)"
ApplicationIdentityStartupType Control Name: Application Identity
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\AppIDSvc
Registry Value: Start
Registry Value Type: REG_DWORD
Informational Domain Controller = "Equals(2)"
Member Server = "Equals(2)"
Workgroup Member = "Equals(2)"
ApplicationManagementMSIAllowUserControlOverInstall
(CCE-36400-0)
Control Name: Allow user control over installs
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer
Registry Value: EnableUserControl
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/ApplicationManagement/MSIAllowUserControlOverInstall
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(0), Equals(null))"
Member Server = "OneOf(Equals(0), Equals(null))"
Workgroup Member = "OneOf(Equals(0), Equals(null))"
ApplicationManagementMSIAlwaysInstallWithElevatedPrivileges
(CCE-37490-0)
Control Name: Always install with elevated privileges
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer
Registry Value: AlwaysInstallElevated
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
CSP Value Type: Integer
Warning Domain Controller = "OneOf(Equals(0), Equals(null))"
Member Server = "OneOf(Equals(0), Equals(null))"
Workgroup Member = "OneOf(Equals(0), Equals(null))"
ApplyUACRestrictionsToLocalAccountsOnNetworkLogon
(AZ-WIN-73495)
Control Name: Apply UAC restrictions to local accounts on network logons
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value: LocalAccountTokenFilterPolicy
Registry Value Type: REG_DWORD
Critical Member Server = "Equals(0)"
AppRuntimeAllowMicrosoftAccountsToBeOptional
(CCE-38354-7)
Control Name: Allow Microsoft accounts to be optional
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value: MSAOptional
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
AuditAccountLockout
(CCE-37133-6)
Control Name: Audit Account Lockout
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/AccountLogonLogoff_AuditAccountLockout
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(2), Equals(3))"
Member Server = "OneOf(Equals(2), Equals(3))"
Workgroup Member = "OneOf(Equals(2), Equals(3))"
AuditAuthenticationPolicyChange
(CCE-38327-3)
Control Name: Audit Authentication Policy Change
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/PolicyChange_AuditAuthenticationPolicyChange
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(1), Equals(3))"
Member Server = "OneOf(Equals(1), Equals(3))"
Workgroup Member = "OneOf(Equals(1), Equals(3))"
AuditAuthorizationPolicyChange
(CCE-36320-0)
Control Name: Audit Authorization Policy Change
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/PolicyChange_AuditAuthorizationPolicyChange
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(1), Equals(3))"
Member Server = "OneOf(Equals(1), Equals(3))"
Workgroup Member = "OneOf(Equals(1), Equals(3))"
AuditBackupAndRestorePrivilege Control Name: Audit the use of Backup and Restore privilege
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
Registry Value: FullPrivilegeAuditing
Registry Value Type: REG_BINARY
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/Audit_AuditTheUseOfBackupAndRestoreprivilege
CSP Value Type: Binary
Critical Domain Controller = "Equals('MDA=')"
Member Server = "Equals('MDA=')"
Workgroup Member = "Equals('MDA=')"
AuditClientDoesNotSupportEncryption Control Name: Audit client does not support encryption
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation
Registry Value: AuditClientDoesNotSupportEncryption
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
AuditClientDoesNotSupportSigning Control Name: Audit client does not support signing
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation
Registry Value: AuditClientDoesNotSupportSigning
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
AuditComputerAccountManagement
(CCE-38004-8)
Control Name: Audit Computer Account Management
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/AccountManagement_AuditComputerAccountManagement
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(1), Equals(3))"
AuditCredentialValidation
(CCE-37741-6)
Control Name: Audit Credential Validation
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/AccountLogon_AuditCredentialValidation
CSP Value Type: Integer
Critical Domain Controller = "Equals(3)"
Member Server = "Equals(3)"
Workgroup Member = "Equals(3)"
AuditDetailedFileShare
(AZ-WIN-00100)
Control Name: Audit Detailed File Share
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/ObjectAccess_AuditDetailedFileShare
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(2), Equals(3))"
Member Server = "OneOf(Equals(2), Equals(3))"
Workgroup Member = "OneOf(Equals(2), Equals(3))"
AuditDirectoryServiceAccess
(CCE-37433-0)
Control Name: Audit Directory Service Access
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/DSAccess_AuditDirectoryServiceAccess
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(2), Equals(3))"
AuditDirectoryServiceChanges
(CCE-37616-0)
Control Name: Audit Directory Service Changes
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/DSAccess_AuditDirectoryServiceChanges
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(1), Equals(3))"
AuditDirectoryServiceReplication
(AZ-WIN-00093)
Control Name: Audit Directory Service Replication
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/DSAccess_AuditDirectoryServiceReplication
CSP Value Type: Integer
Critical Domain Controller = "Range(0, )"
AuditDistributionGroupManagement
(CCE-36265-7)
Control Name: Audit Distribution Group Management
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/AccountManagement_AuditDistributionGroupManagement
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(1), Equals(3))"
AuditFileShare
(AZ-WIN-00102)
Control Name: Audit File Share
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/ObjectAccess_AuditFileShare
CSP Value Type: Integer
Critical Domain Controller = "Equals(3)"
Member Server = "Equals(3)"
Workgroup Member = "Equals(3)"
AuditGroupMembership
(AZ-WIN-00026)
Control Name: Audit Group Membership
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/AccountLogonLogoff_AuditGroupMembership
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(1), Equals(3))"
Member Server = "OneOf(Equals(1), Equals(3))"
Workgroup Member = "OneOf(Equals(1), Equals(3))"
AuditInsecureGuestLogon Control Name: Audit insecure guest logon
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer
Registry Value: AuditInsecureGuestLogon
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
AuditIPsecDriver
(CCE-37853-9)
Control Name: Audit IPsec Driver
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/System_AuditIPsecDriver
CSP Value Type: Integer
Critical Domain Controller = "Equals(3)"
Member Server = "Equals(3)"
Workgroup Member = "Equals(3)"
AuditKerberosAuthenticationService
(AZ-WIN-00004)
Control Name: Audit Kerberos Authentication Service
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/AccountLogon_AuditKerberosAuthenticationService
CSP Value Type: Integer
Critical Domain Controller = "Equals(3)"
AuditKerberosServiceTicketOperations
(AZ-WIN-00005)
Control Name: Audit Kerberos Service Ticket Operations
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/AccountLogon_AuditKerberosServiceTicketOperations
CSP Value Type: Integer
Critical Domain Controller = "Equals(2)"
AuditLogoff
(CCE-38237-4)
Control Name: Audit Logoff
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/AccountLogonLogoff_AuditLogoff
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(1), Equals(3))"
Member Server = "OneOf(Equals(1), Equals(3))"
Workgroup Member = "OneOf(Equals(1), Equals(3))"
AuditLogon
(CCE-38036-0)
Control Name: Audit Logon
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/AccountLogonLogoff_AuditLogon
CSP Value Type: Integer
Critical Domain Controller = "Equals(3)"
Member Server = "Equals(3)"
Workgroup Member = "Equals(3)"
AuditMPSSVCRuleLevelPolicyChange
(AZ-WIN-00111)
Control Name: Audit MPSSVC Rule-Level Policy Change
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChange
CSP Value Type: Integer
Critical Domain Controller = "Equals(3)"
Member Server = "Equals(3)"
Workgroup Member = "Equals(3)"
AuditOtherAccountManagementEvents
(CCE-37855-4)
Control Name: Audit Other Account Management Events
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/AccountManagement_AuditOtherAccountManagementEvents
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(1), Equals(3))"
AuditOtherLogonLogoffEvents
(CCE-36322-6)
Control Name: Audit Other Logon/Logoff Events
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/AccountLogonLogoff_AuditOtherLogonLogoffEvents
CSP Value Type: Integer
Critical Domain Controller = "Equals(3)"
Member Server = "Equals(3)"
Workgroup Member = "Equals(3)"
AuditOtherObjectAccessEvents
(AZ-WIN-00113)
Control Name: Audit Other Object Access Events
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/ObjectAccess_AuditOtherObjectAccessEvents
CSP Value Type: Integer
Critical Domain Controller = "Equals(3)"
Member Server = "Equals(3)"
Workgroup Member = "Equals(3)"
AuditOtherPolicyChangeEvents
(AZ-WIN-00114)
Control Name: Audit events generated by other security policy changes that are not audited in the policy change category
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/PolicyChange_AuditOtherPolicyChangeEvents
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(2), Equals(3))"
Member Server = "OneOf(Equals(2), Equals(3))"
Workgroup Member = "OneOf(Equals(2), Equals(3))"
AuditOtherSystemEvents
(CCE-38030-3)
Control Name: Audit Other System Events
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/System_AuditOtherSystemEvents
CSP Value Type: Integer
Critical Domain Controller = "Equals(3)"
Member Server = "Equals(3)"
Workgroup Member = "Equals(3)"
AuditPnPExternalDevice
(AZ-WIN-00182)
Control Name: Audit when plug and play detects an external device
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/DetailedTracking_AuditPNPActivity
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
AuditPolicyChange
(CCE-38028-7)
Control Name: Audit Policy Change
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/PolicyChange_AuditPolicyChange
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
AuditProcessCreatedOrStarted
(CCE-36059-4)
Control Name: Audit Events generated when a process is created or starts
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/DetailedTracking_AuditProcessCreation
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
AuditRemovableStorage
(CCE-37617-8)
Control Name: Audit Removable Storage
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/ObjectAccess_AuditRemovableStorage
CSP Value Type: Integer
Critical Domain Controller = "Equals(3)"
Member Server = "Equals(3)"
Workgroup Member = "Equals(3)"
AuditSecurityGroupManagement
(CCE-38034-5)
Control Name: Audit Security Group Management
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/AccountManagement_AuditSecurityGroupManagement
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(1), Equals(3))"
Member Server = "OneOf(Equals(1), Equals(3))"
Workgroup Member = "OneOf(Equals(1), Equals(3))"
AuditSecurityStateChange
(CCE-38114-5)
Control Name: Audit Security State Change
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/System_AuditSecurityStateChange
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(1), Equals(3))"
Member Server = "OneOf(Equals(1), Equals(3))"
Workgroup Member = "OneOf(Equals(1), Equals(3))"
AuditSecuritySystemExtension
(CCE-36144-4)
Control Name: Audit Security System Extension
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/System_AuditSecuritySystemExtension
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(1), Equals(3))"
Member Server = "OneOf(Equals(1), Equals(3))"
Workgroup Member = "OneOf(Equals(1), Equals(3))"
AuditSensitivePrivilegeUse
(CCE-36267-3)
Control Name: Audit Sensitive Privilege Use
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/PrivilegeUse_AuditSensitivePrivilegeUse
CSP Value Type: Integer
Critical Domain Controller = "Equals(3)"
Member Server = "Equals(3)"
Workgroup Member = "Equals(3)"
AuditServerDoesNotSupportEncryption Control Name: Audit server does not support encryption
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer
Registry Value: AuditServerDoesNotSupportEncryption
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
AuditServerDoesNotSupportSigning Control Name: Audit server does not support signing
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer
Registry Value: AuditServerDoesNotSupportSigning
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
AuditSettingsIncludeCmdLine
(CCE-36925-6)
Control Name: Include command line in process creation events
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit
Registry Value: ProcessCreationIncludeCmdLine_Enabled
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
AuditSpecialLogon
(CCE-36266-5)
Control Name: Audit Special Logon
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/AccountLogonLogoff_AuditSpecialLogon
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(1), Equals(3))"
Member Server = "OneOf(Equals(1), Equals(3))"
Workgroup Member = "OneOf(Equals(1), Equals(3))"
AuditSystemIntegrity
(CCE-37132-8)
Control Name: Audit System Integrity
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/System_AuditSystemIntegrity
CSP Value Type: Integer
Critical Domain Controller = "Equals(3)"
Member Server = "Equals(3)"
Workgroup Member = "Equals(3)"
AuditUserAccountManagement
(CCE-37856-2)
Control Name: Audit User Account Management
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Audit/AccountManagement_AuditUserAccountManagement
CSP Value Type: Integer
Critical Domain Controller = "Equals(3)"
Member Server = "Equals(3)"
Workgroup Member = "Equals(3)"
AutoplayDisallowAutoplayForNonVolumeDevices
(CCE-37636-8)
Control Name: Disallow Autoplay for non-volume devices
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer
Registry Value: NoAutoplayfornonVolume
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
AutoplaySetDefaultAutoRunBehavior
(CCE-38217-6)
Control Name: Set the default behavior for AutoRun
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Registry Value: NoAutorun
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
AutoplayTurnOffAutoPlay
(CCE-36875-3)
Control Name: Turn off Autoplay
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Registry Value: NoDriveTypeAutoRun
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(255)"
Member Server = "Equals(255)"
Workgroup Member = "Equals(255)"
BehaviorOfTheElevationPromptForAdministrators
(CCE-37029-6)
Control Name: User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value: ConsentPromptBehaviorAdmin
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
CSP Value Type: Integer
Critical Domain Controller = "Range(1, 2)"
Member Server = "Range(1, 2)"
Workgroup Member = "Range(1, 2)"
BehaviorOfTheElevationPromptForStandardUsers
(CCE-36864-7)
Control Name: User Account Control: Behavior of the elevation prompt for standard users
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value: ConsentPromptBehaviorUser
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
CSP Value Type: Integer
Critical Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
BlockConsumerMicrosoftAccounts
(AZ-WIN-20198)
Control Name: Block all consumer Microsoft account user authentication
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount
Registry Value: DisableUserAuth
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
BlockNetbiosDiscovery Control Name: Block NetBIOS-based discovery for domain controller location
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters
Registry Value: BlockNetbiosDiscovery
Registry Value Type: REG_DWORD
Important Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
BlockNTLM Control Name: Block NTLM (LM NTLM NTLMv2)
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation
Registry Value: BlockNTLM
Registry Value Type: REG_DWORD
Important Domain Controller = "Range(0, 1)"
Member Server = "Range(0, 1)"
Workgroup Member = "Range(0, 1)"
BlockNTLMServerExceptionList Control Name: Block NTLM Server Exception List
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation
Registry Value: BlockNTLMServerExceptionList
Registry Value Type: REG_MULTI_SZ
Informational Domain Controller = "OneOf(Equals(''), Equals(null))"
Member Server = "OneOf(Equals(''), Equals(null))"
Workgroup Member = "OneOf(Equals(''), Equals(null))"
ClearVirtualMemoryPageFile
(AZ-WIN-00181)
Control Name: Shutdown: Clear virtual memory pagefile
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Registry Value: ClearPageFileAtShutdown
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
CSP Value Type: Integer
Critical Member Server = "OneOf(Equals(0), Equals(null))"
Workgroup Member = "OneOf(Equals(0), Equals(null))"
ConfigureDNSClientNETBIOS Control Name: Configure NetBIOS settings
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
Registry Value: EnableNetbios
Registry Value Type: REG_DWORD
Important Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
ConfigureKernelShadowStacksLaunch Control Name: Turn On Virtualization Based Security
KernelShadowStackLaunch
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
Registry Value: ConfigureKernelShadowStacksLaunch
Registry Value Type: REG_DWORD
Warning Domain Controller = "Range(1, 2)"
Member Server = "Range(1, 2)"
Workgroup Member = "Range(1, 2)"
ConfigureSMBV1ClientDriver
(AZ-WIN-00150)
Control Name: Configure SMB v1 client driver
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10
Registry Value: Start
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(4)"
Member Server = "Equals(4)"
Workgroup Member = "Equals(4)"
ConfigureSMBV1Server
(AZ-WIN-00175)
Control Name: Disable SMB v1 server
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Registry Value: SMB1
Registry Value Type: REG_DWORD
Critical Domain Controller = "OneOf(Equals(0), Equals(null))"
Member Server = "OneOf(Equals(0), Equals(null))"
Workgroup Member = "OneOf(Equals(0), Equals(null))"
ConnectivityDisableDownloadingOfPrintDriversOverHTTP
(CCE-36625-2)
Control Name: Turn off downloading of print drivers over HTTP
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers
Registry Value: DisableWebPnPDownload
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
ConnectivityProhibitInstallationAndConfigurationOfNetworkBridge
(CCE-38002-2)
Control Name: Prohibit installation and configuration of Network Bridge on your DNS domain network
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections
Registry Value: NC_AllowNetBridge_NLA
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
CredentialProvidersAllowPINLogon
(CCE-37528-7)
Control Name: Turn on convenience PIN sign-in
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
Registry Value: AllowDomainPINLogon
Registry Value Type: REG_DWORD
Warning Domain Controller = "OneOf(Equals(0), Equals(null))"
Member Server = "OneOf(Equals(0), Equals(null))"
Workgroup Member = "OneOf(Equals(0), Equals(null))"
CredentialsDelegationRemoteHostAllowsDelegationOfNonExportableCredentials
(AZ-WIN-20199)
Control Name: Remote host allows delegation of non-exportable credentials
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation
Registry Value: AllowProtectedCreds
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
CredentialsUIDisablePasswordReveal
(CCE-37534-5)
Control Name: Do not display the password reveal button
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredUI
Registry Value: DisablePasswordReveal
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
CredentialsUIEnumerateAdministrators
(CCE-36512-2)
Control Name: Enumerate administrator accounts on elevation
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI
Registry Value: EnumerateAdministrators
Registry Value Type: REG_DWORD
Warning Domain Controller = "OneOf(Equals(0), Equals(null))"
Member Server = "OneOf(Equals(0), Equals(null))"
Workgroup Member = "OneOf(Equals(0), Equals(null))"
CredSspAllowEncryptionOracle
(AZ-WIN-201910)
Control Name: Encryption Oracle Remediation for CredSSP protocol
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
Registry Value: AllowEncryptionOracle
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
CryptographyAllowedKerberosEncryptionTypes
(CCE-37755-6)
Control Name: Network Security: Configure encryption types allowed for Kerberos
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
Registry Value: SupportedEncryptionTypes
Registry Value Type: REG_DWORD
Critical Domain Controller = "OneOf(Equals(2147483624), Equals(2147483632), Equals(2147483640))"
Member Server = "OneOf(Equals(2147483624), Equals(2147483632), Equals(2147483640))"
Workgroup Member = "OneOf(Equals(2147483624), Equals(2147483632), Equals(2147483640))"
CryptographyEccCurve Control Name: SSL Cryptography EccCurves
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002
Registry Value: EccCurves
Registry Value Type: REG_MULTI_SZ
Critical Domain Controller = "ContainsAtMost('NistP256','NistP384')"
Member Server = "ContainsAtMost('NistP256','NistP384')"
Workgroup Member = "ContainsAtMost('NistP256','NistP384')"
CryptographyForceStrongKeyProtection
(AZ-WIN-73699)
Control Name: System Cryptography: Force strong key protection for user keys stored on the computer
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Cryptography
Registry Value: ForceKeyProtection
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Cryptography/ConfigureSystemCryptographyForceStrongKeyProtection
CSP Value Type: Integer
Important Domain Controller = "Equals(2)"
Member Server = "Equals(2)"
Workgroup Member = "Equals(2)"
CryptographySSLCipherSuites
(AZ-WIN-00153)
Control Name: SSL Cryptography Cipher suites
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002
Registry Value: Functions
Registry Value Type: REG_SZ
Critical Domain Controller = "ContainsAtMost('TLS_AES_128_GCM_SHA256','TLS_AES_256_GCM_SHA384','TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256','TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384','TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256','TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384','TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256','TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384','TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256','TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384')"
Member Server = "ContainsAtMost('TLS_AES_128_GCM_SHA256','TLS_AES_256_GCM_SHA384','TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256','TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384','TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256','TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384','TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256','TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384','TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256','TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384')"
Workgroup Member = "ContainsAtMost('TLS_AES_128_GCM_SHA256','TLS_AES_256_GCM_SHA384','TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256','TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384','TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256','TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384','TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256','TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384','TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256','TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384')"
DetectApplicationInstallationsAndPromptForElevation
(CCE-36533-8)
Control Name: User Account Control: Detect application installations and prompt for elevation
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value: EnableInstallerDetection
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
DeviceGuardLsaCfgFlags
(AZ-WIN-73515)
Control Name: Turn on CredentialGuard
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
Registry Value: LsaCfgFlags
Registry Value Type: REG_DWORD
Critical Member Server = "Range(1, 2)"
Workgroup Member = "Range(1, 2)"
DeviceGuardRequireMicrosoftSignedBootChain Control Name: Secured-Core Require MicrosoftSignedBootChain
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard
Registry Value: RequireMicrosoftSignedBootChain
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
DeviceGuardRequirePlatformSecurityFeatures
(AZ-WIN-73513)
Control Name: Secured-Core Require Platform Security (Secure Boot, DMA)
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
Registry Value: RequirePlatformSecurityFeatures
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/DeviceGuard/RequirePlatformSecurityFeatures
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(1), Equals(3))"
Member Server = "OneOf(Equals(1), Equals(3))"
Workgroup Member = "OneOf(Equals(1), Equals(3))"
DeviceGuardRequireUEFIMemoryAttributesTable Control Name: Secured-Core Require UEFI Memory Attribute Table
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
Registry Value: HVCIMATRequired
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
DeviceInstallationPreventDeviceMetadataFromNetwork
(AZ-WIN-202251)
Control Name: Prevent device metadata retrieval from the Internet
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata
Registry Value: PreventDeviceMetadataFromNetwork
Registry Value Type: REG_DWORD
Informational Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
DeviceLockAccountLockoutPolicy Control Name: Account lockout policy
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/DeviceLock/AccountLockoutPolicy
CSP Value Type: String
Critical Domain Controller = "AllOf(Pattern('ResetAccountLockoutCounterAfter:[1][5-9]|[2-9]\d|[1-9]\d{2,}'), Pattern('AccountLockoutDuration:[1][5-9]|[2-9]\d|[1-9]\d{2,}'), Pattern('AccountLockoutThreshold:[1-3]'))"
Member Server = "AllOf(Pattern('ResetAccountLockoutCounterAfter:[1][5-9]|[2-9]\d|[1-9]\d{2,}'), Pattern('AccountLockoutDuration:[1][5-9]|[2-9]\d|[1-9]\d{2,}'), Pattern('AccountLockoutThreshold:[1-3]'))"
Workgroup Member = "AllOf(Pattern('ResetAccountLockoutCounterAfter:[1][5-9]|[2-9]\d|[1-9]\d{2,}'), Pattern('AccountLockoutDuration:[1][5-9]|[2-9]\d|[1-9]\d{2,}'), Pattern('AccountLockoutThreshold:[1-3]'))"
DeviceLockClearTextPassword
(CCE-36286-3)
Control Name: Store passwords using reversible encryption
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/DeviceLock/ClearTextPassword
CSP Value Type: Integer
Critical Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
DeviceLockMaximumPasswordAge
(CCE-37167-4)
Control Name: Maximum password age
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/DeviceLock/MaximumPasswordAge
CSP Value Type: Integer
Critical Domain Controller = "Range(1, 60)"
Member Server = "Range(1, 60)"
Workgroup Member = "Range(1, 70)"
DeviceLockMinimumPasswordAge
(CCE-37073-4)
Control Name: Minimum password age
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/DeviceLock/MinimumPasswordAge
CSP Value Type: Integer
Critical Domain Controller = "Range(1, )"
Member Server = "Range(1, )"
Workgroup Member = "Range(1, )"
DeviceLockMinimumPasswordLength
(CCE-36534-6)
Control Name: Minimum password length
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/DeviceLock/MinimumPasswordLength
CSP Value Type: Integer
Critical Member Server = "Range(14, )"
Workgroup Member = "Range(14, )"
DeviceLockPasswordComplexity
(CCE-37063-5)
Control Name: Password must meet complexity requirements
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/DeviceLock/PasswordComplexity
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
DeviceLockPasswordHistorySize
(CCE-37166-6)
Control Name: Enforce password history
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/DeviceLock/PasswordHistorySize
CSP Value Type: Integer
Critical Domain Controller = "Equals(24)"
Member Server = "Equals(24)"
Workgroup Member = "Equals(24)"
DeviceLockPreventEnablingLockScreenCamera
(CCE-38347-1)
Control Name: Prevent enabling lock screen camera
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization
Registry Value: NoLockScreenCamera
Registry Value Type: REG_DWORD
Important Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
DeviceLockPreventLockScreenSlideShow
(CCE-38348-9)
Control Name: Prevent enabling lock screen slide show
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization
Registry Value: NoLockScreenSlideshow
Registry Value Type: REG_DWORD
Important Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
DigitallyEncryptOrSignSecureChannelDataAlways
(CCE-36142-8)
Control Name: Domain member: Digitally encrypt or sign secure channel data (always)
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Registry Value: RequireSignOrSeal
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
DigitallyEncryptSecureChannelDataWhenPossible
(CCE-37130-2)
Control Name: Domain member: Digitally encrypt secure channel data (when possible)
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Registry Value: SealSecureChannel
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
DigitallySignCommunicationsAlwaysClient
(CCE-36325-9)
Control Name: Microsoft network client: Digitally sign communications (always)
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
Registry Value: RequireSecuritySignature
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
DigitallySignCommunicationsAlwaysServer
(CCE-37864-6)
Control Name: Microsoft network server: Digitally sign communications (always)
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Registry Value: RequireSecuritySignature
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
DigitallySignCommunicationsIfClientAgrees
(CCE-35988-5)
Control Name: Microsoft network server: Digitally sign communications (if client agrees)
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Registry Value: EnableSecuritySignature
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
DigitallySignCommunicationsIfServerAgrees
(CCE-36269-9)
Control Name: Microsoft network client: Digitally sign communications (if server agrees)
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
Registry Value: EnableSecuritySignature
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
DigitallySignSecureChannelDataWhenPossible
(CCE-37222-7)
Control Name: Domain member: Digitally sign secure channel data (when possible)
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Registry Value: SignSecureChannel
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
DisableLocalAccountPasswordChanges
(CCE-37508-9)
Control Name: Domain member: Disable machine account password changes
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Registry Value: DisablePasswordChange
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges
CSP Value Type: Integer
Critical Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
DisableSMBv1Client
(AZ-WIN-00122)
Control Name: Disable SMB v1 client (remove dependency on LanmanWorkstation)
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation
Registry Value: DependOnService
Registry Value Type: REG_MULTI_SZ
Critical Domain Controller = "ContainsAtMost('Bowser', 'MRxSmb20', 'NSI')"
Member Server = "ContainsAtMost('Bowser', 'MRxSmb20', 'NSI')"
Workgroup Member = "ContainsAtMost('Bowser', 'MRxSmb20', 'NSI')"
DisconnectClientsWhenLogonHoursExpire
(CCE-37972-7)
Control Name: Microsoft network server: Disconnect clients when logon hours expire
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Registry Value: EnableForcedLogOff
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
DmaGuardDeviceEnumerationPolicy Control Name: Enumeration policy for external devices incompatible with Kernel DMA Protection
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection
Registry Value: DeviceEnumerationPolicy
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/DmaGuard/DeviceEnumerationPolicy
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(0), Equals(1))"
Member Server = "OneOf(Equals(0), Equals(1))"
Workgroup Member = "OneOf(Equals(0), Equals(1))"
DnsClientTurn_Off_Multicast
(AZ-WIN-00145)
Control Name: Turn off multicast name resolution
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
Registry Value: EnableMulticast
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
DODownloadMode
(AZ-WIN-93259)
Control Name: Delivery Optimization: Download Mode Methods
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization
Registry Value: DODownloadMode
Registry Value Type: REG_DWORD
Informational Domain Controller = "OneOf(Equals(0), Equals(1), Equals(2), Equals(99), Equals(100))"
Member Server = "OneOf(Equals(0), Equals(1), Equals(2), Equals(99), Equals(100))"
Workgroup Member = "OneOf(Equals(0), Equals(1), Equals(2), Equals(99), Equals(100))"
DoNotAllowAnonymousEnumerationOfSAMAccounts
(CCE-36316-8)
Control Name: Network access: Do not allow anonymous enumeration of SAM accounts
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
Registry Value: RestrictAnonymousSAM
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(1), Equals(null))"
Member Server = "OneOf(Equals(1), Equals(null))"
Workgroup Member = "OneOf(Equals(1), Equals(null))"
DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
(CCE-36077-6)
Control Name: Network access: Do not allow anonymous enumeration of SAM accounts and shares
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
Registry Value: RestrictAnonymous
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
DoNotDisplayLastSignedIn
(CCE-36056-0)
Control Name: Interactive logon: Do not display last user name
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value: DontDisplayLastUserName
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
DoNotRequireCTRLALTDEL
(CCE-37637-6)
Control Name: Interactive logon: Do not require CTRL+ALT+DEL
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value: DisableCAD
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(0), Equals(null))"
Member Server = "OneOf(Equals(0), Equals(null))"
Workgroup Member = "OneOf(Equals(0), Equals(null))"
EnableAuthEpResolution
(CCE-37346-4)
Control Name: Enable RPC Endpoint Mapper Client Authentication
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc
Registry Value: EnableAuthEpResolution
Registry Value Type: REG_DWORD
Critical Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
EnableAuthRateLimiter Control Name: Enable authentication rate limiter
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer
Registry Value: EnableAuthRateLimiter
Registry Value Type: REG_DWORD
Warning Domain Controller = "OneOf(Equals(1), Equals(null))"
Member Server = "OneOf(Equals(1), Equals(null))"
Workgroup Member = "OneOf(Equals(1), Equals(null))"
EnableAuthRateLimiterTimeout Control Name: Enable authentication rate limiter (Delay Timeout)
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Registry Value: InvalidAuthenticationDelayTimeInMs
Registry Value Type: REG_DWORD
Informational Domain Controller = "Range(2000, 5000)"
Member Server = "Range(2000, 5000)"
Workgroup Member = "Range(2000, 5000)"
EnabledNTPClient
(CCE-37843-0)
Control Name: Enable Windows NTP Client
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Registry Value: Enabled
Registry Value Type: REG_DWORD
Critical Workgroup Member = "Equals(1)"
EnableGuestAccountStatus
(CCE-37432-2)
Control Name: Accounts: Guest account status
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus
CSP Value Type: Integer
Critical Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
EnableMailslotsLanmanServer Control Name: Enable remote mailslots (Lanman Server)
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Browser
Registry Value: EnableMailslots
Registry Value Type: REG_DWORD
Informational Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
EnableMailslotsLanmanWorkstation Control Name: Enable remote mailslots (Lanman Workstation)
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider
Registry Value: EnableMailslots
Registry Value Type: REG_DWORD
Informational Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
EnableStructuredExceptionHandlingOverwriteProtection
(AZ-WIN-202210)
Control Name: Enable Structured Exception Handling Overwrite Protection (SEHOP)
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
Registry Value: DisableExceptionChainValidation
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
EncryptNTFSPagingFile Control Name: System Policies NtfsEncryptPagingFile
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Policies
Registry Value: NtfsEncryptPagingFile
Registry Value Type: REG_DWORD
Important Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
EventLogChannelSecurityLogRetention
(CCE-37145-0)
Control Name: Security: Control Event Log behavior when the log file reaches its maximum size
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security
Registry Value: Retention
Registry Value Type: REG_SZ
Critical Domain Controller = "OneOf(Equals('0'), Equals(null))"
Member Server = "OneOf(Equals('0'), Equals(null))"
Workgroup Member = "OneOf(Equals('0'), Equals(null))"
EventLogChannelSetupLogMaxSize
(CCE-37526-1)
Control Name: Setup: Specify the maximum log file size (KB)
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup
Registry Value: MaxSize
Registry Value Type: REG_DWORD
Critical Domain Controller = "Range(32768, )"
Member Server = "Range(32768, )"
Workgroup Member = "Range(32768, )"
EventLogChannelSetupLogRetention
(CCE-38276-2)
Control Name: Setup: Control Event Log behavior when the log file reaches its maximum size
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup
Registry Value: Retention
Registry Value Type: REG_SZ
Critical Domain Controller = "OneOf(Equals('0'), Equals(null))"
Member Server = "OneOf(Equals('0'), Equals(null))"
Workgroup Member = "OneOf(Equals('0'), Equals(null))"
EventLogChannelSystemLogRetention
(CCE-36160-0)
Control Name: System: Control Event Log behavior when the log file reaches its maximum size
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System
Registry Value: Retention
Registry Value Type: REG_SZ
Critical Domain Controller = "OneOf(Equals('0'), Equals(null))"
Member Server = "OneOf(Equals('0'), Equals(null))"
Workgroup Member = "OneOf(Equals('0'), Equals(null))"
EventLogPercentageThresholdSecurityEventLogMaximumSizeReached
(AZ-WIN-202212)
Control Name: MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security
Registry Value: WarningLevel
Registry Value Type: REG_DWORD
Informational Domain Controller = "Range(50, 90)"
Member Server = "Range(50, 90)"
Workgroup Member = "Range(50, 90)"
EventLogServiceControlEventLogBehavior
(CCE-37775-4)
Control Name: Application: Control Event Log behavior when the log file reaches its maximum size
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application
Registry Value: Retention
Registry Value Type: REG_SZ
Critical Domain Controller = "OneOf(Equals('0'), Equals(null))"
Member Server = "OneOf(Equals('0'), Equals(null))"
Workgroup Member = "OneOf(Equals('0'), Equals(null))"
EventLogServiceSpecifyMaximumFileSizeApplicationLog
(CCE-37948-7)
Control Name: Application: Specify the maximum log file size (KB)
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application
Registry Value: MaxSize
Registry Value Type: REG_DWORD
Critical Domain Controller = "Range(32768, )"
Member Server = "Range(32768, )"
Workgroup Member = "Range(32768, )"
EventLogServiceSpecifyMaximumFileSizeSecurityLog
(CCE-37695-4)
Control Name: Security: Specify the maximum log file size (KB)
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security
Registry Value: MaxSize
Registry Value Type: REG_DWORD
Critical Domain Controller = "Range(196608, )"
Member Server = "Range(196608, )"
Workgroup Member = "Range(196608, )"
EventLogServiceSpecifyMaximumFileSizeSystemLog
(CCE-36092-5)
Control Name: System: Specify the maximum log file size (KB)
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System
Registry Value: MaxSize
Registry Value Type: REG_DWORD
Critical Domain Controller = "Range(32768, )"
Member Server = "Range(32768, )"
Workgroup Member = "Range(32768, )"
ExperienceAllowWindowsConsumerFeatures
(AZ-WIN-00144)
Control Name: Turn off Microsoft consumer experiences
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent
Registry Value: DisableWindowsConsumerFeatures
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Experience/AllowWindowsConsumerFeatures
CSP Value Type: Integer
Warning Domain Controller = "OneOf(Equals(1), Equals(null))"
Member Server = "OneOf(Equals(1), Equals(null))"
Workgroup Member = "OneOf(Equals(1), Equals(null))"
ExperienceDisableConsumerAccountStateContent
(AZ-WIN-202217)
Control Name: Turn off cloud consumer account state content
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent
Registry Value: DisableConsumerAccountStateContent
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Experience/DisableConsumerAccountStateContent
CSP Value Type: Integer
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
ExperienceDoNotShowFeedbackNotifications
(AZ-WIN-00140)
Control Name: Do not show feedback notifications
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection
Registry Value: DoNotShowFeedbackNotifications
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
FileExplorerTurnOffHeapTerminationOnCorruption
(CCE-36660-9)
Control Name: Turn off heap termination on corruption
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer
Registry Value: NoHeapTerminationOnCorruption
Registry Value Type: REG_DWORD
Critical Domain Controller = "OneOf(Equals(0), Equals(null))"
Member Server = "OneOf(Equals(0), Equals(null))"
Workgroup Member = "OneOf(Equals(0), Equals(null))"
FirewallDomainProfileApplyLocalConnectionSecurityRules
(CCE-38040-2)
Control Name: Windows Firewall: Domain: Settings: Apply local connection security rules
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
Registry Value: AllowLocalIPsecPolicyMerge
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
FirewallDomainProfileApplyLocalFirewallRules
(CCE-37860-4)
Control Name: Windows Firewall: Domain: Settings: Apply local firewall rules
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
Registry Value: AllowLocalPolicyMerge
Registry Value Type: REG_DWORD
Critical Domain Controller = "OneOf(Equals(1), Equals(null))"
Member Server = "OneOf(Equals(1), Equals(null))"
FirewallDomainProfileDisplayNotification
(CCE-38041-0)
Control Name: Windows Firewall: Domain: Settings: Display a notification
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
Registry Value: DisableNotifications
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
FirewallDomainProfileInboundConnection
(AZ-WIN-202252)
Control Name: Windows Firewall: Domain: Inbound connections
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
Registry Value: DefaultInboundAction
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
FirewallDomainProfileLogDroppedPackets
(AZ-WIN-202226)
Control Name: Windows Firewall: Domain: Logging: Log dropped packets
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
Registry Value: LogDroppedPackets
Registry Value Type: REG_DWORD
Informational Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
FirewallDomainProfileLogFileMaxSize
(AZ-WIN-202225)
Control Name: Windows Firewall: Domain: Logging: Size limit (KB)
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
Registry Value: LogFileSize
Registry Value Type: REG_DWORD
Warning Domain Controller = "Range(16384, )"
Member Server = "Range(16384, )"
FirewallDomainProfileLogFileName
(AZ-WIN-202224)
Control Name: Windows Firewall: Domain: Logging: Name
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
Registry Value: LogFilePath
Registry Value Type: REG_SZ
Informational Domain Controller = "Contains('.log')"
Member Server = "Contains('.log')"
FirewallDomainProfileLogSuccessfulConnections
(AZ-WIN-202227)
Control Name: Windows Firewall: Domain: Logging: Log successful connections
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
Registry Value: LogSuccessfulConnections
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
FirewallDomainProfileOutboundConnection
(CCE-36146-9)
Control Name: Windows Firewall: Domain: Outbound connections
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
Registry Value: DefaultOutboundAction
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
FirewallDomainProfileState
(CCE-36062-8)
Control Name: Windows Firewall: Domain: Firewall state
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
Registry Value: EnableFirewall
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
FirewallDomainProfileUnicastResponse
(AZ-WIN-00088)
Control Name: Windows Firewall: Domain: Allow unicast response
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
Registry Value: DisableUnicastResponsesToMulticastBroadcast
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
FirewallPrivateProfileApplyLocalConnectionSecurityRules
(CCE-36063-6)
Control Name: Windows Firewall: Private: Settings: Apply local connection security rules
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
Registry Value: AllowLocalIPsecPolicyMerge
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
FirewallPrivateProfileApplyLocalFirewallRules
(CCE-37438-9)
Control Name: Windows Firewall: Private: Settings: Apply local firewall rules
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
Registry Value: AllowLocalPolicyMerge
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
FirewallPrivateProfileDisplayNotification
(CCE-37621-0)
Control Name: Windows Firewall: Private: Settings: Display a notification
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
Registry Value: DisableNotifications
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
FirewallPrivateProfileInboundConnection
(AZ-WIN-202228)
Control Name: Windows Firewall: Private: Inbound connections
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
Registry Value: DefaultInboundAction
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
FirewallPrivateProfileLogDroppedPackets
(AZ-WIN-202231)
Control Name: Windows Firewall: Private: Logging: Log dropped packets
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
Registry Value: LogDroppedPackets
Registry Value Type: REG_DWORD
Informational Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
FirewallPrivateProfileLogFileMaxSize
(AZ-WIN-202230)
Control Name: Windows Firewall: Private: Logging: Size limit (KB)
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
Registry Value: LogFileSize
Registry Value Type: REG_DWORD
Warning Domain Controller = "Range(16384, )"
Member Server = "Range(16384, )"
Workgroup Member = "Range(16384, )"
FirewallPrivateProfileLogFileName
(AZ-WIN-202229)
Control Name: Windows Firewall: Private: Logging: Name
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
Registry Value: LogFilePath
Registry Value Type: REG_SZ
Informational Domain Controller = "Contains('.log')"
Member Server = "Contains('.log')"
Workgroup Member = "Contains('.log')"
FirewallPrivateProfileLogSuccessfulConnections
(AZ-WIN-202232)
Control Name: Windows Firewall: Private: Logging: Log successful connections
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
Registry Value: LogSuccessfulConnections
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
FirewallPrivateProfileOutboundConnection
(CCE-38332-3)
Control Name: Windows Firewall: Private: Outbound connections
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
Registry Value: DefaultOutboundAction
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
FirewallPrivateProfileState
(CCE-38239-0)
Control Name: Windows Firewall: Private: Firewall state
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
Registry Value: EnableFirewall
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
FirewallPrivateProfileUnicastResponse
(AZ-WIN-00089)
Control Name: Windows Firewall: Private: Allow unicast response
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
Registry Value: DisableUnicastResponsesToMulticastBroadcast
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
FirewallPublicProfileApplyLocalConnectionSecurityRules
(CCE-36268-1)
Control Name: Windows Firewall: Public: Settings: Apply local connection security rules
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
Registry Value: AllowLocalIPsecPolicyMerge
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
FirewallPublicProfileApplyLocalFirewallRules
(CCE-37861-2)
Control Name: Windows Firewall: Public: Settings: Apply local firewall rules
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
Registry Value: AllowLocalPolicyMerge
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
FirewallPublicProfileDisplayNotification
(CCE-38043-6)
Control Name: Windows Firewall: Public: Settings: Display a notification
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
Registry Value: DisableNotifications
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
FirewallPublicProfileInboundConnection
(AZ-WIN-202234)
Control Name: Windows Firewall: Public: Inbound connections
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
Registry Value: DefaultInboundAction
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
FirewallPublicProfileLogDroppedPackets
(AZ-WIN-202237)
Control Name: Windows Firewall: Public: Logging: Log dropped packets
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
Registry Value: LogDroppedPackets
Registry Value Type: REG_DWORD
Informational Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
FirewallPublicProfileLogFileMaxSize
(AZ-WIN-202236)
Control Name: Windows Firewall: Public: Logging: Size limit (KB)
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
Registry Value: LogFileSize
Registry Value Type: REG_DWORD
Informational Domain Controller = "Range(16384, )"
Member Server = "Range(16384, )"
Workgroup Member = "Range(16384, )"
FirewallPublicProfileLogFileName
(AZ-WIN-202235)
Control Name: Windows Firewall: Public: Logging: Name
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
Registry Value: LogFilePath
Registry Value Type: REG_SZ
Informational Domain Controller = "Contains('.log')"
Member Server = "Contains('.log')"
Workgroup Member = "Contains('.log')"
FirewallPublicProfileLogSuccessfulConnections
(AZ-WIN-202233)
Control Name: Windows Firewall: Public: Logging: Log successful connections
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
Registry Value: LogSuccessfulConnections
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
FirewallPublicProfileOutboundConnection
(CCE-37434-8)
Control Name: Windows Firewall: Public: Outbound connections
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
Registry Value: DefaultOutboundAction
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
FirewallPublicProfileState
(CCE-37862-0)
Control Name: Windows Firewall: Public: Firewall state
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
Registry Value: EnableFirewall
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
FirewallPublicProfileUnicastResponse
(AZ-WIN-00090)
Control Name: Windows Firewall: Public: Allow unicast response
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
Registry Value: DisableUnicastResponsesToMulticastBroadcast
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings
(CCE-37850-5)
Control Name: Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
Registry Value: SCENoApplyLegacyAuditPolicy
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
GroupPolicyDisableBackgroundPolicy
(CCE-14437-8)
Control Name: Turn off background refresh of Group Policy
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value: DisableBkGndGroupPolicy
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
GroupPolicyEnableCDP
(AZ-WIN-00170)
Control Name: Continue experiences on this device
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
Registry Value: EnableCdp
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
GroupPolicyNoBackgroundPolicy
(CCE-36169-1)
Control Name: Configure registry policy processing: Do not apply during periodic background processing
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
Registry Value: NoBackgroundPolicy
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
GroupPolicyNoGPOListChanges
(CCE-36169-1a)
Control Name: Configure registry policy processing: Process even if the Group Policy objects have not changed
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
Registry Value: NoGPOListChanges
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
ICMNC_ExitOnISP
(CCE-37163-3)
Control Name: Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard
Registry Value: ExitOnMSICW
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
ImpersonateClient
(AZ-WIN-73785)
Control Name: Impersonate a client after authentication
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/ImpersonateClient
CSP Value Type: String
Important Domain Controller = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-6', '*S-1-5-19', '*S-1-5-20')"
Member Server = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-6', '*S-1-5-19', '*S-1-5-20')"
Workgroup Member = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-6', '*S-1-5-19', '*S-1-5-20')"
IPSourceRoutingProtectionLevel
(AZ-WIN-202244)
Control Name: MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Registry Value: DisableIPSourceRouting
Registry Value Type: REG_DWORD
Informational Domain Controller = "Equals(2)"
Member Server = "Equals(2)"
Workgroup Member = "Equals(2)"
IPv6SourceRoutingProtectionLevel
(AZ-WIN-202213)
Control Name: MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
Registry Value: DisableIPSourceRouting
Registry Value Type: REG_DWORD
Informational Domain Controller = "Equals(2)"
Member Server = "Equals(2)"
Workgroup Member = "Equals(2)"
KDCHashAlgorithms Control Name: Configure hash algorithms for certificate logon (KDC)
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters
Registry Value: PKINITHashAlgorithmConfigurationEnabled
Registry Value Type: REG_DWORD
Important Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
KDCHashAlgorithmsSHA1 Control Name: Configure hash algorithms for certificate logon (KDC) - SHA1
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters
Registry Value: PKINITSHA1
Registry Value Type: REG_DWORD
Important Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
KDCHashAlgorithmsSHA256 Control Name: Configure hash algorithms for certificate logon (KDC) - SHA256
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters
Registry Value: PKINITSHA256
Registry Value Type: REG_DWORD
Important Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
KDCHashAlgorithmsSHA384 Control Name: Configure hash algorithms for certificate logon (KDC) - SHA384
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters
Registry Value: PKINITSHA384
Registry Value Type: REG_DWORD
Important Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
KDCHashAlgorithmsSHA512 Control Name: Configure hash algorithms for certificate logon (KDC) - SHA512
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters
Registry Value: PKINITSHA512
Registry Value Type: REG_DWORD
Important Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
KerberosHashAlgorithms Control Name: Configure hash algorithms for certificate logon (Kerberos)
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
Registry Value: PKINITHashAlgorithmConfigurationEnabled
Registry Value Type: REG_DWORD
Important Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
KerberosHashAlgorithmsSHA1 Control Name: Configure hash algorithms for certificate logon (Kerberos) - SHA1
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
Registry Value: PKINITSHA1
Registry Value Type: REG_DWORD
Important Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
KerberosHashAlgorithmsSHA256 Control Name: Configure hash algorithms for certificate logon (Kerberos) - SHA256
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
Registry Value: PKINITSHA256
Registry Value Type: REG_DWORD
Important Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
KerberosHashAlgorithmsSHA384 Control Name: Configure hash algorithms for certificate logon (Kerberos) - SHA384
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
Registry Value: PKINITSHA384
Registry Value Type: REG_DWORD
Important Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
KerberosHashAlgorithmsSHA512 Control Name: Configure hash algorithms for certificate logon (Kerberos) - SHA512
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
Registry Value: PKINITSHA512
Registry Value Type: REG_DWORD
Important Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
LANManagerAuthenticationLevel
(CCE-36173-3)
Control Name: Network security: LAN Manager authentication level
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
Registry Value: LmCompatibilityLevel
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
CSP Value Type: Integer
Critical Domain Controller = "Equals(5)"
Member Server = "Equals(5)"
Workgroup Member = "Equals(5)"
LanmanWorkstationEnableInsecureGuestLogons
(AZ-WIN-00171)
Control Name: Enable insecure guest logons
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation
Registry Value: AllowInsecureGuestAuth
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LanmanWorkstation/EnableInsecureGuestLogons
CSP Value Type: Integer
Critical Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
LDAPClientSigningRequirements
(CCE-36858-9)
Control Name: Network security: LDAP client signing requirements
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\LDAP
Registry Value: LDAPClientIntegrity
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/NetworkSecurity_LDAPClientSigningRequirements
CSP Value Type: Integer
Critical Domain Controller = "Range(1, 2)"
Member Server = "Range(1, 2)"
Workgroup Member = "Range(1, 2)"
LDAPServerChannelBindingTokenRequirements Control Name: Domain controller: LDAP server channel binding token requirements
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry Value: LdapEnforceChannelBinding
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(2)"
LDAPServerLDAPServerIntegritySigningRequirementsEnforcement Control Name: Domain controller: LDAP server signing requirements enforcement
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry Value: LDAPServerEnforceIntegrity
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
LetEveryonePermissionsApplyToAnonymousUsers
(CCE-36148-5)
Control Name: Network access: Let Everyone permissions apply to anonymous users
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
Registry Value: EveryoneIncludesAnonymous
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(0), Equals(null))"
Member Server = "OneOf(Equals(0), Equals(null))"
Workgroup Member = "OneOf(Equals(0), Equals(null))"
LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
(CCE-37615-2)
Control Name: Accounts: Limit local account use of blank passwords to console logon only
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
Registry Value: LimitBlankPasswordUse
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(1), Equals(null))"
Member Server = "OneOf(Equals(1), Equals(null))"
Workgroup Member = "OneOf(Equals(1), Equals(null))"
LogonBlockUserFromShowingAccountDetailsOnSignin
(AZ-WIN-00138)
Control Name: Block user from showing account details on sign-in
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
Registry Value: BlockUserFromShowingAccountDetailsOnSignin
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
LogonDontEnumerateConnectedUsers
(AZ-WIN-202216)
Control Name: Do not enumerate connected users on domain-joined computers
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
Registry Value: DontEnumerateConnectedUsers
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
LSAPPLProtection Control Name: Enable LSA PPL Protection
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
Registry Value: RunAsPPL
Registry Value Type: REG_DWORD
Critical Domain Controller = "Range(1, 2)"
Member Server = "Range(1, 2)"
Workgroup Member = "Range(1, 2)"
MachineInactivityLimit
(AZ-WIN-73645)
Control Name: Interactive logon: Machine inactivity limit
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value: InactivityTimeoutSecs
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
CSP Value Type: Integer
Important Domain Controller = "Range(1, 900)"
Member Server = "Range(1, 900)"
Workgroup Member = "Range(1, 900)"
MaximumMachineAccountPasswordAge
(CCE-37431-4)
Control Name: Domain member: Maximum machine account password age
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Registry Value: MaximumPasswordAge
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge
CSP Value Type: Integer
Critical Domain Controller = "Equals(30)"
Member Server = "Equals(30)"
MessageTextUserLogon
(AZ-WIN-202253)
Control Name: Interactive logon: Message text for users attempting to log on
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value: LegalNoticeText
Registry Value Type: REG_SZ
Warning Domain Controller = "Not(OneOf(Equals(''), Equals(null)))"
Member Server = "Not(OneOf(Equals(''), Equals(null)))"
Workgroup Member = "Not(OneOf(Equals(''), Equals(null)))"
MessageTextUserLogonTitle
(AZ-WIN-20225)
Control Name: Interactive logon: Message title for users attempting to log on
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value: LegalNoticeCaption
Registry Value Type: REG_SZ
Warning Domain Controller = "Not(OneOf(Equals(''), Equals(null)))"
Member Server = "Not(OneOf(Equals(''), Equals(null)))"
Workgroup Member = "Not(OneOf(Equals(''), Equals(null)))"
MinimumSessionSecurityForNTLMSSPBasedClients
(CCE-37553-5)
Control Name: Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Registry Value: NTLMMinClientSec
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
CSP Value Type: Integer
Critical Domain Controller = "Equals(537395200)"
Member Server = "Equals(537395200)"
Workgroup Member = "Equals(537395200)"
MinimumSessionSecurityForNTLMSSPBasedServers
(CCE-37835-6)
Control Name: Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Registry Value: NTLMMinServerSec
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
CSP Value Type: Integer
Critical Domain Controller = "Equals(537395200)"
Member Server = "Equals(537395200)"
Workgroup Member = "Equals(537395200)"
MinimumSMBClientVersion Control Name: Mandate the minimum version of SMB Client
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation
Registry Value: MinSmb2Dialect
Registry Value Type: REG_DWORD
Critical Domain Controller = "OneOf(Equals(768),Equals(770),Equals(785))"
Member Server = "OneOf(Equals(768),Equals(770),Equals(785))"
Workgroup Member = "OneOf(Equals(768),Equals(770),Equals(785))"
MinimumSMBServerVersion Control Name: Mandate the minimum version of SMB Server
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer
Registry Value: MinSmb2Dialect
Registry Value Type: REG_DWORD
Critical Domain Controller = "OneOf(Equals(768),Equals(770),Equals(785))"
Member Server = "OneOf(Equals(768),Equals(770),Equals(785))"
Workgroup Member = "OneOf(Equals(768),Equals(770),Equals(785))"
MitigationOptionsFontBlocking Control Name: WindowsNT MitigationOptions MitigationOptions FontBocking
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions
Registry Value: MitigationOptions_FontBocking
Registry Value Type: REG_SZ
Critical Domain Controller = "Equals('1000000000000')"
Member Server = "Equals('1000000000000')"
Workgroup Member = "Equals('1000000000000')"
NetBTNodeTypeConfiguration
(AZ-WIN-202211)
Control Name: NetBT NodeType configuration
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Registry Value: NodeType
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(2)"
Member Server = "Equals(2)"
NetworkConnectionsNC_ShowSharedAccessUI
(AZ-WIN-00172)
Control Name: Prohibit use of Internet Connection Sharing on your DNS domain network
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections
Registry Value: NC_ShowSharedAccessUI
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
NetworkProviderHardenedPathsNETLOGON
(AZ-WIN-202250)
Control Name: Hardened UNC Paths - NETLOGON
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
Registry Value: \\*\NETLOGON
Registry Value Type: REG_SZ
Warning Domain Controller = "OneOf(Equals('RequireMutualAuthentication=1, RequireIntegrity=1'),Equals('RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1'))"
Member Server = "OneOf(Equals('RequireMutualAuthentication=1, RequireIntegrity=1'),Equals('RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1'))"
NetworkProviderHardenedPathsSYSVOL
(AZ-WIN-202251)
Control Name: Hardened UNC Paths - SYSVOL
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
Registry Value: \\*\SYSVOL
Registry Value Type: REG_SZ
Warning Domain Controller = "OneOf(Equals('RequireMutualAuthentication=1, RequireIntegrity=1'), Equals('RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1'))"
Member Server = "OneOf(Equals('RequireMutualAuthentication=1, RequireIntegrity=1'), Equals('RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1'))"
NetworkSecurityForceLogoffWhenLogonHoursExpire Control Name: Network security: Force logoff when logon hours expire
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/NetworkSecurity_ForceLogoffWhenLogonHoursExpire
CSP Value Type: Integer
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
(CCE-37057-7)
Control Name: User Account Control: Only elevate UIAccess applications that are installed in secure locations
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value: EnableSecureUIAPaths
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
OverrideMinimumEnabledDTLSVersionClient Control Name: Override Minimum Enabled DTLS Version Client
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Cryptography/OverrideMinimumEnabledDTLSVersionClient
CSP Value Type: String
Important Domain Controller = "Equals('1.2')"
Member Server = "Equals('1.2')"
Workgroup Member = "Equals('1.2')"
OverrideMinimumEnabledDTLSVersionServer Control Name: Override Minimum Enabled DTLS Version Server
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Cryptography/OverrideMinimumEnabledDTLSVersionServer
CSP Value Type: String
Critical Domain Controller = "Equals('1.2')"
Member Server = "Equals('1.2')"
Workgroup Member = "Equals('1.2')"
OverrideMinimumEnabledTLSVersionClient Control Name: Override Minimum Enabled TLS Version Client
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Cryptography/OverrideMinimumEnabledTLSVersionClient
CSP Value Type: String
Critical Domain Controller = "OneOf(Equals('1.2'),Equals('1.3'))"
Member Server = "OneOf(Equals('1.2'),Equals('1.3'))"
Workgroup Member = "OneOf(Equals('1.2'),Equals('1.3'))"
OverrideMinimumEnabledTLSVersionServer Control Name: Override Minimum Enabled TLS Version Server
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Cryptography/OverrideMinimumEnabledTLSVersionServer
CSP Value Type: String
Critical Domain Controller = "OneOf(Equals('1.2'),Equals('1.3'))"
Member Server = "OneOf(Equals('1.2'),Equals('1.3'))"
Workgroup Member = "OneOf(Equals('1.2'),Equals('1.3'))"
PowerShellExecutionPolicyEnableTranscripting
(AZ-WIN-202208)
Control Name: Turn on PowerShell Transcription
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription
Registry Value: EnableTranscripting
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
(CCE-37942-0)
Control Name: Devices: Prevent users from installing printer drivers
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers
Registry Value: AddPrinterDrivers
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
CSP Value Type: Integer
Warning Domain Controller = "OneOf(Equals(1), Equals(null))"
Member Server = "OneOf(Equals(1), Equals(null))"
Workgroup Member = "OneOf(Equals(1), Equals(null))"
PrintersRestrictDriverInstallationToAdministrators
(AZ-WIN-202202)
Control Name: Limits print driver installation to Administrators
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
Registry Value: RestrictDriverInstallationToAdministrators
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
PrivacyAllowInputPersonalization
(AZ-WIN-00168)
Control Name: Allow Input Personalization
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization
Registry Value: AllowInputPersonalization
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/Privacy/AllowInputPersonalization
CSP Value Type: Integer
Warning Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
PromptUserToChangePasswordBeforeExpiration
(CCE-10930-6)
Control Name: Interactive logon: Prompt user to change password before expiration
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
Registry Value: PasswordExpiryWarning
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/InteractiveLogon_PromptUserToChangePasswordBeforeExpiration
CSP Value Type: Integer
Informational Domain Controller = "Range(5, 14)"
Member Server = "Range(5, 14)"
Workgroup Member = "Range(5, 14)"
RDPPortNumber
(AZ-WIN-00156)
Control Name: Detect change from default RDP port
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Registry Value: PortNumber
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(3389)"
Member Server = "Equals(3389)"
Workgroup Member = "Equals(3389)"
RecoveryConsoleAllowFloppyCopyAndAllDrives
(AZ-WIN-00148)
Control Name: Recovery console: Allow floppy copy and access to all drives and all folders
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole
Registry Value: SetCommand
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders
CSP Value Type: Integer
Critical Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
RefuseMachineAccountPasswordChanged Control Name: Domain controller: Refuse machine account password changes
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry Value: RefusePasswordChange
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(0)"
RemoteAssistanceSolicitedRemoteAssistance
(CCE-37281-3)
Control Name: Configure Solicited Remote Assistance
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value: fAllowToGetHelp
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
RemoteAssistanceUnsolicitedRemoteAssistance
(CCE-36388-7)
Control Name: Configure Offer Remote Assistance
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value: fAllowUnsolicited
Registry Value Type: REG_DWORD
Warning Domain Controller = "OneOf(Equals(0), Equals(null))"
Member Server = "OneOf(Equals(0), Equals(null))"
Workgroup Member = "OneOf(Equals(0), Equals(null))"
RemoteDesktopServicesClientConnectionEncryptionLevel
(CCE-36627-8)
Control Name: Set client connection encryption level
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value: MinEncryptionLevel
Registry Value Type: REG_DWORD
Critical Domain Controller = "Range(3,4)"
Member Server = "Range(3,4)"
Workgroup Member = "Range(3,4)"
RemoteDesktopServicesDoNotAllowDriveRedirection
(AZ-WIN-73569)
Control Name: Do not allow drive redirection
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value: fDisableCdm
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
RemoteDesktopServicesDoNotAllowPasswordSaving
(CCE-36223-6)
Control Name: Do not allow passwords to be saved
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value: DisablePasswordSaving
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
RemoteDesktopServicesPromptForPasswordUponConnection
(CCE-37929-7)
Control Name: Always prompt for password upon connection
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value: fPromptForPassword
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
RemoteDesktopServicesRequireSecureRPCCommunication
(CCE-37567-5)
Control Name: Require secure RPC communication
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value: fEncryptRPCTraffic
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
RemotelyAccessibleRegistryPaths
(CCE-37194-8)
Control Name: Network access: Remotely accessible registry paths
Registry Key: HKLM:\SYSTEM\CurrentControlSet\SecurePipeServers\WinReg\AllowedExactPaths
Registry Value: Machine
Registry Value Type: REG_MULTI_SZ
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/NetworkAccess_RemotelyAccessibleRegistryPaths
CSP Value Type: MultiString
Critical Domain Controller = "OneOf(Equals('System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion'), Equals(''))"
Member Server = "OneOf(Equals('System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion'), Equals(''))"
Workgroup Member = "OneOf(Equals('System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion'), Equals(''))"
RemotelyAccessibleRegistryPathsAndSubpaths
(CCE-36347-3)
Control Name: Network access: Remotely accessible registry paths and sub-paths
Registry Key: HKLM:\SYSTEM\CurrentControlSet\SecurePipeServers\WinReg\AllowedPaths
Registry Value: Machine
Registry Value Type: REG_MULTI_SZ
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths
CSP Value Type: MultiString
Critical Domain Controller = "OneOf(Equals('System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog'), Equals(''))"
Member Server = "OneOf(Equals('System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog'), Equals(''))"
Workgroup Member = "OneOf(Equals('System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog'), Equals(''))"
RemoteManagementAllowBasicAuthentication_Client
(CCE-36254-1)
Control Name: Remote management (WinRM) Allow Basic authentication
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client
Registry Value: AllowBasic
Registry Value Type: REG_DWORD
Critical Domain Controller = "OneOf(Equals(0), Equals(null))"
Member Server = "OneOf(Equals(0), Equals(null))"
Workgroup Member = "OneOf(Equals(0), Equals(null))"
RemoteManagementAllowBasicAuthentication_Service
(AZ-WIN-73599)
Control Name: Remote management (WinRM) Allow Basic authentication - Service
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service
Registry Value: AllowBasic
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
RemoteManagementAllowRemoteServerManagement Control Name: Allow remote server management through WinRM
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service
Registry Value: AllowAutoConfig
Registry Value Type: REG_DWORD
Informational Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
RemoteManagementAllowRemoteServerManagement_IPv4Filter Control Name: Allow remote server management through WinRM-IPv4Filter
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service
Registry Value: IPv4Filter
Registry Value Type: REG_SZ
Informational Domain Controller = "ContainsAtLeast('*')"
Member Server = "ContainsAtLeast('*')"
Workgroup Member = "ContainsAtLeast('*')"
RemoteManagementAllowRemoteServerManagement_IPv6Filter Control Name: Allow remote server management through WinRM-IPv6Filter
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service
Registry Value: IPv6Filter
Registry Value Type: REG_SZ
Informational Domain Controller = "ContainsAtLeast('*')"
Member Server = "ContainsAtLeast('*')"
Workgroup Member = "ContainsAtLeast('*')"
RemoteManagementAllowUnencryptedTraffic_Client
(CCE-38223-4)
Control Name: Remote management (WinRM) Allow unencrypted traffic
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client
Registry Value: AllowUnencryptedTraffic
Registry Value Type: REG_DWORD
Critical Domain Controller = "OneOf(Equals(0), Equals(null))"
Member Server = "OneOf(Equals(0), Equals(null))"
Workgroup Member = "OneOf(Equals(0), Equals(null))"
RemoteManagementAllowUnencryptedTraffic_Service
(AZ-WIN-73601)
Control Name: Remote management (WinRM) Allow unencrypted traffic - Service
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service
Registry Value: AllowUnencryptedTraffic
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
RemoteManagementDisallowDigestAuthentication
(CCE-38318-2)
Control Name: Remote management (WinRM) Disallow Digest authentication
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client
Registry Value: AllowDigest
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(0)"
Member Server = "Equals(0)"
Workgroup Member = "Equals(0)"
RemoteManagementDisallowStoringOfRunAsCredentials
(CCE-36000-8)
Control Name: Remote management (WinRM) Disallow WinRM from storing RunAs credentials
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service
Registry Value: DisableRunAs
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
RemoteProcedureCallRestrictUnauthenticatedRPCClients
(AZ-WIN-73541)
Control Name: Restrict Unauthenticated RPC clients
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc
Registry Value: RestrictRemoteClients
Registry Value Type: REG_DWORD
Critical Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
RenameAdministratorAccount
(CCE-10976-9)
Control Name: Accounts: Rename administrator account
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
CSP Value Type: String
Warning Domain Controller = "Not(Equals('Administrator'))"
Member Server = "Not(Equals('Administrator'))"
Workgroup Member = "Not(Equals('Administrator'))"
RenameGuestAccount
(AZ-WIN-202255)
Control Name: Accounts: Rename guest account
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
CSP Value Type: String
Warning Domain Controller = "Not(Equals('Guest'))"
Member Server = "Not(Equals('Guest'))"
Workgroup Member = "Not(Equals('Guest'))"
RequireCaseInsensitivityForNonWindowsSubsystems
(CCE-37885-1)
Control Name: System objects: Require case insensitivity for non-Windows subsystems
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel
Registry Value: ObCaseInsensitive
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
CSP Value Type: Integer
Warning Domain Controller = "OneOf(Equals(1), Equals(null))"
Member Server = "OneOf(Equals(1), Equals(null))"
Workgroup Member = "OneOf(Equals(1), Equals(null))"
RequireEncryption Control Name: Require Encryption
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation
Registry Value: RequireEncryption
Registry Value Type: REG_DWORD
Warning Domain Controller = "Range(0, 1)"
Member Server = "Range(0, 1)"
Workgroup Member = "Range(0, 1)"
RequireStrongSessionKey
(CCE-37614-5)
Control Name: Domain member: Require strong (Windows 2000 or later) session key
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry Value: RequireStrongKey
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
RestrictAnonymousAccessToNamedPipesAndShares
(CCE-36021-4)
Control Name: Network access: Restrict anonymous access to Named Pipes and Shares
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Registry Value: RestrictNullSessAccess
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(1), Equals(null))"
Member Server = "OneOf(Equals(1), Equals(null))"
Workgroup Member = "OneOf(Equals(1), Equals(null))"
RestrictClientsAllowedToMakeRemoteCallsToSAM
(AZ-WIN-00142)
Control Name: Network access: Restrict clients allowed to make remote calls to SAM
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
Registry Value: RestrictRemoteSAM
Registry Value Type: REG_SZ
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
CSP Value Type: String
Critical Member Server = "OneOf(Equals('O:BAG:BAD:(A;;RC;;;BA)'), Equals(''))"
Workgroup Member = "OneOf(Equals('O:BAG:BAD:(A;;RC;;;BA)'), Equals(''))"
RSSDisableEnclosureDownload
(CCE-37126-0)
Control Name: Prevent downloading of enclosures
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds
Registry Value: DisableEnclosureDownload
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
RunAllAdministratorsInAdminApprovalMode
(CCE-36869-6)
Control Name: User Account Control: Run all administrators in Admin Approval Mode
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value: EnableLUA
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
SafeDllSearchMode
(AZ-WIN-202215)
Control Name: MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager
Registry Value: SafeDllSearchMode
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
SAMRPCPasswordChangePolicy Control Name: Configure SAM change password RPC methods policy
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SAM
Registry Value: SamrChangeUserPasswordApiPolicy
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(2)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
SearchAllowIndexingEncryptedStoresOrItems
(CCE-38277-0)
Control Name: Allow indexing of encrypted files
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search
Registry Value: AllowIndexingEncryptedStoresOrItems
Registry Value Type: REG_DWORD
Warning Domain Controller = "OneOf(Equals(0), Equals(null))"
Member Server = "OneOf(Equals(0), Equals(null))"
Workgroup Member = "OneOf(Equals(0), Equals(null))"
SendUnencryptedPasswordToThirdPartySMBServers
(CCE-37863-8)
Control Name: Microsoft network client: Send unencrypted password to third-party SMB servers
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
Registry Value: EnablePlainTextPassword
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(0), Equals(null))"
Member Server = "OneOf(Equals(0), Equals(null))"
Workgroup Member = "OneOf(Equals(0), Equals(null))"
ServerSPNTargetNameValidationLevel
(CCE-10617-9)
Control Name: Microsoft network server: Server SPN target name validation level
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Registry Value: SmbServerNameHardeningLevel
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel
CSP Value Type: Integer
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
SharesThatCanBeAccessedAnonymously
(CCE-38095-6)
Control Name: Network access: Shares that can be accessed anonymously
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Registry Value: NullSessionShares
Registry Value Type: REG_MULTI_SZ
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/NetworkAccess_SharesThatCanBeAccessedAnonymously
CSP Value Type: MultiString
Critical Domain Controller = "OneOf(Equals(''), Equals(null))"
Member Server = "OneOf(Equals(''), Equals(null))"
Workgroup Member = "OneOf(Equals(''), Equals(null))"
SharingAndSecurityModelForLocalAccounts
(CCE-37623-6)
Control Name: Network access: Sharing and security model for local accounts
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
Registry Value: ForceGuest
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/NetworkAccess_SharingAndSecurityModelForLocalAccounts
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(0), Equals(null))"
Member Server = "OneOf(Equals(0), Equals(null))"
Workgroup Member = "OneOf(Equals(0), Equals(null))"
ShellDataExecutionPrevention
(CCE-37809-1)
Control Name: Turn off Data Execution Prevention for Explorer
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer
Registry Value: NoDataExecutionPrevention
Registry Value Type: REG_DWORD
Critical Domain Controller = "OneOf(Equals(0), Equals(null))"
Member Server = "OneOf(Equals(0), Equals(null))"
Workgroup Member = "OneOf(Equals(0), Equals(null))"
ShutdownSystemImmediatelyIfUnableToLogSecurityAudits
(CCE-35907-5)
Control Name: Audit: Shut down system immediately if unable to log security audits
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
Registry Value: CrashOnAuditFail
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits
CSP Value Type: Integer
Critical Domain Controller = "OneOf(Equals(0), Equals(null))"
Member Server = "OneOf(Equals(0), Equals(null))"
Workgroup Member = "OneOf(Equals(0), Equals(null))"
SmartCardRemovalBehavior
(AZ-WIN-73807)
Control Name: Interactive logon: Smart card removal behavior
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Registry Value: ScRemoveOption
Registry Value Type: REG_SZ
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
CSP Value Type: String
Important Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
SmartScreenEnableSmartScreenInShell
(CCE-35859-8)
Control Name: Configure Windows Defender SmartScreen
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
Registry Value: EnableSmartScreen
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
SmartScreenPreventOverrideForFilesInShell Control Name: Configure Windows Defender SmartScreen - Warn and Prevent bypass (Added)
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
Registry Value: ShellSmartScreenLevel
Registry Value Type: REG_SZ
Important Domain Controller = "Equals('Block')"
Member Server = "Equals('Block')"
Workgroup Member = "Equals('Block')"
StrengthenDefaultPermissionsOfInternalSystemObjects
(CCE-37644-2)
Control Name: System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager
Registry Value: ProtectionMode
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
SwitchToTheSecureDesktopWhenPromptingForElevation
(CCE-36866-2)
Control Name: User Account Control: Switch to the secure desktop when prompting for elevation
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value: PromptOnSecureDesktop
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
SystemAllowTelemetry
(AZ-WIN-00169)
Control Name: Allow Diagnostic Data
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection
Registry Value: AllowTelemetry
Registry Value Type: REG_DWORD
Warning Domain Controller = "Range(0, 1)"
Member Server = "Range(0, 1)"
Workgroup Member = "Range(0, 1)"
SystemBootStartDriverInitialization
(CCE-37912-3)
Control Name: Boot-Start Driver Initialization Policy
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch
Registry Value: DriverLoadPolicy
Registry Value Type: REG_DWORD
Warning Domain Controller = "OneOf(Equals(8),Equals(1),Equals(3),Equals(null))"
Member Server = "OneOf(Equals(8),Equals(1),Equals(3),Equals(null))"
Workgroup Member = "OneOf(Equals(8),Equals(1),Equals(3),Equals(null))"
SystemEnableSoftwareRestrictionPolicies
(AZ-WIN-00155)
Control Name: System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Registry Value: AuthenticodeEnabled
Registry Value Type: REG_DWORD
Warning Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
SystemLogonCacheSize
(AZ-WIN-73651)
Control Name: Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Registry Value: CachedLogonsCount
Registry Value Type: REG_SZ
Informational Member Server = "Range(0, 4)"
SystemMinimizeInternetConnections
(CCE-38338-0)
Control Name: Minimize the number of simultaneous connections to the Internet or a Windows Domain
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy
Registry Value: fMinimizeConnections
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(3)"
Member Server = "Equals(3)"
Workgroup Member = "Equals(3)"
SystemWindowsSearchService
(AZ-WIN-00176)
Control Name: Disable Windows Search Service
Registry Key: HKLM:\SYSTEM\CurrentControlSet\Services\Wsearch
Registry Value: Start
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(4)"
Member Server = "Equals(4)"
Workgroup Member = "Equals(4)"
TerminalServerTS_TEMP_DELETE
(CCE-37946-1)
Control Name: Do not delete temp folders upon exit
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value: DeleteTempDirsOnExit
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
TerminalServerTS_TEMP_PER_SESSION
(CCE-38180-6)
Control Name: Do not use temporary folders per session
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value: PerSessionTempDir
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
TerminalServerTS_USER_AUTHENTICATION_POLICY
(AZ-WIN-00149)
Control Name: Require user authentication for remote connections by using Network Level Authentication
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value: UserAuthentication
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
TurnOff_Windows_Error_Reporting
(AZ-WIN-73543)
Control Name: Turn off Inventory Collector
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat
Registry Value: DisableInventory
Registry Value Type: REG_DWORD
Informational Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
TurnOffPrintingOverHTTP
(AZ-WIN-73529)
Control Name: Turn off printing over HTTP
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers
Registry Value: DisableHTTPPrinting
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
UseAdminApprovalMode
(CCE-36494-3)
Control Name: User Account Control: Admin Approval Mode for the Built-in Administrator account
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value: FilterAdministratorToken
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
UserRightsAccessCredentialManagerAsTrustedCaller
(CCE-37056-9)
Control Name: Access Credential Manager as a trusted caller
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/AccessCredentialManagerAsTrustedCaller
CSP Value Type: String
Warning Domain Controller = "Equals('')"
Member Server = "Equals('')"
Workgroup Member = "Equals('')"
UserRightsAccessFromNetwork
(CCE-35818-4)
Control Name: Access this computer from the network
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/AccessFromNetwork
CSP Value Type: String
Critical Domain Controller = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-11', '*S-1-5-9')"
Member Server = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-11')"
Workgroup Member = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-11')"
UserRightsActAsPartOfTheOperatingSystem
(CCE-36876-1)
Control Name: Act as part of the operating system
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/ActAsPartOfTheOperatingSystem
CSP Value Type: String
Critical Domain Controller = "Equals('')"
Member Server = "Equals('')"
Workgroup Member = "Equals('')"
UserRightsAdjustMemoryQuotasForProcess
(CCE-10849-8)
Control Name: Adjust memory quotas for a process
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/AdjustMemoryQuotasForProcess
CSP Value Type: String
Warning Domain Controller = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-19', '*S-1-5-20')"
Member Server = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-19', '*S-1-5-20')"
Workgroup Member = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-19', '*S-1-5-20')"
UserRightsAllowLocalLogOn
(CCE-37659-0)
Control Name: Allow log on locally
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/AllowLocalLogOn
CSP Value Type: String
Critical Domain Controller = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-9')"
Member Server = "ContainsAtMost('*S-1-5-32-544')"
Workgroup Member = "ContainsAtMost('*S-1-5-32-544')"
UserRightsAllowLogOnThroughRemoteDesktop
(CCE-37072-6)
Control Name: Allow log on through Remote Desktop Services
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/AllowLogOnThroughRemoteDesktop
CSP Value Type: String
Critical Domain Controller = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-32-555')"
Member Server = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-32-555')"
Workgroup Member = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-32-555')"
UserRightsBackupFilesAndDirectories
(CCE-35912-5)
Control Name: Back up files and directories
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/BackupFilesAndDirectories
CSP Value Type: String
Critical Domain Controller = "ContainsExactly('*S-1-5-32-544')"
Member Server = "ContainsExactly('*S-1-5-32-544')"
Workgroup Member = "ContainsExactly('*S-1-5-32-544')"
UserRightsBypassTraverseChecking
(AZ-WIN-00184)
Control Name: Bypass traverse checking
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/BypassTraverseChecking
CSP Value Type: String
Critical Member Server = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-11', '*S-1-5-32-551', '*S-1-5-19', '*S-1-5-20')"
Workgroup Member = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-11', '*S-1-5-32-551', '*S-1-5-19', '*S-1-5-20')"
UserRightsChangeSystemTime
(CCE-37452-0)
Control Name: Change the system time
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/ChangeSystemTime
CSP Value Type: String
Critical Domain Controller = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-32-549', '*S-1-5-19')"
Member Server = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-32-549', '*S-1-5-19')"
Workgroup Member = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-32-549', '*S-1-5-19')"
UserRightsChangeTimeZone
(CCE-37700-2)
Control Name: Change the time zone
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/ChangeTimeZone
CSP Value Type: String
Critical Domain Controller = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-19')"
Member Server = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-19')"
Workgroup Member = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-19')"
UserRightsCreateGlobalObjects
(CCE-37453-8)
Control Name: Create global objects
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/CreateGlobalObjects
CSP Value Type: String
Warning Domain Controller = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-6', '*S-1-5-19', '*S-1-5-20')"
Member Server = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-6', '*S-1-5-19', '*S-1-5-20')"
Workgroup Member = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-6', '*S-1-5-19', '*S-1-5-20')"
UserRightsCreatePageFile
(CCE-35821-8)
Control Name: Create a pagefile
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/CreatePageFile
CSP Value Type: String
Critical Domain Controller = "ContainsExactly('*S-1-5-32-544')"
Member Server = "ContainsExactly('*S-1-5-32-544')"
Workgroup Member = "ContainsExactly('*S-1-5-32-544')"
UserRightsCreatePermanentSharedObjects
(CCE-36532-0)
Control Name: Create permanent shared objects
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/CreatePermanentSharedObjects
CSP Value Type: String
Warning Domain Controller = "Equals('')"
Member Server = "Equals('')"
Workgroup Member = "Equals('')"
UserRightsCreateSymbolicLinks
(CCE-35823-4)
Control Name: Create symbolic links
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/CreateSymbolicLinks
CSP Value Type: String
Critical Domain Controller = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-83-0')"
Member Server = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-83-0')"
Workgroup Member = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-83-0')"
UserRightsCreateToken
(CCE-36861-3)
Control Name: Create a token object
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/CreateToken
CSP Value Type: String
Warning Domain Controller = "Equals('')"
Member Server = "Equals('')"
Workgroup Member = "Equals('')"
UserRightsDebugPrograms
(AZ-WIN-73755)
Control Name: Debug programs
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/DebugPrograms
CSP Value Type: String
Critical Domain Controller = "ContainsExactly('*S-1-5-32-544')"
Member Server = "ContainsExactly('*S-1-5-32-544')"
Workgroup Member = "ContainsExactly('*S-1-5-32-544')"
UserRightsDenyAccessFromNetwork
(CCE-37954-5)
Control Name: Deny access to this computer from the network
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/DenyAccessFromNetwork
CSP Value Type: String
Critical Domain Controller = "ContainsAtLeast('*S-1-5-32-546')"
Member Server = "ContainsAtLeast('*S-1-5-32-546')"
Workgroup Member = "ContainsAtLeast('*S-1-5-32-546')"
UserRightsDenyLocalLogOn
(CCE-37146-8)
Control Name: Deny log on locally
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/DenyLocalLogOn
CSP Value Type: String
Critical Domain Controller = "ContainsAtLeast('*S-1-5-32-546')"
Member Server = "ContainsAtLeast('*S-1-5-32-546')"
Workgroup Member = "ContainsAtLeast('*S-1-5-32-546')"
UserRightsDenyLogOnAsBatchJob
(CCE-36923-1)
Control Name: Deny log on as a batch job
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/DenyLogOnAsBatchJob
CSP Value Type: String
Critical Domain Controller = "ContainsAtLeast('*S-1-5-32-546')"
Member Server = "ContainsAtLeast('*S-1-5-32-546')"
Workgroup Member = "ContainsAtLeast('*S-1-5-32-546')"
UserRightsDenyLogOnAsService
(CCE-36877-9)
Control Name: Deny log on as a service
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/DenyLogOnAsService
CSP Value Type: String
Critical Domain Controller = "ContainsAtLeast('*S-1-5-32-546')"
Member Server = "ContainsAtLeast('*S-1-5-32-546')"
Workgroup Member = "ContainsAtLeast('*S-1-5-32-546')"
UserRightsDenyRemoteDesktopServicesLogOn
(CCE-36867-0)
Control Name: Deny log on through Remote Desktop Services
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/DenyRemoteDesktopServicesLogOn
CSP Value Type: String
Critical Domain Controller = "ContainsAtLeast('*S-1-5-32-546')"
Member Server = "ContainsAtLeast('*S-1-5-32-546')"
Workgroup Member = "ContainsAtLeast('*S-1-5-32-546')"
UserRightsEnableDelegation
(CCE-36860-5)
Control Name: Enable computer and user accounts to be trusted for delegation
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/EnableDelegation
CSP Value Type: String
Critical Domain Controller = "ContainsExactly('*S-1-5-32-544')"
Member Server = "Equals('')"
Workgroup Member = "Equals('')"
UserRightsGenerateSecurityAudits
(CCE-37639-2)
Control Name: Generate security audits
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/GenerateSecurityAudits
CSP Value Type: String
Critical Domain Controller = "ContainsAtMost('*S-1-5-19', '*S-1-5-20', '*S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415')"
Member Server = "ContainsAtMost('*S-1-5-19', '*S-1-5-20', '*S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415')"
Workgroup Member = "ContainsAtMost('*S-1-5-19', '*S-1-5-20', '*S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415')"
UserRightsIncreaseProcessWorkingSet
(AZ-WIN-00185)
Control Name: Increase a process working set
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/IncreaseProcessWorkingSet
CSP Value Type: String
Warning Member Server = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-19')"
Workgroup Member = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-19')"
UserRightsIncreaseSchedulingPriority
(CCE-38326-6)
Control Name: Increase scheduling priority
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/IncreaseSchedulingPriority
CSP Value Type: String
Warning Domain Controller = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-90-0')"
Member Server = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-90-0')"
Workgroup Member = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-90-0')"
UserRightsLoadUnloadDeviceDrivers
(CCE-36318-4)
Control Name: Load and unload device drivers
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/LoadUnloadDeviceDrivers
CSP Value Type: String
Warning Domain Controller = "ContainsAtMost('*S-1-5-32-544', '*S-1-5-32-550')"
Member Server = "ContainsAtMost('*S-1-5-32-544')"
Workgroup Member = "ContainsAtMost('*S-1-5-32-544')"
UserRightsLockMemory
(CCE-36495-0)
Control Name: Lock pages in memory
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/LockMemory
CSP Value Type: String
Warning Domain Controller = "Equals('')"
Member Server = "Equals('')"
Workgroup Member = "Equals('')"
UserRightsManageAuditingAndSecurityLog
(CCE-35906-7)
Control Name: Manage auditing and security log
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/ManageAuditingAndSecurityLog
CSP Value Type: String
Critical Domain Controller = "ContainsExactly('*S-1-5-32-544')"
Member Server = "ContainsExactly('*S-1-5-32-544')"
Workgroup Member = "ContainsExactly('*S-1-5-32-544')"
UserRightsManageVolume
(CCE-36143-6)
Control Name: Perform volume maintenance tasks
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/ManageVolume
CSP Value Type: String
Warning Domain Controller = "ContainsExactly('*S-1-5-32-544')"
Member Server = "ContainsExactly('*S-1-5-32-544')"
Workgroup Member = "ContainsExactly('*S-1-5-32-544')"
UserRightsModifyFirmwareEnvironment
(CCE-38113-7)
Control Name: Modify firmware environment values
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/ModifyFirmwareEnvironment
CSP Value Type: String
Warning Domain Controller = "ContainsExactly('*S-1-5-32-544')"
Member Server = "ContainsExactly('*S-1-5-32-544')"
Workgroup Member = "ContainsExactly('*S-1-5-32-544')"
UserRightsModifyObjectLabel
(CCE-36054-5)
Control Name: Modify an object label
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/ModifyObjectLabel
CSP Value Type: String
Warning Domain Controller = "Equals('')"
Member Server = "Equals('')"
Workgroup Member = "Equals('')"
UserRightsProfileSingleProcess
(CCE-37131-0)
Control Name: Profile single process
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/ProfileSingleProcess
CSP Value Type: String
Warning Domain Controller = "ContainsExactly('*S-1-5-32-544')"
Member Server = "ContainsExactly('*S-1-5-32-544')"
Workgroup Member = "ContainsExactly('*S-1-5-32-544')"
UserRightsProfileSystemPerformance
(CCE-36052-9)
Control Name: Profile system performance
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/ProfileSystemPerformance
CSP Value Type: String
Warning Domain Controller = "ContainsAtMost('*S-1-5-32-544',
'*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420')"
Member Server = "ContainsAtMost('*S-1-5-32-544',
'*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420')"
Workgroup Member = "ContainsAtMost('*S-1-5-32-544',
'*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420')"
UserRightsRemoteShutdown
(CCE-37877-8)
Control Name: Force shutdown from a remote system
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/RemoteShutdown
CSP Value Type: String
Critical Domain Controller = "ContainsExactly('*S-1-5-32-544')"
Member Server = "ContainsExactly('*S-1-5-32-544')"
Workgroup Member = "ContainsExactly('*S-1-5-32-544')"
UserRightsReplaceProcessLevelToken
(CCE-37430-6)
Control Name: Replace a process level token
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/ReplaceProcessLevelToken
CSP Value Type: String
Warning Domain Controller = "ContainsAtMost('*S-1-5-19', '*S-1-5-20')"
Member Server = "ContainsAtMost('*S-1-5-19', '*S-1-5-20')"
Workgroup Member = "ContainsAtMost('*S-1-5-19', '*S-1-5-20')"
UserRightsRestoreFilesAndDirectories
(CCE-37613-7)
Control Name: Restore files and directories
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/RestoreFilesAndDirectories
CSP Value Type: String
Warning Domain Controller = "ContainsExactly('*S-1-5-32-544')"
Member Server = "ContainsExactly('*S-1-5-32-544')"
Workgroup Member = "ContainsExactly('*S-1-5-32-544')"
UserRightsShutDownTheSystem
(CCE-38328-1)
Control Name: Shut down the system
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/ShutDownTheSystem
CSP Value Type: String
Warning Domain Controller = "ContainsExactly('*S-1-5-32-544')"
Member Server = "ContainsExactly('*S-1-5-32-544')"
Workgroup Member = "ContainsExactly('*S-1-5-32-544')"
UserRightsTakeOwnership
(CCE-38325-7)
Control Name: Take ownership of files or other objects
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/UserRights/TakeOwnership
CSP Value Type: String
Critical Domain Controller = "ContainsExactly('*S-1-5-32-544')"
Member Server = "ContainsExactly('*S-1-5-32-544')"
Workgroup Member = "ContainsExactly('*S-1-5-32-544')"
VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
(CCE-37064-3)
Control Name: User Account Control: Virtualize file and registry write failures to per-user locations
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value: EnableVirtualization
Registry Value Type: REG_DWORD
CSP Name: ./Vendor/MSFT/Policy
CSP Path: Config/LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
CSP Value Type: Integer
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
WindowsExplorerShellProtocolProtectedModeTitle_2
(CCE-36809-2)
Control Name: Turn off shell protocol protected mode
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Registry Value: PreXPSP2ShellProtocolBehavior
Registry Value Type: REG_DWORD
Warning Domain Controller = "OneOf(Equals(0), Equals(null))"
Member Server = "OneOf(Equals(0), Equals(null))"
Workgroup Member = "OneOf(Equals(0), Equals(null))"
WindowsHelloAntiSpoofing Control Name: Configure enhanced anti-spoofing
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures
Registry Value: EnhancedAntiSpoofing
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
WindowsLogonAllowAutomaticRestartSignOn
(CCE-36977-7)
Control Name: Sign-in last interactive user automatically after a system-initiated restart
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value: DisableAutomaticRestartSignOn
Registry Value Type: REG_DWORD
Critical Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
WindowsLogonConfigAutomaticRestartSignOn Control Name: Sign-in and lock last interactive user automatically after a restart
Registry Key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value: AutomaticRestartSignOnConfig
Registry Value Type: REG_DWORD
Important Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
WindowsLogonDisableLockScreenAppNotifications
(CCE-35893-7)
Control Name: Turn off app notifications on the lock screen
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
Registry Value: DisableLockScreenAppNotifications
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
WindowsLogonDontDisplayNetworkSelectionUI
(CCE-38353-9)
Control Name: Do not display network selection UI
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
Registry Value: DontDisplayNetworkSelectionUI
Registry Value Type: REG_DWORD
Warning Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
WindowsLogonEnumerateLocalUsersOnDomainJoinedComputers
(AZ-WIN-202204)
Control Name: Enumerate local users on domain-joined computers
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
Registry Value: EnumerateLocalUsers
Registry Value Type: REG_DWORD
Warning Member Server = "Equals(0)"
WindowsPowerShellTurnOnPowerShellScriptBlockLogging
(AZ-WIN-73591)
Control Name: Turn on PowerShell Script Block Logging
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
Registry Value: EnableScriptBlockLogging
Registry Value Type: REG_DWORD
Important Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
WinVerityTrustSignatureValidationVulnerabilityMitigation1
(AZ-WIN-202401)
Control Name: WinVerifyTrust Signature Validation vulnerability Mitigation 1
Registry Key: HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config
Registry Value: EnableCertPaddingCheck
Registry Value Type: REG_SZ
Important Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
WinVerityTrustSignatureValidationVulnerabilityMitigation2
(AZ-WIN-202402)
Control Name: WinVerifyTrust Signature Validation vulnerability Mitigation 2
Registry Key: HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config
Registry Value: EnableCertPaddingCheck
Registry Value Type: REG_SZ
Important Domain Controller = "Equals(1)"
Member Server = "Equals(1)"
Workgroup Member = "Equals(1)"
AllowDatagramProcessingOnWinServer Control Name: This setting controls whether datagram processing for Network Protection is enabled on Server
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS
Registry Value: AllowDatagramProcessingOnWinServer
Registry Value Type: REG_DWORD
Important Equals(0)
AllowNetworkProtectionOnWinServer Control Name: This setting controls whether Network Protection is allowed to be configured into Block or Audit mode on Windows Server
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
Registry Value: AllowNetworkProtectionOnWinServer
Registry Value Type: REG_DWORD
Important Equals(1)
ASRBlockAbuseOfExploitedVulnerableSignedDrivers Control Name: Block abuse of exploited vulnerable signed drivers
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
Registry Value: 56a863a9-875e-4185-98a7-b882c64b5ce5
Registry Value Type: REG_DWORD
Critical Equals(1)
ASRBlockAdobeReaderFromCreatingChildProcesses Control Name: Block Adobe Reader from creating child processes
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
Registry Value: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Registry Value Type: REG_DWORD
Informational Equals(0)
ASRBlockEXEFromEmailClientAndWebmail Control Name: Block executable content from email client and webmail
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
Registry Value: be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
Registry Value Type: REG_DWORD
Informational Equals(0)
ASRBlockEXEFromRunningUnlessTrusted Control Name: Block executable files from running unless they meet a prevalence, age, or trusted list criterion
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
Registry Value: 01443614-cd74-433a-b99e-2ecdc07bfc25
Registry Value Type: REG_DWORD
Critical Equals(1)
ASRBlockJSVBSLaunchingDownloadedContent Control Name: Block JavaScript or VBScript from launching downloaded executable content
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
Registry Value: d3e037e1-3eb8-44c8-a917-57927947596d
Registry Value Type: REG_DWORD
Critical Equals(1)
ASRBlockLSASSCredentialStealing Control Name: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
Registry Value: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Registry Value Type: REG_DWORD
Critical Equals(1)
ASRBlockOfficeApplicationsFromCreatingChildProcesses Control Name: Block all Office applications from creating child processes
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
Registry Value: d4f940ab-401b-4efc-aadc-ad5f3c50688a
Registry Value Type: REG_DWORD
Informational Equals(0)
ASRBlockOfficeCommunicationApplicationFromCreatingChildProcesses Control Name: Block Office communication application from creating child processes
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
Registry Value: 26190899-1602-49e8-8b27-eb1d0a1ce869
Registry Value Type: REG_DWORD
Informational Equals(0)
ASRBlockOfficeFromCreatingExecutableContent Control Name: Block Office applications from creating executable content
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
Registry Value: 3b576869-a4ec-4529-8536-b80a7769e899
Registry Value Type: REG_DWORD
Informational Equals(0)
ASRBlockOfficeFromInjectingCodeIntoProcesses Control Name: Block Office applications from injecting code into other processes
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
Registry Value: 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
Registry Value Type: REG_DWORD
Informational Equals(0)
ASRBlockPersistenceThroughWMIEventSubscription Control Name: Block persistence through WMI event subscription (File and folder exclusions not supported)
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
Registry Value: e6db77e5-3df2-4cf1-b95a-636979351e5b
Registry Value Type: REG_DWORD
Important Equals(2)
ASRBlockPotentiallyObfuscatedScripts Control Name: Block execution of potentially obfuscated scripts
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
Registry Value: 5beb7efe-fd9a-4556-801d-275e5ffc04cc
Registry Value Type: REG_DWORD
Critical Equals(1)
ASRBlockProcessCreationFromPSExecAndWMICommands Control Name: Block process creations originating from PSExec and WMI commands
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
Registry Value: d1e49aac-8f56-4280-b9ba-993a6d77406c
Registry Value Type: REG_DWORD
Important Equals(2)
ASRBlockRebootingMachineInSafeMode Control Name: Block rebooting machine in Safe Mode (preview)
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
Registry Value: 33ddedf1-c6e0-47cb-833e-de6133960387
Registry Value Type: REG_DWORD
Important Equals(2)
ASRBlockUntrustedAndUnsignedProcessesRunningFromUSB Control Name: Block untrusted and unsigned processes that run from USB
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
Registry Value: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Registry Value Type: REG_DWORD
Critical Equals(1)
ASRBlockUseOfCopiedOrImpersonatedSystemTools Control Name: Block use of copied or impersonated system tools (preview)
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
Registry Value: c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb
Registry Value Type: REG_DWORD
Important Equals(2)
ASRBlockWebshellCreationForServers Control Name: Block Webshell creation for Servers
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
Registry Value: a8f5898e-1dc8-49a9-9878-85004b8a61e6
Registry Value Type: REG_DWORD
Critical Equals(1)
ASRBlockWIN32APIFromOfficeMacros Control Name: Block Win32 API calls from Office macros
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
Registry Value: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
Registry Value Type: REG_DWORD
Informational Equals(0)
ASRUseAdvancedProtectionAgainstRansomware Control Name: Use advanced protection against ransomware
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
Registry Value: c1db55ab-c21a-4637-bb3f-a12568109d35
Registry Value Type: REG_DWORD
Critical Equals(1)
AttackSurfaceReductionRules
(AZ-WIN-202205)
Control Name: Configure Attack Surface Reduction rules
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR
Registry Value: ExploitGuard_ASR_Rules
Registry Value Type: REG_DWORD
Critical Equals(1)
DisableAntiSpyware Control Name: Turn off Microsoft Defender AntiVirus
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender
Registry Value: DisableAntiSpyware
Registry Value Type: REG_DWORD
Critical Equals(0)
DisableAutoExclusions Control Name: Turn off Auto Exclusions
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions
Registry Value: DisableAutoExclusions
Registry Value Type: REG_DWORD
Critical Equals(0)
DisableBehaviorMonitoring Control Name: Turn on behavior monitoring
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Registry Value: DisableBehaviorMonitoring
Registry Value Type: REG_DWORD
Critical Equals(0)
DisableBlockAtFirstSeen Control Name: Configure the 'Block at First Sight' feature
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet
Registry Value: DisableBlockAtFirstSeen
Registry Value Type: REG_DWORD
Critical Equals(0)
DisableEmailScanning Control Name: Turn on e-mail scanning
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan
Registry Value: DisableEmailScanning
Registry Value Type: REG_DWORD
Critical Equals(0)
DisableIOAVProtection Control Name: Scan all downloaded files and attachments
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Registry Value: DisableIOAVProtection
Registry Value Type: REG_DWORD
Critical Equals(0)
DisableRealtimeMonitoring Control Name: Turn off real-time protection
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Registry Value: DisableRealtimeMonitoring
Registry Value Type: REG_DWORD
Critical Equals(0)
DisableRemovableDriveScanning Control Name: Scan removable drives
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan
Registry Value: DisableRemovableDriveScanning
Registry Value Type: REG_DWORD
Critical Equals(0)
DisableRoutinelyTakingAction Control Name: Turn off routine remediation
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender
Registry Value: DisableRoutinelyTakingAction
Registry Value Type: REG_DWORD
Critical Equals(0)
DisableScanOnUpdate Control Name: Turn on scan after security intelligence update
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates
Registry Value: DisableScanOnUpdate
Registry Value Type: REG_DWORD
Critical Equals(0)
DisableScriptScanning Control Name: Turn on script scanning
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Registry Value: DisableScriptScanning
Registry Value Type: REG_DWORD
Critical Equals(0)
DisallowExploitProtectionOverride Control Name: Prevent users from modifying settings
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection
Registry Value: DisallowExploitProtectionOverride
Registry Value Type: REG_DWORD
Critical Equals(1)
EnableConvertWarnToBlock Control Name: Convert warn verdict to block
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\NIS
Registry Value: EnableConvertWarnToBlock
Registry Value Type: REG_DWORD
Important Equals(0)
EngineRing Control Name: Select the channel for Microsoft Defender monthly engine updates
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender
Registry Value: EngineRing
Registry Value Type: REG_DWORD
Critical OneOf(Equals(5),Equals(6))
HideExclusionsFromLocalAdmins Control Name: Control whether or not exclusions are visible to Local Admins
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender
Registry Value: HideExclusionsFromLocalAdmins
Registry Value Type: REG_DWORD
Important Equals(1)
HideExclusionsFromLocalUsers Control Name: Control whether exclusions are visible to local users
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender
Registry Value: HideExclusionsFromLocalUsers
Registry Value Type: REG_DWORD
Critical Equals(1)
LocalSettingOverrideSpynetReporting Control Name: Configure local setting override for reporting to Microsoft MAPS
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet
Registry Value: LocalSettingOverrideSpynetReporting
Registry Value Type: REG_DWORD
Important Equals(0)
MpCloudBlockLevel Control Name: Select cloud protection level
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine
Registry Value: MpCloudBlockLevel
Registry Value Type: REG_DWORD
Critical OneOf(Equals(2),Equals(4),Equals(6))
OobeEnableRtpAndSigUpdate Control Name: Configure real-time protection and Security Intelligence Updates during OOBE
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Registry Value: OobeEnableRtpAndSigUpdate
Registry Value Type: REG_DWORD
Critical Equals(1)
PlatformRing Control Name: Select the channel for Microsoft Defender monthly platform updates
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender
Registry Value: PlatformRing
Registry Value Type: REG_DWORD
Critical OneOf(Equals(5),Equals(6))
PUAProtection Control Name: Configure detection for potentially unwanted applications
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender
Registry Value: PUAProtection
Registry Value Type: REG_DWORD
Critical Equals(2)
QuickScanIncludeExclusions Control Name: Scan excluded files and directories during quick scans
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan
Registry Value: QuickScanIncludeExclusions
Registry Value Type: REG_DWORD
Important Equals(1)
SchedulerRandomizationTime Control Name: Configure scheduled task times randomization window
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender
Registry Value: SchedulerRandomizationTime
Registry Value Type: REG_DWORD
Important Range(1, 4)
SignaturesRing Control Name: Select the channel for Microsoft Defender daily security intelligence updates
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender
Registry Value: SignaturesRing
Registry Value Type: REG_DWORD
Critical Equals(5)
SpynetReporting Control Name: Join Microsoft MAPS
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet
Registry Value: SpynetReporting
Registry Value Type: REG_DWORD
Critical Equals(2)
SubmitSamplesConsent Control Name: Send file samples when further analysis is required
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet
Registry Value: SubmitSamplesConsent
Registry Value Type: REG_DWORD
Critical OneOf(Equals(1),Equals(3))
ConfigureSystemGuardLaunch
(AZ-WIN-202247)
Control Name: Secured-Core SystemGuard (DRTM)
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
Registry Value: ConfigureSystemGuardLaunch
CSP Name: ./Vendor/MSFT/Policy
CSP Path(s): Config/DeviceGuard/ConfigureSystemGuardLaunch
Data Type: Number
Critical 1
EnableVirtualizationBasedSecurity
(AZ-WIN-202245)
Control Name: Secured-Core Virtualization Based Security (VBS)
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
Registry Value: EnableVirtualizationBasedSecurity
CSP Name: ./Vendor/MSFT/Policy
CSP Path(s): Config/DeviceGuard/EnableVirtualizationBasedSecurity
Data Type: Number
Critical 1
HypervisorEnforcedCodeIntegrity
(AZ-WIN-202246)
Control Name: Secured-Core Hypervisor-protected Code Integrity (HVCI)
Registry Key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
Registry Value: HypervisorEnforcedCodeIntegrity
CSP Name: ./Vendor/MSFT/Policy
CSP Path(s): Config/VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity
Data Type: Number
Critical 2

Note

Availability of specific Azure Policy Machine Configuration settings may vary in Azure Government and other national clouds.

If you'd like to download this list of rules, see Security Baseline Ruleset.

Next steps

Additional articles about Azure Policy and Machine Configuration: