Jun 17, 2024
Miscellaneous:
- Metadata updated.
- References updated.

Apr 12, 2023
Functional Update:
- 1.1.1.4 Set 'Minimum password length' to '14 or more character(s)'
- 1.1.1.5 Set 'Enforce password history' to '24 or more password(s)'
- 1.1.1.8 Set 'Minimum password age' to '1 or more day(s)'
- 1.1.1.9 Set 'Maximum password age' to '60 or fewer days'
Miscellaneous:
- Metadata updated.
- Platform check updated.
- Variables updated.

Mar 8, 2023
Functional Update:
- 1.1.3.1.6 Set 'Accounts: Limit local account use of blank passwords to console logon only' to 'Enabled'
- 1.1.5.1.6 Set 'Windows Firewall: Domain: Allow unicast response' to 'No'
- 1.2.4.2.1.16 Set 'Require use of smart cards on fixed data drives' to 'True'
- 1.2.4.2.1.6 Set 'Use BitLocker software-based encryption when hardware encryption is not available' to 'True'
- 1.2.4.2.3.15 Set 'Configure use of smart cards on removable data drives' to 'Enabled'
- 1.2.4.2.3.16 Set 'Require use of smart cards on removable data drives' to 'True'
- 1.2.4.2.3.6 Set 'Use BitLocker software-based encryption when hardware encryption is not available' to 'True'

Mar 7, 2023
Miscellaneous:
- Metadata updated.
- References updated.

Jan 4, 2023

Dec 7, 2022

Oct 6, 2022
Informational Update:
- 1.2.4.2.1.1 Set 'Configure use of hardware-based encryption for fixed data drives' to 'Enabled'
- 1.2.4.2.1.10 Set 'Choose how BitLocker-protected fixed drives can be recovered' to 'Enabled'
- 1.2.4.2.1.11 Set 'Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' to 'False'
- 1.2.4.2.1.12 Set 'Configure storage of BitLocker recovery information to AD DS:' to 'Backup recovery passwords and key packages'
- 1.2.4.2.1.13 Set 'Save BitLocker recovery information to AD DS for fixed data drives' to 'False'
- 1.2.4.2.1.14 Set 'Omit recovery options from the BitLocker setup wizard' to 'True'
- 1.2.4.2.1.15 Set 'Configure use of smart cards on fixed data drives' to 'Enabled'
- 1.2.4.2.1.16 Set 'Require use of smart cards on fixed data drives' to 'True'
- 1.2.4.2.1.17 Configure 'Deny write access to fixed drives not protected by BitLocker'
- 1.2.4.2.1.18 Set 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' to 'Disabled'
- 1.2.4.2.1.3 Set 'Configure use of passwords for fixed data drives' to 'Disabled'
- 1.2.4.2.1.4 Set 'Recovery Key' to 'Allow 256-bit recovery key'
- 1.2.4.2.1.5 Set 'Recovery Password' to 'Allow 48-digit recovery password'
- 1.2.4.2.1.6 Set 'Use BitLocker software-based encryption when hardware encryption is not available' to 'True'
- 1.2.4.2.1.7 Set 'Restrict crypto algorithms or cipher suites to the following:' to '2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42'
- 1.2.4.2.1.8 Set 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' to 'False'
- 1.2.4.2.1.9 Set 'Allow data recovery agent' to 'True'
- 1.2.4.2.2.1 Set 'Configure use of hardware-based encryption for operating system drives' to 'Enabled'
- 1.2.4.2.2.10 Set 'Choose how BitLocker-protected operating system drives can be recovered' to 'Enabled'
- 1.2.4.2.2.11 Set 'Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' to 'True'
- 1.2.4.2.2.12 Set 'Configure storage of BitLocker recovery information to AD DS:' to 'Store recovery passwords and key packages'
- 1.2.4.2.2.13 Set 'Save BitLocker recovery information to AD DS for operating system drives' to 'True'
- 1.2.4.2.2.14 Set 'Omit recovery options from the BitLocker setup wizard' to 'True'
- 1.2.4.2.2.15 Set 'Require additional authentication at startup' to 'Enabled'
- 1.2.4.2.2.16 Set 'Allow BitLocker without a compatible TPM' to 'False'
- 1.2.4.2.2.18 Set 'Configure TPM startup PIN:' to 'Require startup PIN with TPM'
- 1.2.4.2.2.19 Set 'Configure TPM startup:' to 'Do not allow TPM'
- 1.2.4.2.2.20 Set 'Configure TPM startup key:' to 'Do not allow startup key with TPM'
- 1.2.4.2.2.21 Configure 'Use enhanced Boot Configuration Data validation profile'
- 1.2.4.2.2.22 Configure 'Enable use of BitLocker authentication requiring preboot keyboard input on slates'
- 1.2.4.2.2.23 Configure 'Configure TPM platform validation profile for BIOS-based firmware configurations'
- 1.2.4.2.2.24 Configure 'Configure TPM platform validation profile for native UEFI firmware configurations'
- 1.2.4.2.2.25 Set 'Allow enhanced PINs for startup' to 'Enabled'
- 1.2.4.2.2.26 Configure 'Disallow standard users from changing the PIN or password'
- 1.2.4.2.2.27 Set 'Allow Secure Boot for integrity validation' to 'Enabled'
- 1.2.4.2.2.28 Set 'Minimum characters:' to 'Enabled:7 or more characters'
- 1.2.4.2.2.29 Configure 'Allow network unlock at startup'
- 1.2.4.2.2.3 Set 'Configure use of passwords for operating system drives' to 'Disabled'
- 1.2.4.2.2.30 Configure 'Reset platform validation data after BitLocker recovery'
- 1.2.4.2.2.4 Set 'Recovery Key' to 'Do not allow 256-bit recovery key'
- 1.2.4.2.2.5 Set 'Recovery Password' to 'Require 48-digit recovery password'
- 1.2.4.2.2.6 Set 'Use BitLocker software-based encryption when hardware encryption is not available' to 'True'
- 1.2.4.2.2.7 Set 'Restrict crypto algorithms or cipher suites to the following:' to '2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42'
- 1.2.4.2.2.8 Set 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' to 'False'
- 1.2.4.2.2.9 Set 'Allow data recovery agent' to 'False'
- 1.2.4.2.3.1 Set 'Configure use of hardware-based encryption for removable data drives' to 'Enabled'
- 1.2.4.2.3.10 Set 'Choose how BitLocker-protected removable drives can be recovered' to 'Enabled'
- 1.2.4.2.3.11 Set 'Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' to 'False'
- 1.2.4.2.3.12 Set 'Configure storage of BitLocker recovery information to AD DS:' to 'Backup recovery passwords and key packages'
- 1.2.4.2.3.13 Set 'Save BitLocker recovery information to AD DS for removable data drives' to 'False'
- 1.2.4.2.3.14 Set 'Omit recovery options from the BitLocker setup wizard' to 'True'
- 1.2.4.2.3.15 Set 'Configure use of smart cards on removable data drives' to 'Enabled'
- 1.2.4.2.3.16 Set 'Require use of smart cards on removable data drives' to 'True'
- 1.2.4.2.3.17 Set 'Deny write access to removable drives not protected by BitLocker' to 'Enabled'
- 1.2.4.2.3.18 Set 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' to 'Disabled'
- 1.2.4.2.3.19 Configure 'Control use of BitLocker on removable drives'
- 1.2.4.2.3.20 Set 'Do not allow write access to devices configured in another organization' to 'True'
- 1.2.4.2.3.3 Set 'Configure use of passwords for removable data drives' to 'Disabled'
- 1.2.4.2.3.4 Set 'Recovery Key' to 'Do not allow 256-bit recovery key'
- 1.2.4.2.3.5 Set 'Recovery Password' to 'Do not allow 48-digit recovery password'
- 1.2.4.2.3.6 Set 'Use BitLocker software-based encryption when hardware encryption is not available' to 'True'
- 1.2.4.2.3.7 Set 'Restrict crypto algorithms or cipher suites to the following:' to '2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42'
- 1.2.4.2.3.8 Set 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' to 'False'
- 1.2.4.2.3.9 Set 'Allow data recovery agent' to 'True'
- 1.2.4.2.5 Set 'Select the encryption method:' to 'Enabled:AES 256-bit'
- 1.2.4.2.6 Configure 'Prevent memory overwrite on restart'
Removed:
- 1.1.5.1.10 Set 'Inbound Connections' to 'Enabled:Block (default)'
- 1.2.4.2.2.17 Set 'Configure TPM startup key and PIN:' to 'Do not allow startup key and PIN with TPM'
- 1.2.4.2.3.2 Configure 'Enforce drive encryption type on removable data drives'
- 1.2.4.6.2 Set 'Allow Basic authentication' to 'Disabled'
- BitLocker is not enabled.

Apr 25, 2022

Mar 29, 2022
Miscellaneous:
- Metadata updated.
- References updated.

Jun 17, 2021
Miscellaneous:
- Metadata updated.
- References updated.
Added:
- 1.2.4.13 Configure 'Allow all trusted apps to install'
Removed:
- 1.2.4.13 Configure 'Allow all trusted apps to install'