18.10.13.1 (L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'

Information

This policy setting controls whether or not a PIN is required for pairing to a wireless display device.

The recommended state for this setting is: Enabled: First Time OR Enabled: Always

If this setting is not configured or disabled then a PIN would not be required when pairing wireless display devices to the system, increasing the risk of unauthorized use.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: First Time OR Enabled: Always :

Computer Configuration\Policies\Administrative Templates\Windows Components\Connect\Require pin for pairing

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WirelessDisplay.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). The new Choose one of the following actions sub-option was later added as of the Windows 10 Release 1809 Administrative Templates. Choosing Enabled in the older templates is the equivalent of choosing Enabled: First Time in the newer templates.

Impact:

The pairing ceremony for connecting to new wireless display devices will always require a PIN.

See Also

https://workbench.cisecurity.org/benchmarks/17096

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5c.

Plugin: Windows

Control ID: 7749d89f933db01b78957583f96b846aead6c464481048d363493b22e597d510