CCE-11356-3
The "6to4 State" machine setting should be configured correctly.

CCE-12047-7
The "Directory pruning interval" machine setting should be configured correctly.

CCE-10906-6
The "Enable user control over installs" machine setting should be configured correctly.

CCE-11005-6
The "Positive Periodic DC Cache Refresh for Non-Background Callers" machine setting should be configured correctly.

CCE-11770-5
The "Teredo Server Name" machine setting should be configured correctly.

CCE-11717-6
The "Maximum Log Size (KB)" machine setting should be configured correctly for the setup log.

CCE-12822-3
The "Configure Files preference logging and tracing" machine setting should be configured correctly.

CCE-10665-8
The "Prevent backing up to local disks" machine setting should be configured correctly.

CCE-11574-1
The "Turn off Windows presentation settings" machine setting should be configured correctly.

CCE-10981-9
The "Turn off heap termination on corruption" machine setting should be configured correctly.

CCE-10798-7
The 'Windows Firewall: Domain: Apply local firewall rules' setting should be configured correctly.

CCE-11201-1
The "Allow local activation security check exemptions" machine setting should be configured correctly.

CCE-10469-5
The "Removable Disks: Deny write access" machine setting should be configured correctly.

CCE-10928-0
The "Timeout for fast user switching events" machine setting should be configured correctly.

CCE-10883-7
The 'Devices: Allow undock without having to log on' setting should be configured correctly.

CCE-11935-4
The "Configure Folders preference logging and tracing" machine setting should be configured correctly.

CCE-10994-2
The "Configure the refresh interval for Server Manager" machine setting should be configured correctly.

CCE-11125-2
The "Display a custom message title when device installation is prevented by a policy setting" machine setting should be configured correctly.

CCE-10532-0
The "Allow Enhanced Storage certificate provisioning" machine setting should be configured correctly.

CCE-11378-7
The "Prevent plaintext PINs from being returned by Credential Manager" machine setting should be configured correctly.

CCE-11080-9
The "Prevent Input Panel tab from appearing" machine setting should be configured correctly.

CCE-10229-3
The 'Network Security: Restrict NTLM: NTLM authentication in this domain' setting should be configured correctly.

CCE-11587-3
The "Turn off the "Publish to Web" task for files and folders" machine setting should be configured correctly.

CCE-10896-9
This policy setting determines which users or groups might launch or activate DCOM applications remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications. You can use this Group Policy setting to grant access to all the computers to particular ...

CCE-11900-8
The "List of applications to be excluded" machine setting should be configured correctly.

CCE-12376-0
The "Disable text prediction" machine setting should be configured correctly.

CCE-10861-3
The "Do not allow window animations" machine setting should be configured correctly.

CCE-11223-5
The "Allow Delegating Fresh Credentials" machine setting should be configured correctly.

CCE-11881-0
The "Configure Power Options preference logging and tracing" machine setting should be configured correctly.

CCE-11321-7
The "Configure Data Sources preference logging and tracing" machine setting should be configured correctly.

CCE-11410-8
The "Display information about previous logons during user logon" machine setting should be configured correctly.

CCE-11663-2
The "Best effort service type" Layer-3 Differentiated Services Code Point (DSCP) value should be configured correctly for packets that do not conform to the flow specification.

CCE-10870-4
The "Configure the list of blocked TPM commands" machine setting should be configured correctly.

CCE-11922-2
The "Disk Diagnostic: Configure execution level" machine setting should be configured correctly.

CCE-10817-5
When enabled, this policy setting causes Local System services that use Negotiate to use the computer identity when NTLM authentication is selected by the negotiation. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Countermeasure: Configure Network security: Allo ...

CCE-10109-7
The 'User Account Control: Switch to the secure desktop when prompting for elevation' setting should be configured correctly.

CCE-11445-4
The "Limit the size of the entire roaming user profile cache" machine setting should be configured correctly.

CCE-11249-0
The "Allow only Vista or later connections" machine setting should be configured correctly.

CCE-11708-5
The "Disable Windows Error Reporting" machine setting should be configured correctly.

CCE-11530-3
The "Turn off shell protocol protected mode" machine setting should be configured correctly.

CCE-10421-6
The "Log File Path" machine setting should be configured correctly for the security log.

CCE-11641-8
The "RPC Troubleshooting State Information" machine setting should be configured correctly.

CCE-11432-2
The "Restrict system locales" machine setting should be configured correctly.

CCE-11543-6
The "Global Configuration Settings" machine setting should be configured correctly.

CCE-10478-6
The "Prevent installation of devices using drivers that match these device setup classes" machine setting should be configured correctly.

CCE-11944-6
The "Select the Lid Switch Action (On Battery)" machine setting should be configured correctly.

CCE-10772-2
The 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' setting should be configured correctly.

CCE-11698-8
The "Qualitative service type" Layer-3 Differentiated Services Code Point (DSCP) value should be configured correctly for packets that conform to the flow specification.

CCE-11138-5
The "Backup log automatically when full" machine setting should be configured correctly for the setup log.

CCE-13753-9
The "Configure Scheduled Tasks preference logging and tracing" machine setting should be configured correctly.

CCE-11369-6
The "Enable Transparent Caching" machine setting should be configured correctly.

CCE-11467-8
The "Turn off Windows HotStart" machine setting should be configured correctly.

CCE-12056-8
The "Do not allow client printer redirection" machine setting should be configured correctly.

CCE-12287-9
The "ActiveX installation policy for sites in Trusted zones" machine setting should be configured correctly.

CCE-10719-3
The "Run startup scripts visible" machine setting should be configured correctly.

CCE-11450-4
The "Enumerate administrator accounts on elevation" machine setting should be configured correctly.

CCE-10669-0
The "Do not use temporary folders per session" machine setting should be configured correctly.

CCE-12043-6
The "Limit outstanding packets" machine setting should be configured correctly.

CCE-11352-2
The "Do not allow desktop composition" machine setting should be configured correctly.

CCE-11156-7
The "Turn off Touch Panning" machine setting should be configured correctly.

CCE-11387-8
The "Do not allow Sound Recorder to run" machine setting should be configured correctly.

CCE-12078-2
The "Turn off access to the solutions to performance problems section" machine setting should be configured correctly.

CCE-11992-5
The "Do not process the run once list" machine setting should be configured correctly.

CCE-11058-5
The "EFS recovery policy processing" machine setting should be configured correctly.

CCE-11517-0
The "Do not allow smart card device redirection" machine setting should be configured correctly.

CCE-11748-1
The "Turn off Real-Time Monitoring" machine setting should be configured correctly.

CCE-11570-9
The "Limit the maximum number of BITS jobs for each user" machine setting should be configured correctly.

CCE-9992-9
The 'Accounts: Limit local account use of blank passwords to console logon only' setting should be configured correctly.

CCE-10998-3
The "Turn on certificate propagation from smart card" machine setting should be configured correctly.

CCE-12274-7
The "Do not send a Windows error report when a generic driver is installed on a device" machine setting should be configured correctly.

CCE-12065-9
The "Turn off PNRP cloud creation" machine setting should be configured correctly for IPv6 Site Local.

CCE-11472-8
The "Turn off Multicast Name Resolution" machine setting should be configured correctly.

CCE-10789-6
The 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' setting should be configured correctly.

CCE-11681-4
The "Disallow run-once backups" machine setting should be configured correctly.

CCE-11824-0
The "Disable delete notifications on all volumes" machine setting should be configured correctly.

CCE-10127-9
Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Private Profile.

CCE-10963-7
The "Run logon scripts synchronously" machine setting should be configured correctly.

CCE-10358-0
The "Time (in seconds) to force reboot when required for policy changes to take effect" machine setting should be configured correctly.

CCE-10732-6
The 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.

CCE-10865-4
The 'User Account Control: Virtualize file and registry write failures to per-user locations' setting should be configured correctly.

CCE-11726-7
The "Limit the age of files in the BITS Peercache" machine setting should be configured correctly.

CCE-11178-1
The "Do not use Remote Desktop Session Host server IP address when virtual IP address is not available" machine setting should be configured correctly.

CCE-12150-9
The "Prune printers that are not automatically republished" machine setting should be configured correctly.

CCE-10972-8
The "Disable Windows Installer" machine setting should be configured correctly.

CCE-10301-0
The "Run Windows PowerShell scripts first at user logon, logoff" machine setting should be configured correctly.

CCE-11210-2
The Diagnostic Policy Service (DPS) "Configure Scenario Execution Level" machine setting should be configured correctly for Windows Boot Performance Diagnostics.

CCE-10558-5
The "Controlled load service type" Layer-3 Differentiated Services Code Point (DSCP) value should be configured correctly for packets that conform to the flow specification.

CCE-11049-4
The 'Shutdown: Clear virtual memory pagefile' setting should be configured correctly.

CCE-10621-1
The "Turn On Compatibility HTTP Listener" machine setting should be configured correctly.

CCE-11561-8
The "Weight Set in the DC Locator DNS SRV Records" machine setting should be configured correctly.

CCE-11441-3
The "Log File Path" machine setting should be configured correctly for the system log.

CCE-11245-8
The "Do not process the legacy run list" machine setting should be configured correctly.

CCE-11704-4
The "Allow pruning of published printers" machine setting should be configured correctly.

CCE-11343-1
The "TTL Set in the A and PTR records" machine setting should be configured correctly.

CCE-11112-0
The "Turn off Registration if URL connection is referring to Microsoft.com" machine setting should be configured correctly.

CCE-11837-2
The "Allow Standby States (S1-S3) When Sleeping (On Battery)" machine setting should be configured correctly.

CCE-12328-1
The "Verify old and new Folder Redirection targets point to the same share before redirecting" machine setting should be configured correctly.

CCE-11739-0
The "Turn off downloading of game information" machine setting should be configured correctly.

CCE-11890-1
The "Backup log automatically when full" machine setting should be configured correctly for the application log.

CCE-10643-5
The 'Recovery console: Allow floppy copy and access to all drives and all folders' setting should be configured correctly.

CCE-11330-8
The "Allow logon scripts when NetBIOS or WINS is disabled" machine setting should be configured correctly.

CCE-11365-4
The "Override the More Gadgets link" machine setting should be configured correctly.

CCE-10776-3
The "Prevent Back-ESC mapping" machine setting should be configured correctly.

CCE-11036-1
The 'Windows Firewall: Domain: Apply local connection security rules' setting should be configured correctly.

CCE-11463-7
The "Set PNRP cloud to resolve only" machine setting should be configured correctly for IPv6 Site Local.

CCE-10171-7
Windows Firewall should allow or block inbound connections by default as appropriate for the Public Profile.

CCE-11913-1
The "Don't set the always do this checkbox" machine setting should be configured correctly.

CCE-11596-4
The "Do Not Show First Use Dialog Boxes" machine setting should be configured correctly.

CCE-11623-6
The "Do not allow LPT port redirection" machine setting should be configured correctly.

CCE-10702-9
The "Limit the maximum number of ranges that can be added to the file in a BITS job" machine setting should be configured correctly.

CCE-11778-8
The "Hide previous versions list for local files" machine setting should be configured correctly.

CCE-10857-1
Windows Firewall should allow or block inbound connections by default as appropriate for the Private Profile.

CCE-11405-8
The "Validate smart card certificate usage rule compliance" machine setting should be configured correctly.

CCE-12204-4
The "Backup log automatically when full" machine setting should be configured correctly for the system log.

CCE-11262-3
The "Only allow local user profiles" machine setting should be configured correctly.

CCE-10920-7
The "Sites Covered by the Application Directory Partition Locator DNS SRV Records" machine setting should be configured correctly.

CCE-12074-1
Determines whether a user can install and configure the Network Bridge. Important: This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS do ...

CCE-11307-6
The "Restrict potentially unsafe HTML Help functions to specified folders" machine setting should be configured correctly.

CCE-11360-5
The "Turn off printing over HTTP" machine setting should be configured correctly.

CCE-10639-3
The "Log File Debug Output Level" machine setting should be configured correctly.

CCE-10724-3
The "CD and DVD: Deny write access" machine setting should be configured correctly.

CCE-10158-4
The 'Interactive logon: Display user information when the session is locked.' setting should be configured correctly.

CCE-11601-2
The "Default quota limit and warning level" machine setting should be configured correctly.

CCE-10626-0
The Diagnostic Policy Service (DPS) "Configure Scenario Execution Level" machine setting should be configured correctly for Windows Shutdown Performance Diagnostics.

CCE-11186-4
The "Turn off Multicast Bootstrap" machine setting should be configured correctly for IPv6 Site Local.

CCE-11908-1
The "Disallow network as backup target" machine setting should be configured correctly.

CCE-11756-4
The "Disallow Negotiate authentication" machine setting should be configured correctly for the WinRM client.

CCE-10123-8
Windows Firewall should allow or block outbound connections by default as appropriate for the Private Profile.

CCE-11053-6
The "Refresh Interval of the DC Locator DNS Records" machine setting should be configured correctly.

CCE-11427-2
The "Allow time zone redirection" machine setting should be configured correctly.

CCE-11658-2
The "Specify the Unattended Sleep Timeout (On Battery)" machine setting should be configured correctly.

CCE-11889-3
The "Enable/Disable PerfTrack" machine setting should be configured correctly.

CCE-11284-7
The "Do not allow encryption on all NTFS volumes" machine setting should be configured correctly.

CCE-10483-6
The "Configure Corporate Windows Error Reporting" machine setting should be configured correctly.

CCE-11832-3
The "Select the Sleep Button Action (On Battery)" machine setting should be configured correctly.

CCE-11418-1
The "Configure list of Enhanced Storage devices usable on your computer" machine setting should be configured correctly.

CCE-11275-5
The "Configure BranchCache for network files" machine setting should be configured correctly.

CCE-11983-4
The "Prevent press and hold" machine setting should be configured correctly.

CCE-12083-2
The "Reduce Display Brightness (On Battery)" machine setting should be configured correctly.

CCE-11120-3
Display of a notification to the user when Windows Firewall blocks network activity should be enabled or disabled as appropriate for the public profile.

CCE-10648-4
The "Allow Delegating Default Credentials with NTLM-only Server Authentication" machine setting should be configured correctly.

CCE-11591-5
The "Prevent installation of devices not described by other policy settings" machine setting should be configured correctly.

CCE-12248-1
The "Network control service type" Layer-3 Differentiated Services Code Point (DSCP) value should be configured correctly for packets that do not conform to the flow specification.

CCE-10964-5
The "Specify maximum number of remote shells per user" machine setting should be configured correctly.

CCE-11867-9
The "Allow users to connect remotely using Remote Desktop Services" machine setting should be configured correctly.

CCE-10866-2
The "Enable user to browse for source while elevated" machine setting should be configured correctly.

CCE-11769-7
The "Limit maximum display resolution" machine setting should be configured correctly.

CCE-11177-3
The "Computer location" machine setting should be configured correctly.

CCE-10768-0
The 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' setting should be configured correctly.

CCE-10977-7
The "Redirect only the default client printer" machine setting should be configured correctly.

CCE-11297-9
The "Force the reading of all certificates from the smart card" machine setting should be configured correctly.

CCE-11712-7
The "Log Access" machine setting should be configured correctly for the system log.

CCE-11614-5
The "Specify maximum number of processes per Shell" machine setting should be configured correctly.

CCE-12226-7
The "Configure Start Menu preference logging and tracing" machine setting should be configured correctly.

CCE-11199-7
The "Reduce Display Brightness (Plugged In)" machine setting should be configured correctly.

CCE-10613-8
The "Delete data from devices running Microsoft firmware when a user logs off from the computer." machine setting should be configured correctly.

CCE-10942-1
The "Tape Drives: Deny read access" machine setting should be configured correctly.

CCE-11917-2
The "Enable client-side targeting" machine setting should be configured correctly.

CCE-11872-9
The "Do not display Manage Your Server page at logon" machine setting should be configured correctly.

CCE-10804-3
The 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly.

CCE-11458-7
The "Turn off legacy remote shutdown interface" machine setting should be configured correctly.

CCE-11009-8
The "MaxConcurrentUsers" machine setting should be configured correctly.

CCE-10794-6
This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name ...

CCE-10563-5
The "Configure RD Connection Broker farm name" machine setting should be configured correctly.

CCE-11401-7
The "Hide notifications about RD Licensing problems that affect the RD Session Host server" machine setting should be configured correctly.

CCE-11205-2
The "Turn on Remote Desktop IP Virtualization" machine setting should be configured correctly.

CCE-12070-9
The "Require trusted path for credential entry." machine setting should be configured correctly.

CCE-10372-1
The 'Minimum password length' setting should be configured correctly.

CCE-11303-5
The "Do not allow clipboard redirection" machine setting should be configured correctly.

CCE-12200-2
The "Remove 'Make Available Offline'" machine setting should be configured correctly.

CCE-11578-2
The "Turn on the Ability for Applications to Prevent Sleep Transitions (Plugged In)" machine setting should be configured correctly.

CCE-11129-4
The "Directory pruning priority" machine setting should be configured correctly.

CCE-11689-7
The "Set roaming profile path for all users logging onto this computer" machine setting should be configured correctly.

CCE-10683-1
The "Domain Controller: Allow server operators to schedule tasks" setting should be configured correctly.

CCE-12004-8
The "Allow non-administrators to install drivers for these device setup classes" machine setting should be configured correctly.

CCE-12115-2
The "Folder Redirection policy processing" machine setting should be configured correctly.

CCE-11752-3
The "Limit the maximum network bandwidth used for Peercaching" machine setting should be configured correctly.

CCE-10781-3
The 'MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)' setting should be configured correctly.

CCE-11182-3
The "Remove Program Compatibility Property Page" machine setting should be configured correctly.

CCE-10839-9
The 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' setting should be configured correctly.

CCE-11885-1
The "Detect applications unable to launch installers under UAC" machine setting should be configured correctly.

CCE-11423-1
'Choose default folder for recovery password (DefaultRecoveryFolderPath)' This policy setting allows you to specify the default path that is displayed when the BitLocker Drive Encryption setup wizard prompts the user to enter the location of a folder in which to save the recovery password. This pol ...

CCE-10585-8
The "Set the Seed Server" machine setting should be configured correctly for IPv6 Link Local.

CCE-11787-9
The "Specify search order for device driver source locations" machine setting should be configured correctly.

CCE-11930-5
The "Low Battery Notification Level" machine setting should be configured correctly.

CCE-11556-8
The "Set maximum wait time for the network if a user has a roaming user profile or remote home directory" machine setting should be configured correctly.

CCE-11325-8
The "Add Printer wizard - Network scan page (Unmanaged network)" machine setting should be configured correctly.

CCE-12092-3
The "CD and DVD: Deny execute access" machine setting should be configured correctly.

CCE-10487-7
The 'Audit: Audit the access of global system objects' setting should be configured correctly.

CCE-11271-4
The "Specify the Display Dim Brightness (Plugged In)" machine setting should be configured correctly.

CCE-11316-7
The "Do not allow non-Enhanced Storage removable devices" machine setting should be configured correctly.

CCE-10911-6
The 'Create symbolic links' user right should be assigned to the appropriate accounts.

CCE-10813-4
The "Turn off restore functionality" machine setting should be configured correctly.

CCE-11987-5
The "Turn off Windows Installer RDS Compatibility" machine setting should be configured correctly.

CCE-10968-6
The "Allow Delegating Fresh Credentials with NTLM-only Server Authentication" machine setting should be configured correctly.

CCE-11863-8
The "Package Point and print - Approved servers" machine setting should be configured correctly.

CCE-11075-9
The "Filter duplicate logon certificates" machine setting should be configured correctly.

CCE-11765-5
The "Prevent Video Smoothing" machine setting should be configured correctly.

CCE-10617-9
The 'Microsoft network server: Server SPN target name validation level' setting should be configured correctly.

CCE-12159-0
The "Do not allow local administrators to customize permissions" machine setting should be configured correctly.

CCE-11436-3
The "Set BranchCache Hosted Cache mode" machine setting should be configured correctly.

CCE-11293-8
The "Turn on economical application of administratively assigned Offline Files" machine setting should be configured correctly.

CCE-11898-4
The "Do not detect slow network connections" machine setting should be configured correctly.

CCE-11040-3
The "Turn off location scripting" machine setting should be configured correctly.

CCE-11547-7
The "Disable password strength validation for Peer Grouping" machine setting should be configured correctly.

CCE-10474-5
The "Negative DC Discovery Cache Setting" machine setting should be configured correctly.

CCE-11338-1
The "Propagation of extended error information" machine setting should be configured correctly.

CCE-10715-1
The "RPC Endpoint Mapper Client Authentication" machine setting should be configured correctly.

CCE-11610-3
The "Require domain users to elevate when setting a network's location" machine setting should be configured correctly.

CCE-11974-3
The "WPD Devices: Deny read access" machine setting should be configured correctly.

CCE-10670-8
The "Prohibit rollback" machine setting should be configured correctly.

CCE-10946-2
The "Allow only system backup" machine setting should be configured correctly.

CCE-10579-1
The "Register DNS records with connection-specific DNS suffix" machine setting should be configured correctly.

CCE-11431-4
The "Default behavior for AutoRun" machine setting should be configured correctly.

CCE-11488-4
The "Prevent Flicks Learning Mode" machine setting should be configured correctly.

CCE-10895-1
The "Turn off creation of System Restore Checkpoints" machine setting should be configured correctly.

CCE-11092-4
The "Cache transforms in secure location on workstation" machine setting should be configured correctly.

CCE-10775-5
This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its computer account password. If you disable this policy setting, the domain member can change its compu ...

CCE-11947-9
The "Network control service type" link layer (Layer-2) priority value should be configured correctly.

CCE-11137-7
The "Exclude files from being cached" machine setting should be configured correctly.

CCE-13295-1
The "User Group Policy loopback processing mode" machine setting should be configured correctly.

CCE-11039-5
The "Automatic reconnection" machine setting should be configured correctly.

CCE-11912-3
The "Allow Print Spooler to accept client connections" machine setting should be configured correctly.

CCE-10446-3
The "Allow administrators to override Device Installation Restriction policies" machine setting should be configured correctly.

CCE-11190-6
The "Specify Windows installation file location" machine setting should be configured correctly.

CCE-11707-7
The "Limit the maximum number of files allowed in a BITS job" machine setting should be configured correctly.

CCE-11609-5
The "Turn off Active Help" machine setting should be configured correctly.

CCE-11662-4
The "Prevent installation of removable devices" machine setting should be configured correctly.

CCE-10918-1
The "Retain old events" machine setting should be configured correctly for the application log.

CCE-10873-8
Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Public Profile.

CCE-11564-2
The "Provide information about previous logons to client computers" machine setting should be configured correctly.

CCE-12168-1
The "Disallow Interactive Users from generating Resultant Set of Policy data" machine setting should be configured correctly.

CCE-12399-2
The "Deny Delegating Default Credentials" machine setting should be configured correctly.

CCE-10797-9
The "Configure list of IEEE 1667 silos usable on your computer" machine setting should be configured correctly.

CCE-11200-3
The "Turn On Desktop Background Slideshow (On Battery)" machine setting should be configured correctly.

CCE-10468-7
The "Timeout for hung logon sessions during shutdown" machine setting should be configured correctly.

CCE-12266-3
The "Disallow Digest authentication" machine setting should be configured correctly.

CCE-10784-7
The "Detect application install failures" machine setting should be configured correctly.

CCE-11479-3
The "Qualitative service type" link layer (Layer-2) priority value should be configured correctly.

CCE-11128-6
The "Do not allow supported Plug and Play device redirection" machine setting should be configured correctly.

CCE-11083-3
The "DC Locator DNS records not registered by the DCs" machine setting should be configured correctly.

CCE-11795-2
The "Turn off access to the performance center core section" machine setting should be configured correctly.

CCE-11542-8
The "Try Next Closest Site" machine setting should be configured correctly.

CCE-11181-5
The "Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers" machine setting should be configured correctly.

CCE-12142-6
The "Floppy Drives: Deny write access" machine setting should be configured correctly.

CCE-12057-6
The "Configure device installation time-out" machine setting should be configured correctly.

CCE-10370-5
The 'Recovery console: Allow automatic administrative logon' setting should be configured correctly.

CCE-11599-8
The "Prohibit Flyweight Patching" machine setting should be configured correctly.

CCE-11324-1
The "Specify a default color" machine setting should be configured correctly.

CCE-12044-4
The "Specify the Display Dim Brightness (On Battery)" machine setting should be configured correctly.

CCE-11921-4
The "Turn Off the Hard Disk (Plugged In)" machine setting should be configured correctly.

CCE-11213-6
The "Allow time invalid certificates" machine setting should be configured correctly.

CCE-11520-4
The "Group Policy refresh interval for domain controllers" machine setting should be configured correctly.

CCE-10455-4
The "Allow users to log on using biometrics" machine setting should be configured correctly.

CCE-11773-9
The "Removable Disks: Deny execute access" machine setting should be configured correctly.

CCE-11115-3
The "Maximum Log File Size" machine setting should be configured correctly.

CCE-11070-0
The "WPD Devices: Deny write access" machine setting should be configured correctly.

CCE-11444-7
The "Display Shutdown Event Tracker" machine setting should be configured correctly.

CCE-12120-2
The "Ignore custom consent settings" machine setting should be configured correctly.

CCE-11248-2
The "Allow remote access to the Plug and Play interface" machine setting should be configured correctly.

CCE-11017-1
The "Disable remote Desktop Sharing" machine setting should be configured correctly.

CCE-11168-2
The "Turn off Configuration" machine setting should be configured correctly.

CCE-11627-7
The "Set the Seed Server" machine setting should be configured correctly for IPv6 Global.

CCE-12066-7
The "Allow remote start of unlisted programs" machine setting should be configured correctly.

CCE-10997-5
Windows Firewall should allow or block inbound connections by default as appropriate for the Domain Profile.

CCE-11484-3
The Diagnostic Policy Service (DPS) "Configure Scenario Execution Level" machine setting should be configured correctly for Windows Memory Leak Diagnosis.

CCE-11231-8
The "Deny Delegating Saved Credentials" machine setting should be configured correctly.

CCE-10899-3
The "Disallow changing of geographic location" machine setting should be configured correctly.

CCE-11529-5
The "Select an Active Power Plan" machine setting should be configured correctly.

CCE-11133-6
The "Assign a default domain for logon" machine setting should be configured correctly.

CCE-11823-2
The "Turn Off Non Volatile Cache Feature" machine setting should be configured correctly.

CCE-11409-0
The "Turn off sensors" machine setting should be configured correctly.

CCE-12974-2
The "Configure Folder Options preference logging and tracing" machine setting should be configured correctly.

CCE-10357-2
The "Turn off Windows Update device driver searching" machine setting should be configured correctly.

CCE-10962-9
The "Turn off Multicast Bootstrap" machine setting should be configured correctly for IPv6 Link Local.

CCE-11266-4
The "Limit disk space used by offline files" machine setting should be configured correctly.

CCE-11035-3
The 'System cryptography: Force strong key protection for user keys stored on the computer' setting should be configured correctly.

CCE-11725-9
The "Turn off System Restore" machine setting should be configured correctly.

CCE-10864-7
The "Execute print drivers in isolated processes" machine setting should be configured correctly.

CCE-11605-3
The "Specify the System Sleep Timeout (On Battery)" machine setting should be configured correctly.

CCE-10766-4
The "Set a support web page link" machine setting should be configured correctly.

CCE-10975-1
The "Best effort service type" link layer (Layer-2) priority value should be configured correctly.

CCE-11560-0
The "Set the Seed Server" machine setting should be configured correctly for IPv6 Site Local.

CCE-10139-4
Rights to access DCOM applications should be assigned as appropriate.

CCE-11253-2
The "Troubleshooting: Allow users to access and run Troubleshooting Wizards" machine setting should be configured correctly.

CCE-11000-7
The "Network Projector Port Setting" machine setting should be configured correctly.

CCE-12088-1
The "Require a Password When a Computer Wakes (On Battery)" machine setting should be configured correctly.

CCE-12164-0
The "Always wait for the network at computer startup and logon" machine setting should be configured correctly.

CCE-11155-9
The "Prohibit Access of the Windows Connect Now wizards" machine setting should be configured correctly.

CCE-10335-8
The "Turn on Smart Card Plug and Play service" machine setting should be configured correctly.

CCE-11057-7
The "Enable Windows NTP Client" machine setting should be configured correctly.

CCE-10842-3
The "Domain Location Determination URL" machine setting should be configured correctly.

CCE-11991-7
The "Do not allow the BITS client to use Windows Branch Cache" machine setting should be configured correctly.

CCE-10940-5
The 'Network access: Restrict anonymous access to Named Pipes and Shares' setting should be configured correctly.

CCE-11703-6
The "Customize consent settings" machine setting should be configured correctly.

CCE-11938-8
The "Turn Off Solid State Mode" machine setting should be configured correctly.

CCE-11475-1
The "Primary DNS Suffix" machine setting should be configured correctly.

CCE-11026-2
The "Prevent restoring local previous versions" machine setting should be configured correctly.

CCE-11279-7
The "Critical Battery Notification Action" machine setting should be configured correctly.

CCE-11497-5
The "Disallow locally attached storage as backup target" machine setting should be configured correctly.

CCE-11222-7
The "Turn on BranchCache" machine setting should be configured correctly.

CCE-11399-3
The "Corporate DNS Probe Host Address" machine setting should be configured correctly.

CCE-12040-2
The "Do not allow password authentication of Enhanced Storage devices" machine setting should be configured correctly.

CCE-11716-8
The "Set the number of synchronization retries for servers running Password Synchronization" machine setting should be configured correctly.

CCE-11925-5
The "Point and Print Restrictions" machine setting should be configured correctly.

CCE-11573-3
The "Network control service type" Layer-3 Differentiated Services Code Point (DSCP) value should be configured correctly for packets that conform to the flow specification.

CCE-10984-3
LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, th ...

CCE-11849-7
The "Domain Controller Address Type Returned" machine setting should be configured correctly.

CCE-11013-0
The "Trusted Hosts" machine setting should be configured correctly.

CCE-11244-1
The "Update Top Level Domain Zones" machine setting should be configured correctly.

CCE-11440-5
The "Hash Publication for BranchCache" machine setting should be configured correctly.

CCE-11342-3
The "Do not allow Windows Journal to be run" machine setting should be configured correctly.

CCE-11439-7
The "Restrict Internet communication" machine setting should be configured correctly.

CCE-11141-9
The "ISATAP State" machine setting should be configured correctly.

CCE-12009-7
The "6to4 Relay Name Resolution Interval" machine setting should be configured correctly.

CCE-11600-4
The "Corporate Site Prefix List" machine setting should be configured correctly.

CCE-11296-1
The "Set path for Remote Desktop Services Roaming User Profile" machine setting should be configured correctly.

CCE-11043-7
The "Turn off Program Inventory" machine setting should be configured correctly.

CCE-11394-4
The "Log event when quota warning level exceeded" machine setting should be configured correctly.

CCE-11198-9
The "Enable disk quotas" machine setting should be configured correctly.

CCE-10353-1
The "Do not allow Flip3D invocation" machine setting should be configured correctly.

CCE-10518-9
The 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' setting should be configured correctly.

CCE-10616-1
The Diagnostic Policy Service (DPS) "Configure Scenario Execution Level" machine setting should be configured correctly for Windows Resource Exhaustion Detection and Resolution.

CCE-10910-8
The "Only use Package Point and print" machine setting should be configured correctly.

CCE-12806-6
The "Configure Printers preference logging and tracing" machine setting should be configured correctly.

CCE-11163-3
The "Administratively assigned offline files" machine setting should be configured correctly.

CCE-10812-6
Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7. Countermeasure: Configure Network security: Allow LocalSystem NULL session fallback to Disabled. Potential Impact: Any applications that require NULL ses ...

CCE-11404-1
The "Turn off Windows SideShow" machine setting should be configured correctly.

CCE-10691-4
The "Prevent the computer from joining a homegroup" machine setting should be configured correctly.

CCE-10505-6
The "Specify a Custom Active Power Plan" machine setting should be configured correctly.

CCE-11030-4
The "Turn off handwriting recognition error reporting" machine setting should be configured correctly.

CCE-11261-5
The "Enable Persistent Time Stamp" machine setting should be configured correctly.

CCE-11306-8
The "Allow CredSSP authentication" machine setting should be configured correctly for the WinRM service.

CCE-11768-9
The "Windows Scaling Heuristics State" machine setting should be configured correctly.

CCE-11208-6
The "Sites Covered by the GC Locator DNS SRV Records" machine setting should be configured correctly.

CCE-11995-8
The "Group Policy refresh interval for computers" machine setting should be configured correctly.

CCE-12885-0
The "Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services" machine setting should be configured correctly.

CCE-10113-9
Windows Firewall should allow or block outbound connections by default as appropriate for the Domain Profile.

CCE-10366-3
The "Turn off the communities features" machine setting should be configured correctly.

CCE-12116-0
The "Configure Services preference logging and tracing" machine setting should be configured correctly.

CCE-11907-3
The "Turn on root certificate propagation from smart card" machine setting should be configured correctly.

CCE-11711-9
The "Prompt for credentials on the client computer" machine setting should be configured correctly.

CCE-11350-6
The "Allow .rdp files from valid publishers and user's default .rdp settings" machine setting should be configured correctly.

CCE-10878-7
The 'Deny log on through Remote Desktop Services' user right should be assigned to the appropriate accounts.

CCE-11844-8
The "Enable user to use media source while elevated" machine setting should be configured correctly.

CCE-11287-0
The "Configure Applications preference logging and tracing" machine setting should be configured correctly.

CCE-11746-5
The "Events.asp program" machine setting should be configured correctly.

CCE-10843-1
The 'Network Security: Configure encryption types allowed for Kerberos' setting should be configured correctly.

CCE-10941-3
The 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly.

CCE-11385-2
The "Verbose vs normal status messages" machine setting should be configured correctly.

CCE-18944-9
The 'Require 128-bit encryption' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' setting should be enabled or disabled as appropriate.

CCE-11581-6
The "Log event when quota limit exceeded" machine setting should be configured correctly.

CCE-11417-3
The "Set percentage of disk space used for client computer cache" machine setting should be configured correctly.

CCE-10745-8
The 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' setting should be configured correctly.

CCE-11274-8
The "Prevent access to 16-bit applications" machine setting should be configured correctly.

CCE-11470-2
The "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers" machine setting should be configured correctly.

CCE-11372-0
The "Turn off Connect to a Network Projector" machine setting should be configured correctly.

CCE-10647-6
The "Turn Off the Display (On Battery)" machine setting should be configured correctly.

CCE-12018-8
The "Logging" machine setting should be configured correctly.

CCE-11822-4
The "Allow installation of devices using drivers that match these device setup classes" machine setting should be configured correctly.

CCE-11176-5
The "Turn on Accounting for WSRM" machine setting should be configured correctly.

CCE-11724-2
The "Set the Email IDs to which notifications are to be sent" machine setting should be configured correctly.

CCE-11292-0
The "Turn off Federation Service" machine setting should be configured correctly.

CCE-11688-9
The "Detect application failures caused by deprecated Windows DLLs" machine setting should be configured correctly.

CCE-12005-5
The "Corporate Website Probe URL" machine setting should be configured correctly.

CCE-10891-0
The "Corporate DNS Probe Host Name" machine setting should be configured correctly.

CCE-10477-8
The "Directory pruning retry" machine setting should be configured correctly.

CCE-11390-2
The "Do not allow Snipping Tool to run" machine setting should be configured correctly.

CCE-11337-3
The "Turn off Application Compatibility Engine" machine setting should be configured correctly.

CCE-10771-4
The "Check for New Signatures Before Scheduled Scans" machine setting should be configured correctly.

CCE-10718-5
The "Custom Classes: Deny write access" machine setting should be configured correctly.

CCE-10901-7
The 'Password must meet complexity requirements' policy should be set correctly.

CCE-10442-2
The "Turn on extensive logging for Password Synchronization" machine setting should be configured correctly.

CCE-11194-8
The "Configure keep-alive connection interval" machine setting should be configured correctly.

CCE-11977-6
The "Set BranchCache Distributed Cache mode" machine setting should be configured correctly.

CCE-11106-2
The "Configure Security Policy for Scripted Diagnostics" machine setting should be configured correctly.

CCE-11359-7
The "Allow audio and video playback redirection" machine setting should be configured correctly.

CCE-10705-2
Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting determines whether it is necessary to contact a domain controller to unlock a computer. If you enable this setting, a domain c ...

CCE-10384-6
The "Prevent Roaming Profile changes from propagating to the server" machine setting should be configured correctly.

CCE-10188-1
The 'Windows Firewall: Public: Apply local firewall rules' setting should be configured correctly.

CCE-10131-1
The 'Windows Firewall: Private: Apply local firewall rules' setting should be configured correctly.

CCE-10660-9
The "Ignore Delegation Failure" machine setting should be configured correctly.

CCE-14026-9
The "Configure Devices preference logging and tracing" machine setting should be configured correctly.

CCE-10914-0
The "Sysvol share compatibility" machine setting should be configured correctly.

CCE-11942-0
The "Slow network connection timeout for user profiles" machine setting should be configured correctly.

CCE-11008-0
The "Include rarely used Chinese, Kanji, or Hanja characters" machine setting should be configured correctly.

CCE-11400-9
The "Backup log automatically when full" machine setting should be configured correctly for the security log.

CCE-10562-7
The 'Maximum password age' setting should be configured correctly.

CCE-13691-1
The "Configure Registry preference logging and tracing" machine setting should be configured correctly.

CCE-12103-8
The "Turn off the ability to create a system image" machine setting should be configured correctly.

CCE-11764-8
The "Prevent installation of devices that match any of these device IDs" machine setting should be configured correctly.

CCE-11204-5
The "Turn Off Hybrid Sleep (On Battery)" machine setting should be configured correctly.

CCE-10309-3
The "Retain old events" machine setting should be configured correctly for the setup log.

CCE-10780-5
The 'Devices: Restrict CD-ROM access to locally logged-on user only' setting should be configured correctly.

CCE-10682-3
The "Selectively allow the evaluation of a symbolic link" machine setting should be configured correctly.

CCE-12049-3
The "Turn off Windows Network Connectivity Status Indicator active tests" machine setting should be configured correctly.

CCE-11964-4
The "Events.asp URL" machine setting should be configured correctly.

CCE-11185-6
The "Check published state" machine setting should be configured correctly.

CCE-11799-4
The "Positive Periodic DC Cache Refresh for Background Callers" machine setting should be configured correctly.

CCE-11840-6
The "Maximum wait time for Group Policy scripts" machine setting should be configured correctly.

CCE-10397-8
The "Allow Delegating Default Credentials" machine setting should be configured correctly.

CCE-10945-4
The "Permitted Managers" machine setting should be configured correctly.

CCE-11052-8
The "Prevent Windows Media DRM Internet Access" machine setting should be configured correctly.

CCE-10584-1
The "Allow Automatic Sleep with Open Network Files (On Battery)" machine setting should be configured correctly.

CCE-11511-3
The "Automated Site Coverage by the DC Locator DNS SRV Records" machine setting should be configured correctly.

CCE-11381-1
The "Allow automatic configuration of listeners" machine setting should be configured correctly.

CCE-11328-2
The "Contact PDC on logon failure" machine setting should be configured correctly.

CCE-13580-6
The "Software Installation policy processing" machine setting should be configured correctly.

CCE-10299-6
The "Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box" machine setting should be configured correctly.

CCE-11742-4
The "Set PNRP cloud to resolve only" machine setting should be configured correctly for IPv6 Global.

CCE-13723-2
The "Allow Cross-Forest User Policy and Roaming User Profiles" machine setting should be configured correctly.

CCE-12948-6
The "Configure Ini Files preference logging and tracing" machine setting should be configured correctly.

CCE-11875-2
The "Specify channel binding token hardening level" machine setting should be configured correctly.

CCE-10958-7
The "Turn on logging" machine setting should be configured correctly.

CCE-11413-2
The "Netlogon share compatibility" machine setting should be configured correctly.

CCE-11270-6
The "Turn off Multicast Bootstrap" machine setting should be configured correctly for IPv6 Global.

CCE-11524-6
The "Set PNRP cloud to resolve only" machine setting should be configured correctly for IPv6 Link Local.

CCE-11217-7
The "Download missing COM components" machine setting should be configured correctly.

CCE-11448-8
The "Do not allow color changes" machine setting should be configured correctly.

CCE-12147-5
The "Configure Regional Options preference logging and tracing" machine setting should be configured correctly.

CCE-11172-4
The "Do not check for user ownership of Roaming Profile Folders" machine setting should be configured correctly.

CCE-10825-8
The 'Network access: Sharing and security model for local accounts' setting should be configured correctly.

CCE-10872-0
The "Do not allow Windows Messenger to be run" machine setting should be configured correctly.

CCE-12001-4
The "Reverse the subject name stored in a certificate when displaying" machine setting should be configured correctly.

CCE-11563-4
The "Turn off downloading of print drivers over HTTP" machine setting should be configured correctly.

CCE-10819-1
The "Do not display Initial Configuration Tasks window automatically at logon" machine setting should be configured correctly.

CCE-11345-6
The "Baseline file cache maximum size" machine setting should be configured correctly.

CCE-11114-6
The "Run these programs at user logon" machine setting should be configured correctly.

CCE-14699-3
The "Configure Shortcuts preference logging and tracing" machine setting should be configured correctly.

CCE-12121-0
The "Group Policy slow link detection" machine setting should be configured correctly.

CCE-11804-2
The "Use mandatory profiles on the RD Session Host server" machine setting should be configured correctly.

CCE-12036-0
The "Best effort service type" Layer-3 Differentiated Services Code Point (DSCP) value should be configured correctly for packets that conform to the flow specification.

CCE-11608-7
The "Specify the System Sleep Timeout (Plugged In)" machine setting should be configured correctly.

CCE-10423-2
The "Domain Controller: LDAP server signing requirements" setting should be configured correctly.

CCE-12232-5
The "Select the Lid Switch Action (Plugged In)" machine setting should be configured correctly.

CCE-11234-2
The "Detect application failures caused by deprecated COM objects" machine setting should be configured correctly.

CCE-11794-5
The "Do not automatically encrypt files moved to encrypted folders" machine setting should be configured correctly.

CCE-11598-0
The "Prevent Desktop Shortcut Creation" machine setting should be configured correctly.

CCE-12058-4
The "Enforce Removal of Remote Desktop Wallpaper" machine setting should be configured correctly.

CCE-11136-9
The "Turn off Internet download for Web publishing and online ordering wizards" machine setting should be configured correctly.

CCE-11911-5
The "Remove browse dialog box for new source" machine setting should be configured correctly.

CCE-11269-8
The "Guaranteed service type" link layer (Layer-2) priority value should be configured correctly.

CCE-11367-0
The "Turn off location" machine setting should be configured correctly.

CCE-10053-7
The 'Network Security: Restrict NTLM: Audit Incoming NTLM Traffic' setting should be configured correctly.

CCE-11105-4
The "Maximum DC Discovery Retry Interval Setting for Background Callers" machine setting should be configured correctly.

CCE-11358-9
The "Turn off Windows Mobility Center" machine setting should be configured correctly.

CCE-11456-1
The "Add the Administrators security group to roaming user profiles" machine setting should be configured correctly.

CCE-10663-3
The "Retain old events" machine setting should be configured correctly for the security log.

CCE-12045-1
The "Do not allow manual configuration of target portals" machine setting should be configured correctly.

CCE-11870-3
The "Do not allow the computer to act as a BITS Peercaching server" machine setting should be configured correctly.

CCE-10565-0
The "Turn off "Found New Hardware" balloons during device installation" machine setting should be configured correctly.

CCE-11674-9
The "Allow Applications to Prevent Automatic Sleep (On Battery)" machine setting should be configured correctly.

CCE-10881-1
The "Restrictions for Unauthenticated RPC clients" machine setting should be configured correctly.

CCE-10926-4
The 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' setting should be configured correctly.

CCE-11301-9
The "Run shutdown scripts visible" machine setting should be configured correctly.

CCE-11203-7
The "Turn off Fair Share CPU Scheduling" machine setting should be configured correctly.

CCE-10698-9
The "Turn on Script Execution" machine setting should be configured correctly.

CCE-14437-8
The "Turn off background refresh of Group Policy" machine setting should be configured correctly.

CCE-10992-6
The 'Microsoft network server: Digitally sign communications (always)' setting should be configured correctly.

CCE-11478-5
The "Always render print jobs on the server" machine setting should be configured correctly.

CCE-11127-8
The "Do not allow changes to initiator CHAP secret" machine setting should be configured correctly.

CCE-12067-5
The "Hide previous versions of files on backup location" machine setting should be configured correctly.

CCE-11082-5
The "Turn off Windows Startup Sound" machine setting should be configured correctly.

CCE-10894-4
The "Encrypt the Offline Files cache" machine setting should be configured correctly.

CCE-11589-9
The "Prevent device metadata retrieval from the Internet" machine setting should be configured correctly.

CCE-11750-7
The "Turn off Windows Error Reporting" machine setting should be configured correctly.

CCE-11180-7
The "Force selected system UI language to overwrite the user UI language" machine setting should be configured correctly.

CCE-11883-6
The "Log File Path" machine setting should be configured correctly for the application log.

CCE-11421-5
The "Remove Windows Security item from Start menu" machine setting should be configured correctly.

CCE-11955-2
The "Delete cached copies of roaming profiles" machine setting should be configured correctly.

CCE-12010-5
The "Floppy Drives: Deny execute access" machine setting should be configured correctly.

CCE-11785-3
The "Do not allow adding new targets via manual configuration" machine setting should be configured correctly.

CCE-10806-8
The "Do not turn off system power after a Windows system shutdown has occurred." machine setting should be configured correctly.

CCE-11323-3
The "Prevent restoring previous versions from backups" machine setting should be configured correctly.

CCE-11554-3
The "Customize Warning Messages" machine setting should be configured correctly.

CCE-11398-5
The "Allow signature keys valid for Logon" machine setting should be configured correctly.

CCE-11857-0
The "Non-conforming packets" machine setting should be configured correctly.

CCE-11604-6
The "Turn off Microsoft Peer-to-Peer Networking Services" machine setting should be configured correctly.

CCE-11047-8
The "Limit number of connections" machine setting should be configured correctly.

CCE-11759-8
The "Teredo Refresh Rate" machine setting should be configured correctly.

CCE-10876-1
The "Set the Time interval in minutes for logging accounting data" machine setting should be configured correctly.

CCE-11145-0
The "Turn Off Adaptive Display Timeout (Plugged In)" machine setting should be configured correctly.

CCE-11800-0
The "Minimum Idle Connection Timeout for RPC/HTTP connections" machine setting should be configured correctly.

CCE-12032-9
The "Allow CredSSP authentication" machine setting should be configured correctly for the WinRM client.

CCE-11012-2
The "Set timer resolution" machine setting should be configured correctly.

CCE-11243-3
The "Turn off the "Order Prints" picture task" machine setting should be configured correctly.

CCE-11110-4
The "IP Security policy processing" machine setting should be configured correctly.

CCE-11167-4
The "Microsoft Support Diagnostic Tool: Restrict tool download" machine setting should be configured correctly.

CCE-11230-0
The "Use Remote Desktop Easy Print printer driver first" machine setting should be configured correctly.

CCE-11835-6
The "Allow Applications to Prevent Automatic Sleep (Plugged In)" machine setting should be configured correctly.

CCE-11737-4
The "Teredo Default Qualified" machine setting should be configured correctly.

CCE-10854-8
The "Allow the Network Access Protection client to support the 802.1x Enforcement Client component" machine setting should be configured correctly.

CCE-10018-0
The 'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.' setting should be configured correctly.

CCE-11639-2
The "Turn off access to the OEM and Microsoft branding section" machine setting should be configured correctly.

CCE-11132-8
The "Configure RD Connection Broker server name" machine setting should be configured correctly.

CCE-11408-2
The "Notify user of successful smart card driver installation" machine setting should be configured correctly.

CCE-11594-9
The "Apply the default user logon picture to all users" machine setting should be configured correctly.

CCE-11354-8
The "Turn off Windows Customer Experience Improvement Program" machine setting should be configured correctly.

CCE-11256-5
The "Always use classic logon" machine setting should be configured correctly.

CCE-11848-9
The "Hide entry points for Fast User Switching" machine setting should be configured correctly.

CCE-11389-4
The "Scavenge Interval" machine setting should be configured correctly.

CCE-12161-6
The "Turn off Data Execution Prevention for Explorer" machine setting should be configured correctly.

CCE-11158-3
The "Turn Off Low Battery User Notification" machine setting should be configured correctly.

CCE-14285-1
The "Turn off Resultant Set of Policy logging" machine setting should be configured correctly.

CCE-10569-2
The "Detect application installers that need to be run as administrator" machine setting should be configured correctly.

CCE-10885-2
The "Turn On Desktop Background Slideshow (Plugged In)" machine setting should be configured correctly.

CCE-10610-4
The "Restrict unpacking and installation of gadgets that are not digitally signed." machine setting should be configured correctly.

CCE-11990-9
The "Turn Off Cache Power Mode" machine setting should be configured correctly.

CCE-12108-7
The "Prevent Quick Launch Toolbar Shortcut Creation" machine setting should be configured correctly.

CCE-11123-7
The "Turn off Windows Mail application" machine setting should be configured correctly.

CCE-10534-6
This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevati ...

CCE-11487-6
The "Pre-populate printer search location text" machine setting should be configured correctly.

CCE-11585-7
The "All Removable Storage: Allow direct access in remote sessions" machine setting should be configured correctly.

CCE-10908-2
The "Prevent restoring remote previous versions" machine setting should be configured correctly.

CCE-10863-9
The "Guaranteed service type" Layer-3 Differentiated Services Code Point (DSCP) value should be configured correctly for packets that conform to the flow specification.

CCE-11416-5
The "Turn Off Boot and Resume Optimizations" machine setting should be configured correctly.

CCE-11669-9
The "Tag Windows Customer Experience Improvement data with Study Identifier" machine setting should be configured correctly.

CCE-11732-5
The "Time (in seconds) to force reboot" machine setting should be configured correctly.

CCE-12085-7
The "Internet Explorer Maintenance policy processing" machine setting should be configured correctly.

CCE-11318-3
The "Dynamic Registration of the DC Locator DNS Records" machine setting should be configured correctly.

CCE-11371-2
The "Site Name" machine setting should be configured correctly.

CCE-11985-9
The "Reserve Battery Notification Level" machine setting should be configured correctly.

CCE-11865-3
The "Teredo State" machine setting should be configured correctly.

CCE-11175-7
The "Turn off Problem Steps Recorder" machine setting should be configured correctly.

CCE-11634-3
The "Guaranteed service type" Layer-3 Differentiated Services Code Point should be configured correctly for packets that do not conform to the flow specification.

CCE-11491-8
The "Ignore the local list of blocked TPM commands" machine setting should be configured correctly.

CCE-11077-5
The "Prohibit Use of Restart Manager" machine setting should be configured correctly.

CCE-11950-3
The "Turn off PNRP cloud creation" machine setting should be configured correctly for IPv6 Global.

CCE-11438-9
The "Critical Battery Notification Level" machine setting should be configured correctly.

CCE-10517-1
The "Turn off Windows Defender" machine setting should be configured correctly.

CCE-10419-0
The 'Shutdown: Allow system to be shut down without having to log on' setting should be configured correctly.

CCE-10570-0
The 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' setting should be configured correctly.

CCE-11710-1
The "Limit the BITS Peercache size" machine setting should be configured correctly.

CCE-11393-6
The "Controlled load service type" Layer-3 Differentiated Services Code Point (DSCP) should be configured correctly for packets that do not conform to the flow specification.

CCE-11612-9
The "Run Windows PowerShell scripts first at computer startup, shutdown" machine setting should be configured correctly.

CCE-10713-6
The "Allow user name hint" machine setting should be configured correctly.

CCE-11514-7
The "Allow Automatic Sleep with Open Network Files (Plugged In)" machine setting should be configured correctly.

CCE-11972-7
The "Allow cryptography algorithms compatible with Windows NT 4.0" machine setting should be configured correctly.

CCE-10846-4
The "Hide previous versions list for remote files" machine setting should be configured correctly.

CCE-11099-9
The "Use IP Address Redirection" machine setting should be configured correctly.

CCE-11166-6
The "Apply policy to removable media" machine setting should be configured correctly.

CCE-10343-2
The "Disable IE security prompt for Windows Installer scripts" machine setting should be configured correctly.

CCE-11625-1
The "Offer Remote Assistance" machine setting should be configured correctly.

CCE-12192-1
The "Do not allow Windows Media Center to run" machine setting should be configured correctly.

CCE-11527-9
The "Configure Drive Maps preference logging and tracing" machine setting should be configured correctly.

CCE-12139-2
The "Turn Off the Hard Disk (On Battery)" machine setting should be configured correctly.

CCE-10855-5
The "Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with Support Provider" machine setting should be configured correctly.

CCE-11407-4
The "Limit the maximum number of BITS jobs for this computer" machine setting should be configured correctly.

CCE-11821-6
The "Force Rediscovery Interval" machine setting should be configured correctly.

CCE-11723-4
The "Solicited Remote Assistance" machine setting should be configured correctly.

CCE-12104-6
The "Limit the maximum BITS job download time" machine setting should be configured correctly.

CCE-11460-3
The "Exclude credential providers" machine setting should be configured correctly.

CCE-11264-9
The "Turn off Automatic Root Certificates Update" machine setting should be configured correctly.

CCE-11033-8
The "Maximum Log Size (KB)" machine setting should be configured correctly for the security log.

CCE-11131-0
The "Allow Basic authentication" machine setting should be configured correctly for the WinRM service.

CCE-11362-1
The "Display string when smart card is blocked" machine setting should be configured correctly.

CCE-12170-7
The "Do not allow manual configuration of discovered targets" machine setting should be configured correctly.

CCE-11603-8
The "Do not forcefully unload the users registry at user logoff" machine setting should be configured correctly.

CCE-12215-0
The "Join RD Connection Broker" machine setting should be configured correctly.

CCE-10722-7
The "Use forest search order" machine setting should be configured correctly for Key Distribution Center (KDC) searches.

CCE-11251-6
The "Select the Power Button Action (On Battery)" machine setting should be configured correctly.

CCE-10931-4
The "Primary DNS Suffix Devolution" machine setting should be configured correctly.

CCE-11188-0
The "Allow domain users to log on using biometrics" machine setting should be configured correctly.

CCE-11906-5
The "Allow certificates with no extended key usage certificate attribute" machine setting should be configured correctly.

CCE-11758-0
The "Override print driver execution compatibility setting reported by print driver" machine setting should be configured correctly.

CCE-10624-5
The "Expected dial-up delay on logon" machine setting should be configured correctly.

CCE-10481-0
Windows Firewall should allow or block outbound connections by default as appropriate for the Public Profile.

CCE-11055-1
The "Retain old events" machine setting should be configured correctly for the system log.

CCE-10757-3
The "Specify the Unattended Sleep Timeout (Plugged In)" machine setting should be configured correctly.

CCE-11286-2
The "Prevent launch an application" machine setting should be configured correctly.

CCE-12094-9
The "Allow Delegating Saved Credentials with NTLM-only Server Authentication" machine setting should be configured correctly.

CCE-11384-5
The "Set the interval between synchronization retries for Password Synchronization" machine setting should be configured correctly.

CCE-9999-4
The 'Devices: Prevent users from installing printer drivers' setting should be configured correctly.

CCE-11412-4
The "Prevent backing up to optical media (CD/DVD)" machine setting should be configured correctly.

CCE-11665-7
The "Prevent flicks" machine setting should be configured correctly.

CCE-10383-8
The "Allow non-administrators to receive update notifications" machine setting should be configured correctly.

CCE-11567-5
The "Turn on TPM backup to Active Directory Domain Services" machine setting should be configured correctly.

CCE-11216-9
The "Allow BITS Peercaching" machine setting should be configured correctly.

CCE-11314-2
The "Lock Enhanced Storage when the computer is locked" machine setting should be configured correctly.

CCE-10454-7
The "Allow Basic authentication" machine setting should be configured correctly for the WinRM client.

CCE-10815-9
The "Set compression algorithm for RDP data" machine setting should be configured correctly.

CCE-12246-5
The "Log directory pruning retry events" machine setting should be configured correctly.

CCE-11763-0
The "Turn off tracking of last play time of games in the Games folder" machine setting should be configured correctly.

CCE-11861-2
The "Configure Report Queue" machine setting should be configured correctly.

CCE-11349-8
The "Delete user profiles older than a specified number of days on system restart" machine setting should be configured correctly.

CCE-11954-5
The "Allow unencrypted traffic" machine setting should be configured correctly for the WinRM client.

CCE-11434-8
The "Enforce upgrade component rules" machine setting should be configured correctly.

CCE-11643-4
The "For tablet pen input, don't show the Input Panel icon" machine setting should be configured correctly.

CCE-10717-7
The "Tape Drives: Deny write access" machine setting should be configured correctly.

CCE-11336-5
The "Prevent Windows from sending an error report when a device driver requests additional software during installation" machine setting should be configured correctly.

CCE-11798-6
The "Specify the System Hibernate Timeout (On Battery)" machine setting should be configured correctly.

CCE-10010-7
The 'Interactive logon: Message title for users attempting to log on' setting should be configured correctly.

CCE-11545-1
The "Allow the use of biometrics" machine setting should be configured correctly.

CCE-11469-4
The "Low Battery Notification Action" machine setting should be configured correctly.

CCE-10619-5
The 'Audit: Audit the use of Backup and Restore privilege' setting should be configured correctly.

CCE-10802-7
The "Domain Controller: Refuse machine account password changes" setting should be configured correctly.

CCE-11621-0
The "Disable Logging" machine setting should be configured correctly.

CCE-10596-5
The 'Deny log on as a batch job' user right should be assigned to the appropriate accounts.

CCE-11941-2
The "Prevent display of the user interface for critical errors" machine setting should be configured correctly.

CCE-10859-7
The 'Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers' setting should be configured correctly.

CCE-10045-3
The 'Network Security: Restrict NTLM: Add server exceptions in this domain' setting should be configured correctly.

CCE-11403-3
The "Use the specified Remote Desktop license servers" machine setting should be configured correctly.

CCE-10508-0
The "Prevent backing up to network location" machine setting should be configured correctly.

CCE-11260-7
The "Set the SMTP Server used to send notifications" machine setting should be configured correctly.

CCE-10374-7
The "Specify maximum amount of memory in MB per Shell" machine setting should be configured correctly.

CCE-11998-2
The "Ignore the default list of blocked TPM commands" machine setting should be configured correctly.

CCE-10922-3
The 'User Account Control: Only elevate executables that are signed and validated' setting should be configured correctly.

CCE-11305-0
The "Configure MSI Corrupted File Recovery Behavior" machine setting should be configured correctly.

CCE-11852-1
The "Do not allow manual configuration of iSNS servers" machine setting should be configured correctly.

CCE-11086-6
The "Registration Refresh Interval" machine setting should be configured correctly.

CCE-10726-8
The 'Manage auditing and security log' user right should be assigned to the appropriate accounts.

CCE-12002-2
The "Configure slow-link mode" machine setting should be configured correctly.

CCE-10837-3
The "Do not log users on with temporary profiles" machine setting should be configured correctly.

CCE-11656-6
The "License server security group" machine setting should be configured correctly.

CCE-11425-6
The "Do not allow compression on all NTFS volumes" machine setting should be configured correctly.

CCE-10485-1
The "Configure Corrupted File Recovery Behavior" machine setting should be configured correctly.

CCE-11282-1
The "Do not display Server Manager automatically at logon" machine setting should be configured correctly.

CCE-10900-9
This policy setting determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. It enables or disables certificate rules (a type of software restriction policies rule). With soft ...

CCE-12090-7
The "Restrict these programs from being launched from Help" machine setting should be configured correctly.

CCE-13394-2
The "Wired policy processing" machine setting should be configured correctly.

CCE-10583-3
The "Communities" machine setting should be configured correctly.

CCE-11380-3
The "Restrict user locales" machine setting should be configured correctly.

CCE-11327-4
The "Disallow selection of Custom Locales" machine setting should be configured correctly.

CCE-11558-4
The "Use RD Connection Broker load balancing" machine setting should be configured correctly.

CCE-11540-2
The "Restricts the UI language Windows uses for all logged users" machine setting should be configured correctly.

CCE-11379-5
The "Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries" machine setting should be configured correctly.

CCE-10929-8
The "Turn off Tablet PC touch input" machine setting should be configured correctly.

CCE-11081-7
The "Allow only USB root hub connected Enhanced Storage devices" machine setting should be configured correctly.

CCE-11028-8
The 'User Account Control: Admin Approval Mode for the Built-in Administrator account' setting should be configured correctly.

CCE-11420-7
The "Disallow user override of locale settings" machine setting should be configured correctly.

CCE-10315-0
The "Controlled load service type" link layer (Layer-2) priority value should be configured correctly.

CCE-11499-1
The "Always use custom logon background" machine setting should be configured correctly.

CCE-10631-0
Display of a notification to the user when Windows Firewall blocks network activity should be enabled or disabled as appropriate for the private profile.

CCE-11958-6
The "Turn off the Windows Messenger Customer Experience Improvement Program" machine setting should be configured correctly.

CCE-11322-5
The "For touch input, don't show the Input Panel icon" machine setting should be configured correctly.

CCE-12255-6
The "Turn off pen feedback" machine setting should be configured correctly.

CCE-10555-1
The "Select the Sleep Button Action (Plugged In)" machine setting should be configured correctly.

CCE-11211-0
The "Turn on Security Center (Domain PCs only)" machine setting should be configured correctly.

CCE-10907-4
The "Sets how often a DFS Client discovers DC's" machine setting should be configured correctly.

CCE-12046-9
The "Do not delete temp folder upon exit" machine setting should be configured correctly.

CCE-12157-4
The "Turn On Compatibility HTTPS Listener" machine setting should be configured correctly.

CCE-11718-4
The "Define Activation Security Check exemptions" machine setting should be configured correctly.

CCE-10751-6
The 'MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)' setting should be configured correctly.

CCE-11344-9
The "Leave Windows Installer and Group Policy Software Installation Data" machine setting should be configured correctly.

CCE-10982-7
The "Allow .rdp files from unknown publishers" machine setting should be configured correctly.

CCE-11015-5
The "Always show desktop on connection" machine setting should be configured correctly.

CCE-10653-4
The 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' setting should be configured correctly.

CCE-11673-1
The "Configure the server address, refresh interval, and issuer certificate authority of a target Subscription Manager" machine setting should be configured correctly.

CCE-11575-8
The "Configure Default consent" machine setting should be configured correctly.

CCE-10422-4
The "Configure use of passwords for removable data drives" machine setting should be configured correctly.

CCE-10991-8
The "Turn on Software Notifications" machine setting should be configured correctly.

CCE-10640-1
The 'Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication' setting should be configured correctly.

CCE-11290-4
The "Allow unencrypted traffic" machine setting should be configured correctly for the WinRM service.

CCE-11433-0
The "Approved Installation Sites for ActiveX Controls" machine setting should be configured correctly.

CCE-11829-9
The "Choose drive encryption method and cipher strength" machine setting should be configured correctly.

CCE-10893-6
The "Set the Remote Desktop licensing mode" machine setting should be configured correctly.

CCE-10381-2
The 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' setting should be configured correctly.

CCE-11237-5
The "Background upload of a roaming user profile's registry file while user is logged on" machine setting should be configured correctly.

CCE-11945-3
The "Specify idle Timeout" machine setting should be configured correctly.

CCE-11588-1
The "Turn off numerical sorting in Windows Explorer" machine setting should be configured correctly.

CCE-10087-5
The 'Network Security: Restrict NTLM: Incoming NTLM traffic' setting should be configured correctly.

CCE-11094-0
The "Disable logging via package settings" machine setting should be configured correctly.

CCE-11651-7
The "Require a Password When a Computer Wakes (Plugged In)" machine setting should be configured correctly.

CCE-11192-2
The "Qualitative service type" Layer-3 Differentiated Services Code Point (DSCP) value should be configured correctly for packets that do not conform to the flow specification.

CCE-10675-7
The "Allow installation of devices that match any of these device IDs" machine setting should be configured correctly.

CCE-12011-3
The "Prohibit installing or uninstalling color profiles" machine setting should be configured correctly.

CCE-10773-0
The "Do not automatically start Windows Messenger initially" machine setting should be configured correctly.

CCE-11784-6
The "Allow restore of system to default state" machine setting should be configured correctly.

CCE-10760-7
The 'Minimum password age' setting should be configured correctly.

CCE-11104-7
The "Allow printers to be published" machine setting should be configured correctly.

CCE-11455-3
The "Allow ECC certificates to be used for logon and authentication" machine setting should be configured correctly.

CCE-10662-5
The "Select the Power Button Action (Plugged In)" machine setting should be configured correctly.

CCE-12910-6
The "Configure Environment preference logging and tracing" machine setting should be configured correctly.

CCE-11300-1
The "Route all traffic through the internal network" machine setting should be configured correctly.

CCE-11531-1
The "Do not allow printing to Journal Note Writer" machine setting should be configured correctly.

CCE-11860-4
The "Allow Remote Shell Access" machine setting should be configured correctly.

CCE-11807-5
The "Turn off game updates" machine setting should be configured correctly.

CCE-11932-1
The "Specify the System Hibernate Timeout (Plugged In)" machine setting should be configured correctly.

CCE-10697-1
The "Turn off Internet File Association service" machine setting should be configured correctly.

CCE-11709-3
The "Do not allow drive redirection" machine setting should be configured correctly.

CCE-12166-5
The "Disk Diagnostic: Configure custom alert text" machine setting should be configured correctly.

CCE-11762-2
The "All Removable Storage classes: Deny all access" machine setting should be configured correctly.

CCE-10951-2
The "Prioritize all digitally signed drivers equally during the driver ranking and selection process" machine setting should be configured correctly.

CCE-11122-9
The "Prompt user when a slow network connection is detected" machine setting should be configured correctly.

CCE-12273-9
The "Set the map update interval for NIS subordinate servers" machine setting should be configured correctly.

CCE-11834-9
The "DNS Suffix Search List" machine setting should be configured correctly.

CCE-11277-1
The "Do not allow connections without IPSec" machine setting should be configured correctly.

CCE-11473-6
The "Limit audio playback quality" machine setting should be configured correctly.

CCE-10600-5
The "Do not allow COM port redirection" machine setting should be configured correctly.

CCE-12020-4
The "Display a custom message when installation is prevented by a policy setting" machine setting should be configured correctly.

CCE-11375-3
The "Turn off Autoplay for non-volume devices" machine setting should be configured correctly.

CCE-11905-7
The "Do not allow passwords to be saved" machine setting should be configured correctly.

CCE-11638-4
The "Configure Microsoft SpyNet Reporting" machine setting should be configured correctly.

CCE-10733-4
The 'Deny access to this computer from the network' user right should be assigned to the appropriate accounts.

CCE-11593-1
The "Enforce disk quota limit" machine setting should be configured correctly.

CCE-11397-7
The "Turn Off Hybrid Sleep (Plugged In)" machine setting should be configured correctly.

CCE-12754-8
The "Registry policy processing" machine setting should be configured correctly.

CCE-11046-0
The 'Account lockout threshold' setting should be configured correctly.

CCE-12042-8
The "Allow desktop composition for remote desktop sessions" machine setting should be configured correctly.

CCE-11812-5
The "Turn off Help and Support Center "Did you know?" content" machine setting should be configured correctly.

CCE-11299-5
The "Always prompt for password upon connection" machine setting should be configured correctly.

CCE-10831-6
The "Traps for public community" machine setting should be configured correctly.

CCE-12251-5
The "Turn on extensive logging for Active Directory Domain Services domain controllers that are running Server for NIS" machine setting should be configured correctly.

CCE-11144-3
The "Configure Network Options preference logging and tracing" machine setting should be configured correctly.

CCE-11714-3
The "Allow Standby States (S1-S3) When Sleeping (Plugged In)" machine setting should be configured correctly.

CCE-11847-1
The "CD and DVD: Deny read access" machine setting should be configured correctly.

CCE-11011-4
The 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' setting should be configured correctly.

CCE-11616-0
The "Turn off password security in Input Panel" machine setting should be configured correctly.

CCE-11242-5
The "Configuration of wireless settings using Windows Connect Now" machine setting should be configured correctly.

CCE-11518-8
The "Notify blocked drivers" machine setting should be configured correctly.

CCE-10888-6
The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.

CCE-11584-0
The "Do not send additional data" machine setting should be configured correctly.

CCE-10742-5
The 'Audit: Shut down system immediately if unable to log security audits' setting should be configured correctly.

CCE-12064-2
The "Turn off hardware buttons" machine setting should be configured correctly.

CCE-11486-8
The "Do not allow sessions without one way CHAP" machine setting should be configured correctly.

CCE-11331-6
The "Use localized subfolder names when redirecting Start Menu and My Documents" machine setting should be configured correctly.

CCE-11366-2
The "Set Remote Desktop Services User Home Directory" machine setting should be configured correctly.

CCE-11090-8
The "Prevent Media Sharing" machine setting should be configured correctly.

CCE-13026-0
The "Configure Network Shares preference logging and tracing" machine setting should be configured correctly.

CCE-10546-0
The "Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point" machine setting should be configured correctly.

CCE-11464-5
The "Limit maximum color depth" machine setting should be configured correctly.

CCE-12099-8
The "Teredo Client Port" machine setting should be configured correctly.

CCE-10679-9
The "Log Access" machine setting should be configured correctly for the setup log.

CCE-11727-5
The "Turn Off user-installed desktop gadgets" machine setting should be configured correctly.

CCE-11037-9
The "Update Security Level" machine setting should be configured correctly.

CCE-12282-0
The "Turn Off the Display (Plugged In)" machine setting should be configured correctly.

CCE-10809-2
The "Enforce password history" setting should be configured correctly.

CCE-10511-4
The "Configure Background Sync" machine setting should be configured correctly.

CCE-10973-6
The "Final DC Discovery Retry Setting for Background Callers" machine setting should be configured correctly.

CCE-12086-5
The "Sites Covered by the DC Locator DNS SRV Records" machine setting should be configured correctly.

CCE-11451-2
The "Turn Off Adaptive Display Timeout (On Battery)" machine setting should be configured correctly.

CCE-11002-3
The "Turn off Application Telemetry" machine setting should be configured correctly.

CCE-12295-2
The "Disallow Negotiate authentication" machine setting should be configured correctly for the WinRM service.

CCE-10875-3
This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member will request encryption of all secure channel traffic. If you disable this policy setting, the domain m ...

CCE-11255-7
The "Turn on the Windows to NIS password synchronization for users that have been migrated to Active Directory" machine setting should be configured correctly.

CCE-11353-0
The "Do not allow the computer to act as a BITS Peercaching client" machine setting should be configured correctly.

CCE-11157-5
The "Primary DNS Suffix Devolution Level" machine setting should be configured correctly.

CCE-10292-1
The 'Network access: Do not allow storage of passwords and credentials for network authentication' setting should be configured correctly.

CCE-10568-4
The "Enable NTFS pagefile encryption" machine setting should be configured correctly.

CCE-14153-1
The "Security policy processing" machine setting should be configured correctly.

CCE-12260-6
The "Report when logon server was not available during user logon" machine setting should be configured correctly.

CCE-11705-1
The "Disable binding directly to IPropertySetStorage without intermediate layers." machine setting should be configured correctly.

CCE-11646-7
The "Configure root certificate clean up" machine setting should be configured correctly.

CCE-9972-1
The 'Access Credential Manager as a trusted caller' user right should be assigned to the appropriate accounts.

CCE-11250-8
The "Allow Integrated Unblock screen to be displayed at the time of logon" machine setting should be configured correctly.

CCE-10627-8
The "Turn off AutoComplete integration with Input Panel" machine setting should be configured correctly.

CCE-11962-8
The "Configure Report Archive" machine setting should be configured correctly.

CCE-11383-7
The "Printer browsing" machine setting should be configured correctly.

CCE-11054-4
The Diagnostic Policy Service (DPS) "Configure Scenario Execution Level" machine setting should be configured correctly for Windows Standby/Resume Performance Diagnostics.

CCE-10529-6
The 'Windows Firewall: Public: Apply local connection security rules' setting should be configured correctly.

CCE-11611-1
The "Diagnostics: Configure scenario retention" machine setting should be configured correctly.

CCE-11285-4
The "Do not allow changes to initiator iqn name" machine setting should be configured correctly.

CCE-12051-9
The "Configure Local Users and Groups preference logging and tracing" machine setting should be configured correctly.

CCE-11152-6
The "Events.asp program command line parameters" machine setting should be configured correctly.

CCE-10484-4
The "Turn on Mapper I/O (LLTDIO) driver" machine setting should be configured correctly.

CCE-11415-7
The "Specify Windows Service Pack installation file location" machine setting should be configured correctly.

CCE-11317-5
The "Turn off Data Execution Prevention for HTML Help Executible" machine setting should be configured correctly.

CCE-11219-3
The "Log Access" machine setting should be configured correctly for the application log.

CCE-11370-4
The "Custom Classes: Deny read access" machine setting should be configured correctly.

CCE-14616-7
The "Wireless policy processing" machine setting should be configured correctly.

CCE-12073-3
The "Disk Quota policy processing" machine setting should be configured correctly.

CCE-11076-7
The "SSL Cipher Suite Order" machine setting should be configured correctly.

CCE-10921-5
The 'Windows Firewall: Private: Apply local connection security rules' setting should be configured correctly.

CCE-10823-3
The "Turn off automatic termination of applications that block or cancel shutdown" machine setting should be configured correctly.

CCE-11174-0
The "Maximum Log Size (KB)" machine setting should be configured correctly for the system log.

CCE-11143-5
The "Maximum Log Size (KB)" machine setting should be configured correctly for the application log.

CCE-12007-1
The "6to4 Relay Name" machine setting should be configured correctly.

CCE-10832-4
The "IP-HTTPS State" machine setting should be configured correctly.

CCE-10320-0
The "Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names" machine setting should be configured correctly.

CCE-11757-2
The "Turn off Program Compatibility Assistant" machine setting should be configured correctly.

CCE-12180-6
The "Log File Path" machine setting should be configured correctly for the setup log.

CCE-10987-6
The "Select the network adapter to be used for Remote Desktop IP Virtualization" machine setting should be configured correctly.

CCE-10712-8
The "ISATAP Router Name" machine setting should be configured correctly.

CCE-10355-6
The "Do not show the "local access only" network icon" machine setting should be configured correctly.

CCE-12127-7
The "Microsoft Support Diagnostic Tool: Configure execution level" machine setting should be configured correctly.

CCE-11241-7
The "Diagnostics: Configure scenario execution level" machine setting should be configured correctly.

CCE-11971-9
The "Configure Reliability WMI Providers" machine setting should be configured correctly.

CCE-11010-6
This policy setting determines the strength of the default discretionary access control list (DACL) for objects. The setting helps secure objects that can be located and shared among processes and its default configuration strengthens the DACL, because it allows users who are not administrators to r ...

CCE-10889-4
The "Turn off Search Companion content file updates" machine setting should be configured correctly.

CCE-11419-9
The "Turn off automatic wake" machine setting should be configured correctly.

CCE-11833-1
The "Server Authentication Certificate Template" machine setting should be configured correctly.

CCE-12029-5
The "Removable Disks: Deny read access" machine setting should be configured correctly.

CCE-12082-4
The "Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com" machine setting should be configured correctly.

CCE-10965-2
The "Enable user to patch elevated products" machine setting should be configured correctly.

CCE-10333-3
The "Turn off PNRP cloud creation" machine setting should be configured correctly for IPv6 Link Local.

CCE-11263-1
The "Turn on session logging" machine setting should be configured correctly.

CCE-11494-2
The Remote Desktop Connection Client "Configure server authentication for client" machine setting should be configured correctly.

CCE-11690-5
The "Log Access" machine setting should be configured correctly for the security log.

CCE-11539-4
The "Allow Corporate redirection of Customer Experience Improvement uploads" machine setting should be configured correctly.

CCE-11308-4
The "Re-prompt for restart with scheduled installations" machine setting should be configured correctly.

CCE-12994-0
The "Startup policy processing wait time" machine setting should be configured correctly.

CCE-12105-3
The "TTL Set in the DC Locator DNS Records" machine setting should be configured correctly.

CCE-10684-9
This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC pol ...

CCE-11797-8
The "Disallow optical media as backup target" machine setting should be configured correctly.

CCE-11544-4
The "Turn off Help and Support Center Microsoft Knowledge Base search" machine setting should be configured correctly.

CCE-11966-9
The Diagnostic Policy Service (DPS) "Configure Scenario Execution Level" machine setting should be configured correctly for Windows System Responsiveness Diagnostics.

CCE-11183-1
The "Turn on bandwidth optimization" machine setting should be configured correctly.

CCE-12269-7
The "Switch to the Simplified Chinese (PRC) gestures" machine setting should be configured correctly.

CCE-11424-9
The "Turn off SwitchBack Compatibility Engine" machine setting should be configured correctly.

CCE-11281-3
The "Deny Delegating Fresh Credentials" machine setting should be configured correctly.

CCE-11699-6
The "Add Printer wizard - Network scan page (Managed network)" machine setting should be configured correctly.

CCE-12585-6
The "Remove users ability to invoke machine policy refresh" machine setting should be configured correctly.

CCE-11228-4
The "Allow audio recording redirection" machine setting should be configured correctly.

CCE-10947-0
The "Allow or Disallow use of the Offline Files feature" machine setting should be configured correctly.

CCE-11873-7
The "Enable Windows NTP Server" machine setting should be configured correctly.

CCE-11620-2
The "Make Parental Controls control panel visible on a Domain" machine setting should be configured correctly.

CCE-11411-6
The "Floppy Drives: Deny read access" machine setting should be configured correctly.

CCE-11988-3
The "Location of the DCs hosting a domain with single label DNS name" machine setting should be configured correctly.

CCE-12345-5
The "Tape Drives: Deny execute access" machine setting should be configured correctly.

CCE-11313-4
The "Optimize visual experience for Remote Desktop Services sessions" machine setting should be configured correctly.

CCE-11522-0
The "Configure Internet Settings preference logging and tracing" machine setting should be configured correctly.

CCE-11677-2
The "Set client connection encryption level" machine setting should be configured correctly.

CCE-12016-2
The "Restrict Remote Desktop Services users to a single Remote Desktop Services session" machine setting should be configured correctly.

CCE-11072-6
The "Priority Set in the DC Locator DNS SRV Records" machine setting should be configured correctly.

CCE-13373-6
The "Turn off Local Group Policy objects processing" machine setting should be configured correctly.

CCE-10827-4
The "Start a program on connection" machine setting should be configured correctly.

CCE-11019-7
Display of a notification to the user when Windows Firewall blocks network activity should be enabled or disabled as appropriate for the domain profile.

CCE-10057-8
The 'Network Security: Restrict NTLM: Audit NTLM authentication in this domain' setting should be configured correctly.

CCE-11437-1
The "Run startup scripts asynchronously" machine setting should be configured correctly.

CCE-10573-4
The 'Interactive logon: Smart card removal behavior' setting should be configured correctly.

CCE-11041-1
Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Domain Profile.

CCE-10934-8
The "Wait for remote user profile" machine setting should be configured correctly.

CCE-11339-9
The "Specify Shell Timeout" machine setting should be configured correctly.

CCE-12003-0
The "Set time limit for logoff of RemoteApp sessions" machine setting should be configured correctly.

CCE-11500-6
The "Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers" machine setting should be configured correctly.

CCE-11392-8
The "Prevent license upgrade" machine setting should be configured correctly.

CCE-10836-5
The "Turn off Routinely Taking Action" machine setting should be configured correctly.

CCE-11098-1
The "Do not allow Digital Locker to run" machine setting should be configured correctly.

CCE-12038-6
The Diagnostic Policy Service (DPS) "Configure Scenario Execution Level" machine setting should be configured correctly for Fault Tolerant Heap.

CCE-12123-6
The "Turn off automatic learning" machine setting should be configured correctly.

CCE-12354-7
The "Turn off the ability to back up data files" machine setting should be configured correctly.

CCE-10440-6
The "Allow Delegating Saved Credentials" machine setting should be configured correctly.

CCE-9989-5
The 'Accounts: Guest account status' setting should be configured correctly.

CCE-10801-9
The "Turn off desktop gadgets" machine setting should be configured correctly.

CCE-11063-5
The "Register PTR Records" machine setting should be configured correctly.

CCE-10703-7
The "Initial DC Discovery Retry Setting for Background Callers" machine setting should be configured correctly.

CCE-11731-7
The "Turn on the Ability for Applications to Prevent Sleep Transitions (On Battery)" machine setting should be configured correctly.

CCE-10912-4
The 'Devices: Restrict floppy access to locally logged-on user only' setting should be configured correctly.

CCE-11161-7
The "Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS)" machine setting should be configured correctly.

CCE-12661-5
The "Scripts policy processing" machine setting should be configured correctly.

CCE-11864-6
The "Limit reservable bandwidth" machine setting should be configured correctly.

CCE-11402-5
The "ForwarderResourceUsage" machine setting should be configured correctly.

CCE-10693-0
The "Turn off Event Viewer "Events.asp" links" machine setting should be configured correctly.

CCE-12332-3
The "Disable or enable software Secure Attention Sequence" machine setting should be configured correctly.

CCE-11997-4
The "Remove "Disconnect" option from Shut Down dialog" machine setting should be configured correctly.

CCE-10791-2
The "Require a PIN to access data on devices running Microsoft firmware" machine setting should be configured correctly.

CCE-11304-3
The "Turn on Responder (RSPNDR) driver" machine setting should be configured correctly.

CCE-11258-1
The "Provide the unique identifiers for your organization" machine setting should be configured correctly.

CCE-11761-4
The "Automatic Updates detection frequency" machine setting should be configured correctly.

CCE-11191-4
The "Use forest search order" machine setting should be configured correctly for Kerberos client searches.

CCE-10416-6
The "Specify intranet Microsoft update service location" machine setting should be configured correctly.

CCE-11615-2
The "Deny write access to fixed drives not protected by BitLocker" machine setting should be configured correctly.

CCE-10612-0
The "Allow enhanced PINs for startup" machine setting should be configured correctly.

CCE-11147-6
The "Limit maximum number of monitors" machine setting should be configured correctly.

CCE-11232-6
The "Do not allow sessions without mutual CHAP" machine setting should be configured correctly.

CCE-11498-3
The "Prohibit removal of updates" machine setting should be configured correctly.

CCE-11209-4
The "Dynamic Update" machine setting should be configured correctly.

CCE-11088-2
The "Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates" machine setting should be configured correctly.

CCE-11636-8
The "Allow access to BitLocker-protected removable data drives from earlier versions of Windows" machine setting should be configured correctly.

CCE-11142-7
The "Deny write access to removable drives not protected by BitLocker" machine setting should be configured correctly.

CCE-12137-6
The "Define host name-to-Kerberos realm mappings" machine setting should be configured correctly.

CCE-11534-5
The "Delay Restart for scheduled installations" machine setting should be configured correctly.

CCE-10572-6
The "Do not set default client printer to be default printer in a session" machine setting should be configured correctly.

CCE-10544-5
The "Prevent Windows Anytime Upgrade from running." machine setting should be configured correctly.

CCE-11880-2
The "Turn on definition updates through both WSUS and Windows Update" machine setting should be configured correctly.

CCE-11159-1
The "Terminate session when time limits are reached" machine setting should be configured correctly.

CCE-11697-0
The "Disallow Kerberos authentication" machine setting should be configured correctly for the WinRM client.

CCE-11377-9
The "Control use of BitLocker on removable drives" machine setting should be configured correctly.

CCE-10019-8
The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly.

CCE-11693-9
The "Set rules for remote control of Remote Desktop Services user sessions" machine setting should be configured correctly.

CCE-11973-5
The "Choose how BitLocker-protected removable drives can be recovered" machine setting should be configured correctly.

CCE-11537-8
The "Allow Automatic Updates immediate installation" machine setting should be configured correctly.

CCE-11648-3
The "Turn on recommended updates via Automatic Updates" machine setting should be configured correctly.

CCE-12312-5
The "Short name creation options" machine setting should be configured correctly.

CCE-11319-1
The "Turn off Windows Update device driver search prompt" machine setting should be configured correctly.

CCE-11239-1
The "Configure use of smart cards on fixed data drives" machine setting should be configured correctly.

CCE-11809-1
The "Configure TPM platform validation profile" machine setting should be configured correctly.

CCE-10749-0
The "Configure Automatic Updates" machine setting should be configured correctly.

CCE-11149-2
The "Disallow Kerberos authentication" machine setting should be configured correctly for the WinRM service.

CCE-11310-0
The "Turn off access to all Windows Update features" machine setting should be configured correctly.

CCE-11332-4
The "Configure minimum PIN length for startup" machine setting should be configured correctly.

CCE-11465-2
The "Allow access to BitLocker-protected fixed data drives from earlier versions of Windows" machine setting should be configured correctly.

CCE-11933-9
The "Require additional authentication at startup" machine setting should be configured correctly.

CCE-10587-4
The "Turn on definition updates through both WSUS and the Microsoft Malware Protection Center" machine setting should be configured correctly.

CCE-11506-3
The "Set time limit for active but idle Remote Desktop Services sessions" machine setting should be configured correctly.

CCE-11341-5
The "Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box" machine setting should be configured correctly.

CCE-11928-9
The "Prevent memory overwrite on restart" machine setting should be configured correctly.

CCE-10983-5
The 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly.

CCE-10996-7
The "Do not allow additional session logins" machine setting should be configured correctly.

CCE-11273-0
The "Choose how BitLocker-protected fixed drives can be recovered" machine setting should be configured correctly.

CCE-10868-8
The "Define interoperable Kerberos V5 realm settings" machine setting should be configured correctly.

CCE-12237-4
The "Configure use of passwords for fixed data drives" machine setting should be configured correctly.

CCE-11919-8
The "Require strict KDC validation" machine setting should be configured correctly.

CCE-11118-7
The "Prohibit patching" machine setting should be configured correctly.

CCE-11976-8
The "Extend Point and Print connection to search Windows Update" machine setting should be configured correctly.

CCE-11923-0
The "Reschedule Automatic Updates scheduled installations" machine setting should be configured correctly.

CCE-10520-5
The "Allow admin to install from Remote Desktop Services session" machine setting should be configured correctly.

CCE-12131-9
The "Require strict target SPN match on remote procedure calls" machine setting should be configured correctly.

CCE-11468-6
The "Prohibit non-administrators from applying vendor signed updates" machine setting should be configured correctly.

CCE-11664-0
The "Do not allow font smoothing" machine setting should be configured correctly.

CCE-11428-0
The "Allow signed updates from an intranet Microsoft update service location" machine setting should be configured correctly.

CCE-11298-7
The "Prevent Automatic Updates" machine setting should be configured correctly.

CCE-12060-0
The "Choose how BitLocker-protected operating system drives can be recovered" machine setting should be configured correctly.

CCE-12336-4
The "Configure use of smart cards on removable data drives" machine setting should be configured correctly.

CCE-11326-6
The "Set time limit for active Remote Desktop Services sessions" machine setting should be configured correctly.

CCE-11117-9
The "Set time limit for disconnected sessions" machine setting should be configured correctly.

CCE-12401-6
The "Always install with elevated privileges" machine setting should be configured correctly.

CCE-10637-7
The 'Devices: Allowed to format and eject removable media' setting should be configured correctly.

CCE-10750-8
The 'Deny log on locally' user right should be assigned to the appropriate accounts.

CCE-10830-8
The 'Network security: Do not store LAN Manager hash value on next password change' setting should be configured correctly.

CCE-11023-9
This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most co ...

CCE-10807-6
The 'User Account Control: Behavior of the elevation prompt for standard users' setting should be configured correctly.

CCE-11103-9
The Windows Firewall should be enabled or disabled as appropriate for the Private Profile.

CCE-11368-8
The "Require secure RPC communication" machine setting should be configured correctly.

CCE-10557-7
The 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' setting should be configured correctly.

CCE-10482-8
The Windows Firewall should be enabled or disabled as appropriate for the Domain Profile.

CCE-10821-7
The 'Network access: Shares that can be accessed anonymously' setting should be configured correctly.

CCE-10673-2
The 'Interactive logon: Message text for users attempting to log on' setting should be configured correctly.

CCE-10970-2
The 'Microsoft network client: Digitally sign communications (always)' setting should be configured correctly.

CCE-10009-9
The 'Domain member: Digitally sign secure channel data (when possible)' setting should be configured correctly.

CCE-18808-6
The 'Require 128-bit encryption' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' setting should be enabled or disabled as appropriate.

CCE-10974-4
The 'Microsoft network client: Digitally sign communications (if server agrees)' setting should be configured correctly.

CCE-11295-3
The "Require use of specific security layer for remote (RDP) connections" machine setting should be configured correctly.

CCE-10944-7
The 'Network access: Named Pipes that can be accessed anonymously' setting should be configured correctly.

CCE-10027-1
The 'Network access: Do not allow anonymous enumeration of SAM accounts' setting should be configured correctly.

CCE-10871-2
The 'Domain member: Digitally encrypt or sign secure channel data (always)' setting should be configured correctly.

CCE-10986-8
The 'System objects: Require case insensitivity for non-Windows subsystems' setting should be configured correctly.

CCE-11059-3
The 'Reset account lockout counter after' setting should be configured correctly.

CCE-10978-5
This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Di ...

CCE-10399-4
The 'Account lockout duration' setting should be configured correctly.

CCE-10810-0
The 'Interactive logon: Do not require CTRL+ALT+DEL' setting should be configured correctly.

CCE-10297-0
The 'Network access: Let Everyone permissions apply to anonymous users' setting should be configured correctly.

CCE-11050-2
The Windows Firewall should be enabled or disabled as appropriate for the Public Profile.

CCE-10541-1
The 'Domain member: Require strong (Windows 2000 or later) session key' setting should be configured correctly.

CCE-11453-8
The "No auto-restart with logged on users for scheduled automatic updates installations" machine setting should be configured correctly.

CCE-10788-8
The 'Interactive logon: Do not display last user name' setting should be configured correctly.

CCE-10838-1
The 'Microsoft network client: Send unencrypted password to third-party SMB servers' setting should be configured correctly.

CCE-10362-2
The 'Microsoft network server: Amount of idle time required before suspending session' setting should be configured correctly.

CCE-10338-2
The "Require user authentication for remote connections by using Network Level Authentication" machine setting should be configured correctly.

CCE-10112-1
The 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' setting should be configured correctly.

CCE-10903-3
The 'Domain member: Maximum machine account password age' setting should be configured correctly.

CCE-10930-6
The 'Interactive logon: Prompt user to change password before expiration' setting should be configured correctly.

CCE-10614-6
The 'Network security: LDAP client signing requirements' setting should be configured correctly.

CPE    1
cpe:/o:microsoft:windows_server_2008:r2
*XCCDF
xccdf_org.secpod_benchmark_general_Windows_Server_2008_R2
OVAL    943
oval:org.secpod.oval:def:8846
oval:org.secpod.oval:def:8847
oval:org.secpod.oval:def:8857
oval:org.secpod.oval:def:8836
...

© SecPod Technologies