oval:org.secpod.oval:def:56034
This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windows. If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For ...

oval:org.secpod.oval:def:56033
This policy setting allows you to create an exception list of servers in this domain to which clients are allowed to use NTLM pass-through authentication if the Network Security: Restrict NTLM: Deny NTLM authentication in this domain is set. The naming format for servers on this exception list is t ...

oval:org.secpod.oval:def:56036
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting does not affect foreground transfers.) You can specify a limit to use during a specific time interval and at all other times. For exampl ...

oval:org.secpod.oval:def:56035
This policy setting configures the Kerberos client so that it can authenticate with interoperable Kerberos V5 realms, as defined by this policy setting. If you enable this policy setting, you can view and change the list of interoperable Kerberos V5 realms and their settings. To view the list of in ...

oval:org.secpod.oval:def:55327
The operating system installed on the system is Microsoft Windows Server 2019.

oval:org.secpod.oval:def:56270
The registry value entry KeepAliveTime was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds (300,000 is recommended) in the SCE. This ...

oval:org.secpod.oval:def:56283
This policy setting specifies whether Remote Desktop IP Virtualization is turned on. By default, Remote Desktop IP Virtualization is turned off. If you enable this policy setting, Remote Desktop IP Virtualization is turned on. You can select the mode in which this setting is applied. If you are us ...

oval:org.secpod.oval:def:56282
Removes the Back->ESC mapping that normally occurs when menus are visible, and for applications that subscribe to this behavior. If you enable this policy, a button assigned to Back will not map to ESC. If you disable this policy, Back->ESC mapping will occur. If you do not configure this p ...

oval:org.secpod.oval:def:56286
This policy setting allows you to configure the recovery behavior for corrupted MSI files to one of three states: Prompt for Resolution: Detection, troubleshooting, and recovery of corrupted MSI applications will be enabled. Windows will prompt the user with a dialog box when application reinstalla ...

oval:org.secpod.oval:def:56284
This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. Note: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that ...

oval:org.secpod.oval:def:56289
This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorization failure within the duration equals a threshold, a standard user i ...

oval:org.secpod.oval:def:56046
This policy prevents a shortcut for the Player from being added to the Quick Launch bar. When this policy is not configured or disabled, the user can choose whether to add the shortcut for the Player to the Quick Launch bar. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Co ...

oval:org.secpod.oval:def:56294
This policy setting allows you to turn off Found New Hardware balloons during device installation. If you enable this policy setting, Found New Hardware balloons do not appear while a device is being installed. If you disable or do not configure this policy setting, Found New Hardware balloons app ...

oval:org.secpod.oval:def:56056
This policy setting defines threats which will be excluded from detection during network traffic inspection. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a Threat ID. As an example, a T ...

oval:org.secpod.oval:def:56298
This policy setting allows you to manage BitLocker's use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent readin ...

oval:org.secpod.oval:def:56296
Turn off the Windows Startup sound and prevent its customization in the Sound item of Control Panel. The Microsoft Windows Startup sound is heard during system startup and cold startup and can be turned on or off in the Sound item of Control Panel. Enabling or disabling this setting will automatic ...

oval:org.secpod.oval:def:56059
This policy setting defines processes from which outbound network traffic will not be inspected. Process names should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a process path and name. As an exampl ...

oval:org.secpod.oval:def:56061
This policy setting specifies the message that users see when they are denied access to a file or folder. You can customize the Access Denied message to include additional text and links. You can also provide users with the ability to send an email to request access to the file or folder to which th ...

oval:org.secpod.oval:def:56067
Specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. If this setting is enabled, all of the policy settings listed in the Internet Communication settings section will be set such that their respective features cannot access the Internet. If th ...

oval:org.secpod.oval:def:56240
This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication. If you enable this policy setting, client computers that support claims and compound authentication for Dynam ...

oval:org.secpod.oval:def:56239
Prevent the desktop personalization group from syncing to and from this PC. This turns off and disables the desktop personalization group on the sync your settings page in PC settings. If you enable this policy setting, the desktop personalization group will not be synced. Use the option Allow use ...

oval:org.secpod.oval:def:56238
Includes rarely used Chinese, Kanji, and Hanja characters when handwriting is converted to typed text. This policy applies only to the use of the Microsoft recognizers for Chinese (Simplified), Chinese (Traditional), Japanese, and Korean. This setting appears in Input Panel Options only when these i ...

oval:org.secpod.oval:def:56249
This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the ...

oval:org.secpod.oval:def:56261
This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. Note: Only one of the additi ...

oval:org.secpod.oval:def:56264
This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows you to associate a unique organizational identifier ...

oval:org.secpod.oval:def:56262
This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication ...

oval:org.secpod.oval:def:56269
This policy setting allows you to choose specific Boot Configuration Data (BCD) settings to verify during platform validation. If you enable this policy setting, you will be able to add additional settings, remove the default settings, or both. If you disable this policy setting, the computer will ...

oval:org.secpod.oval:def:56268
This policy setting allows you to limit the size of the entire roaming user profile cache on the local drive. This policy setting only applies to a computer on which the Remote Desktop Session Host role service is installed. Note: If you want to limit the size of an individual user profile, use th ...

oval:org.secpod.oval:def:56212
Prevents printing to Journal Note Writer. If you enable this policy, the Journal Note Writer printer driver will not allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail. If you disable this policy, you will be able to use this fea ...

oval:org.secpod.oval:def:56208
This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration for Standard User Lockout Duration equals this value, the standard user is prev ...

oval:org.secpod.oval:def:56220
Specifies whether the Order Prints Online task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. If you enable this setting, the task Order Prints Online is removed from Picture Tasks i ...

oval:org.secpod.oval:def:56222
The registry value entry NoNameReleaseOnDemand was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\ registry key. The entry appears as MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS ser ...

oval:org.secpod.oval:def:56215
This security setting is to support clients running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-For-User-To-Self (S4U2Self) functionality to obtain ...

oval:org.secpod.oval:def:56400
This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. If you disable this policy ...

oval:org.secpod.oval:def:56405
If enabled then only those sessions that are configured for one-way CHAP may be established. If disabled then sessions that are configured for one-way CHAP or sessions not configured for one-way CHAP may be established. Note that if the Do not allow sessions without mutual CHAP setting is enabled th ...

oval:org.secpod.oval:def:56403
This policy setting applies to applications using the Cred SSP component (for example: Terminal Server). This policy applies when server authentication was achieved via a trusted X509 certificate or Kerberos. If you enable this policy setting you can specify the servers to which the user' ...

oval:org.secpod.oval:def:56074
This policy setting controls whether the Classification tab is displayed in the Properties dialog box in File Explorer. The Classification tab enables users to manually classify files by selecting properties from a list. Administrators can define the properties for the organization by using Group P ...

oval:org.secpod.oval:def:56073
This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string r ...

oval:org.secpod.oval:def:56071
This policy setting allows you to turn on logging for Windows PowerShell modules. If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Event Viewer. Enabling this policy setting for a module is equiva ...

oval:org.secpod.oval:def:56078
This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of Trusted Platform Module (TPM) owner information. TPM owner information includes a cryptographic hash of the TPM owner password. Certain TPM commands can only be run by the TPM owner. This hash authorizes ...

oval:org.secpod.oval:def:56077
This policy setting defines a list of TCP port numbers from which network traffic inspection will be disabled. Port numbers should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a TCP port number. As an ...

oval:org.secpod.oval:def:56076
This policy setting allows you to specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the f ...

oval:org.secpod.oval:def:56075
This setting lets you configure the script execution policy, controlling what scripts are allowed to run. If you enable this setting, the scripts selected in the drop down list will be allowed to run. The Allow only signed scripts setting allows scripts to execute only if they are signed by a trus ...

oval:org.secpod.oval:def:56079
This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be ...

oval:org.secpod.oval:def:56080
This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. The Allow certificate-based data recovery agent check box is used to specify whe ...

oval:org.secpod.oval:def:56084
This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance. If you enable or do not configure this setting, the antimalware service will load as a normal priority task. If you disable th ...

oval:org.secpod.oval:def:56089
This policy setting applies to applications using the Cred SSP component (for example: Terminal Server). This policy applies when server authentication was achieved via NTLM. If you enable this policy setting you can specify the servers to which the user's default credentials can be deleg ...

oval:org.secpod.oval:def:56097
This policy setting applies to applications using the Cred SSP component (for example: Terminal Server). If you enable this policy setting you can specify the servers to which the user's saved credentials can NOT be delegated (saved credentials are those that you elect to save/remember usi ...

oval:org.secpod.oval:def:56392
Adjusts password security settings in Tablet PC Input Panel. These settings include using the on-screen keyboard by default, preventing users from switching to another Input Panel skin (the writing pad or character pad), and not showing what keys are tapped when entering a password. Tablet PC Input ...

oval:org.secpod.oval:def:56391
This policy setting allows a Password Synchronization administrator to configure the interval, in seconds, between synchronization retries in the event that a synchronization attempt fails. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Password Synchronization!S ...

oval:org.secpod.oval:def:56390
Enter '0' to disable Logon Script Delay. This policy setting allows you to configure how long the Group Policy client waits after logon before running scripts. By default, the Group Policy client waits five minutes before running logon scripts. This helps create a responsive deskto ...

oval:org.secpod.oval:def:56155
This policy setting allows you to remove the Disconnect option from the Shut Down Windows dialog box in Remote Desktop Services sessions. You can use this policy setting to prevent users from using this familiar method to disconnect their client from an RD Session Host server. If you enable this p ...

oval:org.secpod.oval:def:56152
Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to the IPropertySetStorage implementation, and to include the intermediate layers provided by the Property System. This behavior is consistent with Windows Vista's behavior in this scenario. ...

oval:org.secpod.oval:def:56399
Turn off Panning Turns off touch panning, which allows users to pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. If you enable this setting, the user will ...

oval:org.secpod.oval:def:56176
The registry value entry PerformRouterDiscovery was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to Do ...

oval:org.secpod.oval:def:56175
This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including g ...

oval:org.secpod.oval:def:56179
This policy setting denies execute access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, execute access will be denied to this removable storage class. If you disable or do not configure this policy setting, execute access will be allo ...

oval:org.secpod.oval:def:56181
This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent users from changing the default window frame color. If you disable or do not configure this policy setting, you allow users to change the default window frame color. Note: ...

oval:org.secpod.oval:def:56185
This policy setting controls the Start background visuals. If you enable this policy setting, the Start background will use a solid color. If you disable or do not configure this policy setting, the Start background will use the default visuals. Note: If this policy setting is enabled, users can ...

oval:org.secpod.oval:def:56111
Prevent the Start layout group from syncing to and from this PC. This turns off and disables the Start layout group on the sync your settings page in PC settings. If you enable this policy setting, the Start layout group will not be synced. Use the option Allow users to turn start ...

oval:org.secpod.oval:def:56357
This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration for Standard User Lockout Duration equals this value, all stand ...

oval:org.secpod.oval:def:56108
Specifies whether or not the local access only network icon will be shown. When enabled, the icon for Internet access will be shown in the system tray even when a user is connected to a network with local access only. If you disable this setting or do not configure it, the local access only icon w ...

oval:org.secpod.oval:def:56348
This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Ser ...

oval:org.secpod.oval:def:56105
Set the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. If you enable this setting, set the number of seconds you want the system to wait until a reboot. If you disable or do not configure this setting, the s ...

oval:org.secpod.oval:def:56347
This policy setting allows pinning apps to Start by default, when they are included by AppID on the list. If you enable this setting, all the AppID in the list are pinned to Start. If you disable or do not configure this setting, no apps are specifically pinned to Start. Fix: (1) GPO: Computer C ...

oval:org.secpod.oval:def:56363
This setting determines the behavior of the Windows Error Reporting queue. If Queuing behavior is set to Default, Windows will decide each time a problem occurs whether the report should be queued or the user should be prompted to send it immediately. If Queuing behavior is set to Always queue, all ...

oval:org.secpod.oval:def:56362
Prevent syncing to and from this PC. This turns off and disables the sync your settings switch on the sync your settings page in PC Settings. If you enable this policy setting, sync your settings will be turned off, and none of the sync your setting groups will be synced on this PC. Use the option ...

oval:org.secpod.oval:def:56367
This policy setting allows you to specify KDC proxy servers for DNS suffix names. If you enable this policy setting, you can view and change the list of proxy servers configured for DNS suffix names as defined by Group Policy. To view the list of mappings, enable the policy setting and then click t ...

oval:org.secpod.oval:def:56124
This policy setting configures whether or not removable data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) operating systems. If this policy ...

oval:org.secpod.oval:def:56119
Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here minus zero to twenty percent of the hours specified. For example, if this policy is used to specify a 20 hour detection f ...

oval:org.secpod.oval:def:56118
This policy setting allows you to set the hardening level of the Windows Remote Management (WinRM) service with regard to channel binding tokens. If you enable this policy setting, the WinRM service uses the level specified in HardeningLevel to determine whether or not to accept a received ...

oval:org.secpod.oval:def:56116
This policy setting controls whether the lock screen appears for users. If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC. If you disable or do not configure this policy setting, users tha ...

oval:org.secpod.oval:def:56128
When running in restricted mode, participating apps do not expose credentials to remote computers (regardless of the delegation method). Restricted mode may limit access to resources located on other servers or networks beyond the target computer because credentials are not delegated. Participating ...

oval:org.secpod.oval:def:56369
Prevent the Other Windows settings group from syncing to and from this PC. This turns off and disables the Other Windows settings group on the sync your settings page in PC settings. If you enable this policy setting, the Other Windows settings group will not be synced. Use the option Allow users ...

oval:org.secpod.oval:def:56380
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is allowed to install. Use this policy setting only when the Prevent installation of devices not described by other policy settings policy setting is enabled. Ot ...

oval:org.secpod.oval:def:56144
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure th ...

oval:org.secpod.oval:def:56385
This policy setting allows you to configure Group Policy caching behavior on Windows Server machines. If you enable this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Gr ...

oval:org.secpod.oval:def:56388
Specifies the amount of time for Automatic Updates to wait before prompting again with a scheduled restart. If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the previous prompt for restart was postponed. If the status is set to Disabled or Not C ...

oval:org.secpod.oval:def:56387
Prevents the user from launching an application from a Tablet PC hardware button. If you enable this policy, applications cannot be launched from a hardware button, and Launch an application is removed from the drop down menu for configuring button actions (in the Tablet PC Control Panel buttons ta ...

oval:org.secpod.oval:def:56306
This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, write access will be denied to this removable storage class. If you disable or do not configure this policy setting, write access will be allowed to ...

oval:org.secpod.oval:def:56308
This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing an autorun command is inserted, the system ...

oval:org.secpod.oval:def:56307
This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protecti ...

oval:org.secpod.oval:def:56323
The registry value entry TCPMaxDataRetransmissions was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 i ...

oval:org.secpod.oval:def:56317
This policy setting prevents redirection of specific USB devices. If you enable this setting, an alternate driver for the USB device cannot be loaded. If you disable or do not configure this setting, an alternate driver for the USB device can be loaded. Fix: (1) GPO: Computer Configuration\Admin ...

oval:org.secpod.oval:def:56319
Determines the execution level for Windows Boot Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Boot Performance p ...

oval:org.secpod.oval:def:56333
Determines the data retention limit for Diagnostic Policy Service (DPS) scenario data. If you enable this policy setting, you must enter the maximum size of scenario data that should be retained in megabytes. Detailed troubleshooting data related to scenarios will be retained until this limit is re ...

oval:org.secpod.oval:def:56100
Turns off Routinely Taking Action. This policy setting allows you to configure whether Windows Defender will automatically take action on all detected threats. The action to be taken on a particular threat will be determined by the combination of the policy-defined action, user-defined action and t ...

oval:org.secpod.oval:def:56341
The Persistent System Timestamp allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. If you enable this setting, the Persistent System Timestamp will be refreshed according to the Timestamp Interval. If ...

oval:org.secpod.oval:def:56345
Specifies the Start screen layout for users. This setting lets you specify the Start screen layout for users and prevents them from changing its configuration. The Start screen layout you specify must be stored in an XML file that was generated by the Export-StartLayout PowerShell cmdlet. To use t ...

oval:org.secpod.oval:def:56102
Prevent the AppSync group from syncing to and from this PC. This turns off and disables the AppSync group on the sync your settings page in PC settings. If you enable this policy setting, the AppSync group will not be synced. Use the option Allow users to turn app syncing on so that syncing it tur ...

oval:org.secpod.oval:def:56344
This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers policy setting is configured. The naming format for servers on this exception list is ...

oval:org.secpod.oval:def:56101
Enables or disables the automatic download of app updates on PCs running Windows 8. If you enable this setting, the automatic download of app updates is turned off. If you disable this setting, the automatic download of app updates is turned on. If you don't configure this setting, the a ...

oval:org.secpod.oval:def:56336
This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. You can use this setting to maintain a user's session-specific temporary folders on a remote computer, even if the user logs off from a session. By default, Remo ...

oval:org.secpod.oval:def:56300
This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protecti ...

oval:org.secpod.oval:def:56612
This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. If you enable this policy s ...

oval:org.secpod.oval:def:56470
Prevents press and hold actions on hardware buttons, so that only one action is available per button. If you enable this policy, press and hold actions are unavailable, and the button configuration dialog will display the following text: Some settings are controlled by Group Policy. If a setting i ...

oval:org.secpod.oval:def:56482
Determines the execution level for Diagnostic Policy Service (DPS) scenarios. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the DPS will detect problems and attempt to determine their root caus ...

oval:org.secpod.oval:def:56489
This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this ...

oval:org.secpod.oval:def:56488
This policy setting denies read access to custom removable storage classes. If you enable this policy setting, read access will be denied to these removable storage classes. If you disable or do not configure this policy setting, read access will be allowed to these removable storage classes. Fi ...

oval:org.secpod.oval:def:56486
Disables visual pen action feedback, except for press and hold feedback. If you enable this policy, all visual pen action feedback is disabled except for press and hold feedback. Additionally, the mouse cursors are shown instead of the pen cursors. If you disable or do not configure this policy, v ...

oval:org.secpod.oval:def:56479
Specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system. If you enable this setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be sig ...

oval:org.secpod.oval:def:56491
This policy setting determines whether the Program Compatibility Assistant (PCA) will diagnose DLL load failures in programs. If you enable this policy setting, the PCA detects programs trying to load legacy Microsoft Windows DLLs that are removed in this version of Windows. When this failure is detec ...

oval:org.secpod.oval:def:56498
Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is available. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcut ...

oval:org.secpod.oval:def:56497
Specifies the amount of time for Automatic Updates to wait before proceeding with a scheduled restart. If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the installation is finished. If the status is set to Disabled or Not Configured, the default ...

oval:org.secpod.oval:def:56676
If this setting is enabled, Windows Error Reporting will not send any problem information to Microsoft. Additionally, solution information will not be available in the Action Center control panel. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Error Report ...

oval:org.secpod.oval:def:56433
This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate network.) In order to view available Web Services printers o ...

oval:org.secpod.oval:def:56425
This policy setting determines the Domain Name System (DNS) suffix devolution level that DNS clients will use, if the clients perform primary DNS suffix devolution in a name resolution process. When DNS suffix devolution is enabled, the leftmost label of a primary DNS suffix is dropped on each succe ...

oval:org.secpod.oval:def:56429
This policy setting allows you to control how BitLocker-protected removable data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The Allow data recovery agent check box is used to specify whether a data recovery agent can b ...

oval:org.secpod.oval:def:56679
This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. If y ...

oval:org.secpod.oval:def:56677
This policy setting allows you to configure the recovery behavior for corrupted files to one of three states: Regular: Detection, troubleshooting, and recovery of corrupted files will automatically start with a minimal UI display. Windows will attempt to present you with a dialog box when a system ...

oval:org.secpod.oval:def:56439
Restricts package point and print to approved servers. This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the Point and Print Restrictions policy that governs the ...

oval:org.secpod.oval:def:56693
This policy setting removes the Work offline command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. If you enable this policy setting, the Work offline command is not displayed in Windows Explorer. If you disable or do not configure ...

oval:org.secpod.oval:def:56692
This policy setting determines whether to require domain users to elevate when setting a network's location. If you enable this policy setting, domain users must elevate when setting a network's location. If you disable or do not configure this policy setting, domain users can se ...

oval:org.secpod.oval:def:56456
This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a definition set GUID. As an e ...

oval:org.secpod.oval:def:56454
This policy setting limits the rate at which detection events for network protection against exploits of known vulnerabilities will be logged. Logging will be limited to not more often than one event per the defined interval. The interval value is defined in minutes. The default interval is 60 minut ...

oval:org.secpod.oval:def:56453
This policy setting allows you to control what information is shared with Bing in Search. If you enable this policy setting, you can specify one of four settings, which users won't be able to change: -User info and location: Share a user's search history, some Microsoft accou ...

oval:org.secpod.oval:def:56447
This policy setting allows you to control the SafeSearch setting used when performing a query in Search. If you enable this policy setting, you can specify one of three SafeSearch settings, which users won't be able to change: -Strict: Filter out adult text, images, and videos from se ...

oval:org.secpod.oval:def:56462
This policy, if defined, will prevent network protection against exploits of known vulnerabilities from inspecting the specified IP addresses. IP addresses should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representa ...

oval:org.secpod.oval:def:56461
This policy setting configures the time in minutes before a detection in the 'critically failed' state moves to either the 'additional action' state or the 'cleared' state. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Reporting!Configure time ...

oval:org.secpod.oval:def:56464
Determines whether scheduled diagnostics will run to proactively detect and resolve system problems. If you enable this policy setting, you must choose an execution level. If you choose detection and troubleshooting only, Windows will periodically detect and troubleshoot problems. The user will be ...

oval:org.secpod.oval:def:56627
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure th ...

oval:org.secpod.oval:def:56642
Prevent the browser group from syncing to and from this PC. This turns off and disables the browser group on the sync your settings page in PC settings. The browser group contains settings and info like history and favorites. If you enable this policy setting, the browser group, including info like ...

oval:org.secpod.oval:def:56641
Prevent the personalize group from syncing to and from this PC. This turns off and disables the personalize group on the sync your settings page in PC settings. If you enable this policy setting, the personalize group will not be synced. Use the option Allow users to turn personalize syncing on so ...

oval:org.secpod.oval:def:56635
This policy setting configures how Windows Search adds shared folders to the search index. If you enable this policy setting, Windows Search is prevented from automatically adding shared folders to the index. Windows Search does not automatically add shares created on the computer to the scope of t ...

oval:org.secpod.oval:def:56633
This policy setting applies to applications using the Cred SSP component (for example: Terminal Server). This policy applies when server authentication was achieved via a trusted X509 certificate or Kerberos. If you enable this policy setting you can specify the servers to which the user' ...

oval:org.secpod.oval:def:56412
Determines the execution level for Windows System Responsiveness Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows System Respon ...

oval:org.secpod.oval:def:56665
Prevents users from changing the look of their start menu background, such as its color or accent. By default, users can change the look of their start menu background, such as its color or accent. If you enable this setting, the user will not be able to change the look of their start menu backgro ...

oval:org.secpod.oval:def:56658
This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Audit and block events are recorded on this computer in th ...

oval:org.secpod.oval:def:56415
This policy setting allows you to configure Group Policy caching behavior. If you enable or do not configure this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When G ...

oval:org.secpod.oval:def:56413
The registry value entry NoDefaultExempt was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\ registry key. The entry appears as MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic in the SCE. The default exemptions to ...

oval:org.secpod.oval:def:56419
Switches the gesture set used for editing from the common handheld computer gestures to the Simplified Chinese (PRC) standard gestures. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. ...

oval:org.secpod.oval:def:56417
This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer. This policy setting only applies to Enhanced Storage devices that support a Certificate Authentication Silo. If you enable this policy setting, only Enhan ...

oval:org.secpod.oval:def:56720
This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The Allow data recovery agent check box is used to specify whether a data recovery agent can be us ...

oval:org.secpod.oval:def:56710
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure th ...

oval:org.secpod.oval:def:56715
This policy setting allows you to set the encryption types that Kerberos is allowed to use. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Fix: (1) GPO: Computer Configuration\W ...

oval:org.secpod.oval:def:56714
This policy setting determines whether the Program Compatibility Assistant (PCA) will diagnose DLL load or COM object creation failures in programs. If you enable this policy setting, the PCA detects programs trying to create legacy COM objects that are removed in this version of Windows. When this ...

oval:org.secpod.oval:def:56719
This policy setting applies to applications using the Cred SSP component (for example: Terminal Server). If you enable this policy setting you can specify the servers to which the user's fresh credentials can NOT be delegated (fresh credentials are those that you are prompted for when exec ...

oval:org.secpod.oval:def:56718
This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network healt ...

oval:org.secpod.oval:def:56723
Specifies whether to show the Did you know? section of Help and Support Center. This content is dynamically updated when users who are connected to the Internet open Help and Support Center, and provides up-to-date information about Windows and the computer. If you enable this setting, the Help an ...

oval:org.secpod.oval:def:56721
If enabled, Search and Indexing Options in Control Panel does not allow opening the Advanced Options dialog. Otherwise it can be opened. Disabled by default. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Search!Prevent displaying advanced indexing options in Cont ...

oval:org.secpod.oval:def:56598
Makes pen flicks learning mode unavailable. If you enable this policy, pen flicks are still available but learning mode is not. Pen flicks are off by default and can be turned on system-wide, but cannot be restricted to learning mode applications. This means that the pen flicks training triggers in ...

oval:org.secpod.oval:def:56553
This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed. By default, the valu ...

oval:org.secpod.oval:def:56552
This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there is a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scanning could be slowed. Reparse point scanning is disabled by d ...

oval:org.secpod.oval:def:56548
This policy setting allows you to improve performance in low bandwidth scenarios. This setting is incrementally scaled from No optimization to Full optimization. Each incremental setting includes the previous optimization setting. For example: Turn off background will include the following optimi ...

oval:org.secpod.oval:def:56562
This policy setting determines the amount of time before previously scheduled Automatic Update installations will proceed after system startup. If you configure this policy setting to Enabled, a previously scheduled installation will begin after a specified number of minutes when you next start the ...

oval:org.secpod.oval:def:56566
This policy setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources. For example: {\\unc1 | \\unc2 }. ...

oval:org.secpod.oval:def:56564
This policy setting allows you to define the number of days after which a catch-up definition update will be required. By default, the value of this setting is 1 day. If you enable this setting, a catch-up definition update will occur after the specified number of days. If you disable or do not co ...

oval:org.secpod.oval:def:56559
This policy setting allows you to configure definition updates when the computer is running on battery power. If you enable or do not configure this setting, definition updates will occur as usual regardless of power state. If you disable this setting, definition updates will be turned off while t ...

oval:org.secpod.oval:def:56556
This policy setting allows words that contain diacritic characters to be treated as separate words. If you enable this policy setting, words that only differ in diacritics are treated as different words. If you disable this policy setting, words with diacritics and words without diacritics are treat ...

oval:org.secpod.oval:def:56573
This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). Tracing levels are defined as: 1 - Error, 2 - Warning, 3 - Info, 4 - Debug. If you enable this setting, you can configure the WPP Software Tracing level. If you disable this setting, you ...

oval:org.secpod.oval:def:56572
This policy setting configures the time in minutes before a detection in the additional action state moves to the cleared state. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Reporting!Configure time out for detections requiring additional action ...

oval:org.secpod.oval:def:56570
This policy setting configures the time in minutes before a detection in the non-critically failed state moves to the cleared state. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Reporting!Configure time out for detections in non-critical failed ...

oval:org.secpod.oval:def:56576
This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule ...

oval:org.secpod.oval:def:56574
This policy configures Windows software trace preprocessor (WPP Software Tracing) components. If you enable this setting, you can configure the Windows software trace preprocessor components. If you disable this setting, you cannot configure the Windows software trace preprocessor components. Fi ...

oval:org.secpod.oval:def:56568
This policy setting configures the time in minutes before a detection in the completed state moves to the cleared state. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Reporting!Configure time out for detections in recently remediated state (2) R ...

oval:org.secpod.oval:def:56580
This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule i ...

oval:org.secpod.oval:def:56588
This policy setting applies to applications using the Cred SSP component (for example: Terminal Server). This policy applies when server authentication was achieved via a trusted X509 certificate or Kerberos. If you enable this policy setting you can specify the servers to which the user' ...

oval:org.secpod.oval:def:56506
This policy setting applies to applications using the Cred SSP component (for example: Terminal Server). This policy applies when server authentication was achieved via NTLM. If you enable this policy setting you can specify the servers to which the user's fresh credentials can be delegat ...

oval:org.secpod.oval:def:56514
Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links: Local Link to a Local Target, Local Link to a Remote Target, Remote Link to Remote Target, Remote Link to Local Target. F ...

oval:org.secpod.oval:def:56533
This policy setting allows you to define the number of days that must pass before spyware definitions are considered out of date. If definitions are determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a ...

oval:org.secpod.oval:def:56531
This policy setting allows you to define the number of days that must pass before virus definitions are considered out of date. If definitions are determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a w ...

oval:org.secpod.oval:def:56530
Prevents the Tablet PC Input Panel from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or ...

oval:org.secpod.oval:def:56540
This policy setting allows you to specify an interval at which to check for definition updates. The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day). If you enable this setting, checks for definition updates will occ ...

oval:org.secpod.oval:def:56537
This policy setting allows you to specify the day of the week on which to check for definition updates. The check can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: (0x0) Every Day (default), (0x1) Sunday, (0x2) Mon ...

oval:org.secpod.oval:def:56536
This policy setting allows you to define the order in which different definition update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources in order. Possible values are: 'InternalDefinitionUpdateServer', 'Micr ...

oval:org.secpod.oval:def:56534
This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). If you enable this policy setting, the Kerberos client will search the forests in this list if it is unable to resolve a two-part SPN. If a ...

oval:org.secpod.oval:def:56538
This policy setting allows you to specify the time of day at which to check for definition updates. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default this setting is configured to check for definition updates 1 ...

oval:org.secpod.oval:def:56840
This policy setting allows you to manage whether HotStart buttons can be used to launch applications. If you enable this policy setting, applications cannot be launched using the HotStart buttons. If you disable or do not configure this policy setting, applications can be launched using the HotSta ...

oval:org.secpod.oval:def:56832
This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, read access will be denied to this removable storage class. If you disable or do not configure this policy setting, read access will be allowed to th ...

oval:org.secpod.oval:def:56838
This policy prevents a shortcut icon for the Player from being added to the user's desktop. When this policy is not configured or disabled, users can choose whether to add the Player shortcut icon to their desktops. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Co ...

oval:org.secpod.oval:def:56837
Prevents Input Panel tab from appearing on the edge of the Tablet PC screen. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. If you enable this policy, Input Panel tab will not appea ...

oval:org.secpod.oval:def:56835
This policy setting allows you to manage whether Windows Remote Management (WinRM) client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. If you enable this policy setting, the WinRM client uses the list specified in TrustedHostsList to determin ...

oval:org.secpod.oval:def:56839
This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs). If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in t ...

oval:org.secpod.oval:def:56850
The Display warning message before sharing control policy setting allows you to specify a custom message to display before a user shares control of his or her computer. The Display warning message before connecting policy setting allows you to specify a custom message to display before a user allow ...

oval:org.secpod.oval:def:56845
Prevents video smoothing from occurring. This policy prevents video smoothing, which can improve video playback on computers with limited resources, from occurring. In addition, the Use Video Smoothing check box in the Video Acceleration Settings dialog box in the Player is cleared and is not avail ...

oval:org.secpod.oval:def:56860
This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. If you enable this setting, window animations will be turned off. If you disable or do not configure this setting, window animations will be turned on. Changing ...

oval:org.secpod.oval:def:56853
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this pol ...

oval:org.secpod.oval:def:56801
This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 Wi-Fi, through the Windows Portable Device API (WPD), and via USB Flash drives. Additiona ...

oval:org.secpod.oval:def:56812
This policy setting allows you to control a user's ability to invoke a computer policy refresh. If you enable this policy setting, users are not able to invoke a refresh of computer policy. Computer policy will still be applied at startup or when an official policy refresh occurs. If you ...

oval:org.secpod.oval:def:56816
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Win ...

oval:org.secpod.oval:def:56818
Prevent the passwords group from syncing to and from this PC. This turns off and disables the passwords group on the sync your settings page in PC settings. If you enable this policy setting, the passwords group will not be synced. Use the option Allow users to turn passwords syncing on so that sy ...

oval:org.secpod.oval:def:56871
This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. If you enable this setting, items will be removed from the Quarantine folder after the number of days specified. If you disable or do not configure this setting, items will be kept in ...

oval:org.secpod.oval:def:56882
This policy setting allows a Server for NIS administrator to configure an update interval for pushing Network Information Service (NIS) maps to NIS subordinate servers. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Server for NIS!Set the map update interval for N ...

oval:org.secpod.oval:def:56878
Prevents start of Windows Journal. If you enable this policy, the Windows Journal accessory will not run. If you disable this policy, the Windows Journal accessory will run. If you do not configure this policy, the Windows Journal accessory will run. Fix: (1) GPO: Computer Configuration\Adminis ...

oval:org.secpod.oval:def:56876
Allows you to view and change a list of DCOM server application ids (appids) which are exempted from the DCOM Activation security check. DCOM uses two such lists, one configured via Group Policy through this policy setting, and the other via the actions of local computer administrators. DCOM ignores ...

oval:org.secpod.oval:def:56879
This policy setting allows you to configure monitoring for incoming and outgoing files, without having to turn off monitoring entirely. It is recommended for use on servers where there is a lot of incoming and outgoing file activity but for performance reasons need to have scanning disabled for a pa ...

oval:org.secpod.oval:def:56891
This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning. If you enable this setting, archive files less than ...

oval:org.secpod.oval:def:56890
This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives. If you choose to permit the use of a password, you can require that a password be used, enforce complexity requirements on the password, and configure a minimum length for the password. For ...

oval:org.secpod.oval:def:56895
This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttling of CPU utilization. The default value is 50. If ...

oval:org.secpod.oval:def:56889
This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval quick scans will not occur. By default, this setting ...

oval:org.secpod.oval:def:56888
This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLock ...

oval:org.secpod.oval:def:56886
This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: (0x0) Every Day, (0x1) Sunday, (0x2) Monday, (0x3) Tuesd ...

oval:org.secpod.oval:def:56899
Determines the execution level for Windows Standby/Resume Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/ ...

oval:org.secpod.oval:def:56898
This policy setting allows you to customize which automatic remediation action will be taken for each threat alert level. Threat alert levels should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a threat alert level. The value contains ...

oval:org.secpod.oval:def:56950
This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation. The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: (0x0) Every Day ...

oval:org.secpod.oval:def:56944
This policy setting allows you to manage BitLocker's use of hardware-based encryption on fixed data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or w ...

oval:org.secpod.oval:def:56943
This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do ...

oval:org.secpod.oval:def:56947
This policy setting allows you to manage BitLocker's use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading ...

oval:org.secpod.oval:def:56946
This policy setting controls whether raw volume write notifications are sent to behavior monitoring. If you enable or do not configure this setting, raw write notifications will be enabled. If you disable this setting, raw write notifications will be disabled. Fix: (1) GPO: Computer Configuration\Adm ...

oval:org.secpod.oval:def:56945
This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker. When this policy setting is enabled you can select property settings that control how users can configure BitLocker. Choose Allow users to apply BitLocker protectio ...

oval:org.secpod.oval:def:56961
This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client, such as the issuers in the client's Third- ...

oval:org.secpod.oval:def:56960
Flip3D is a 3D window switcher. If you enable this setting, Flip3D will be inaccessible. If you disable or do not configure this policy setting, Flip3D will be accessible, if desktop composition is turned on. Changing this setting will require a logoff for it to be applied. Fix: (1) GPO: Comput ...

oval:org.secpod.oval:def:56953
This policy removes the end-user notification for new application associations. These associations are based on file types (e.g. *.txt) or protocols (e.g. http:). If this group policy is enabled, no notifications will be shown. If the group policy is not configured or disabled, notifications will be ...

oval:org.secpod.oval:def:56973
This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with programs under User Account Control (UAC). If you enable this policy setting, the PCA detects programs that failed to launch child processes that are installers (typically updaters). When this failure ...

oval:org.secpod.oval:def:56966
Driver compatibility settings. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Device and Driver Compatibility!Driver compatibility settings (2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\Compatibility!DisableDriverShims

oval:org.secpod.oval:def:56965
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and ...

oval:org.secpod.oval:def:56967
This policy restricts users on a machine to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will b ...

oval:org.secpod.oval:def:56980
This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Win ...

oval:org.secpod.oval:def:56982
Prevents the snipping tool from running. If you enable this policy setting, the Snipping Tool will not run. If you disable this policy setting, the Snipping Tool will run. If you do not configure this policy setting, the Snipping Tool will run. Fix: (1) GPO: Computer Configuration\Administrativ ...

oval:org.secpod.oval:def:56979
Determines the execution level for Windows Shutdown Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Shutdown Perfo ...

oval:org.secpod.oval:def:56978
This setting controls the behavior of the Windows Error Reporting archive. If Archive behavior is set to Store all, all data collected for each report will be stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for a ...

oval:org.secpod.oval:def:56902
This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type options are: 1 = Quick Scan (default) 2 = Full Scan If you enable this setting, the scan type will be set to the specified value. If you disable or do not configure this setting, the default scan type ...

oval:org.secpod.oval:def:56908
If you enable this policy, a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the login screen for at least two days. The restart timer can be configured to start with any value from 15 to 180 minutes. When the timer ru ...

oval:org.secpod.oval:def:56909
This policy setting customizes which remediation action will be taken for each listed Threat ID when it is detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid Threat ID, while the value contains t ...

oval:org.secpod.oval:def:56910
This policy setting configures whether or not fixed data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) operating systems. If this policy sett ...

oval:org.secpod.oval:def:56914
This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan. This setting applies to scheduled scans as well as the command line mpcmdrun -SigUpdate, but it has no effect on scans initiated manually from the user interface. If you ...

oval:org.secpod.oval:def:56912
This policy setting allows you to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer. If you enable this policy setting smart cards can be used to authenticate user access to the drive. You can require a smart card authenti ...

oval:org.secpod.oval:def:56935
This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned. If you enable this setting, downloaded files and attachments smaller than the size specified will be scanned. If you disable or do not configure this setting, a default size will b ...

oval:org.secpod.oval:def:57001
This policy restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy does not change the existing system locale; however, the next time that an admin attempts to change the machine's system locale they w ...

oval:org.secpod.oval:def:57006
This policy setting allows you to audit incoming NTLM traffic. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Audit events are recorded on this computer in the Operational Log located under the Applications and Services Log/Microsoft/Windows/NTLM. This policy sett ...

oval:org.secpod.oval:def:57005
Specifies whether Windows Update will use the Windows Power Management features to automatically wake up the system from hibernation, if there are updates scheduled for installation. Windows Update will only automatically wake up the system if Windows Update is configured to install updates aut ...

oval:org.secpod.oval:def:57003
This policy setting applies to applications using the Cred SSP component (for example: Terminal Server). If you enable this policy setting you can specify the servers to which the user's default credentials can NOT be delegated (default credentials are those that you use when first logging ...

oval:org.secpod.oval:def:57013
This policy setting allows you to control whether users see the first sign-in animation when signing in to the PC for the first time. If you enable this policy setting, users will see the animation. If you disable this policy setting, users will not see the animation. If you don't config ...

oval:org.secpod.oval:def:57012
This policy setting determines whether the Program Compatibility Assistant (PCA) will diagnose failures with application installers that are not detected to run as administrator. If you enable this policy setting, the PCA is configured to detect application installers which do not have privileges t ...

oval:org.secpod.oval:def:57017
This policy setting allows you to audit NTLM authentication in a domain from this domain controller. This policy is supported on at least Windows Server 2008 R2. Note: Audit events are recorded on this computer in the Operational Log located under the Applications and Services Log/Microsoft/Window ...

oval:org.secpod.oval:def:57016
Turn off Tablet PC touch input Turns off touch input, which allows the user to interact with their computer using their finger. If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, ...

oval:org.secpod.oval:def:57015
If enabled then only those sessions that are configured for mutual CHAP may be established. If disabled then sessions that are configured for mutual CHAP or sessions not configured for mutual CHAP may be established. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\iSCSI\iSCSI ...

oval:org.secpod.oval:def:57007
This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. When the policy setting is enabled: -Windows XP and l ...

oval:org.secpod.oval:def:57020
Determines the execution level for Windows Resource Exhaustion Detection and Resolution. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Re ...

oval:org.secpod.oval:def:57018
Allows user-based policy processing, roaming user profiles, and user object logon scripts for interactive logons across forests. This setting affects all user accounts that interactively log on to a computer in a different forest when a trust across forests or a two-way forest trust exists. When t ...

oval:org.secpod.oval:def:56799
Enables installation, modification, and removal of Windows updates and optional components. If this service is disabled, install or uninstall of Windows updates might fail for this computer. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Windows Modules Ins ...

oval:org.secpod.oval:def:56993
Enabling this setting will cause the Group Policy Client to connect to the same domain controller for DFS shares as is being used for Active Directory. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Group Policy!Enable AD/DFS domain controller synchronization during policy re ...

oval:org.secpod.oval:def:56746
This policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy does not affect interactive logon to this domain controller. ...

oval:org.secpod.oval:def:56986
This policy setting allows you to set the refresh interval for Server Manager. Each refresh provides Server Manager with updated information about which server roles and features are installed and configured on the specified server. Server Manager also monitors the status of roles and features insta ...

oval:org.secpod.oval:def:56999
This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SM ...

oval:org.secpod.oval:def:56756
This is a machine-specific setting which applies to any user who logs onto the specified machine while this policy is in effect. This policy is in effect when a network folder is determined, as specified by the "Configure slow-link mode" policy, to be in "slow-link" mode. For network folders in sl ...

oval:org.secpod.oval:def:56997
Prevent the app settings group from syncing to and from this PC. This turns off and disables the app settings group on the sync your settings page in PC settings. If you enable this policy setting, the app settings group will not be synced. Use the option Allow users to turn app settings syncing o ...

oval:org.secpod.oval:def:56754
This policy setting allows you to enter a keep-alive interval to ensure that the session state on the RD Session Host server is consistent with the client state. After an RD Session Host server client loses the connection to an RD Session Host server, the session on the RD Session Host server might ...

oval:org.secpod.oval:def:56996
This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer. If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier speci ...

oval:org.secpod.oval:def:56780
This policy setting controls the default color for window frames when the user does not specify a color. If you enable this policy setting and specify a default color, this color will be used in glass window frames, if the user has not specified a color. If you disable or do not configure this pol ...

oval:org.secpod.oval:def:56784
This policy setting determines which users or groups might launch or activate DCOM applications remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications. You can use this Group Policy setting to grant access to all the computers to particular use ...

oval:org.secpod.oval:def:57082
This policy setting denies write access to custom removable storage classes. If you enable this policy setting, write access will be denied to these removable storage classes. If you disable or do not configure this policy setting, write access will be allowed to these removable storage classes. ...

oval:org.secpod.oval:def:57087
Prevents media sharing from Windows Media Player. This policy prevents any user on this computer from sharing digital media content from Windows Media Player with other computers and devices that are on the same network. When this policy is disabled or not configured, anyone using Windows Media Pla ...

oval:org.secpod.oval:def:57046
This policy setting prevents users from making network files and folders available offline. If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated ...

oval:org.secpod.oval:def:57044
This policy setting allows you to deny or allow incoming NTLM traffic. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Block events are recorded on this computer in the Operational Log located under the Applications and Services Log/Microsoft/Windows/NTLM. This pol ...

oval:org.secpod.oval:def:57048
Makes pen flicks and all related features unavailable. If you enable this policy, pen flicks and all related features are unavailable. This includes: pen flicks themselves, pen flicks training, pen flicks training triggers in Internet Explorer, the pen flicks notification and the pen flicks tray ic ...

oval:org.secpod.oval:def:57060
The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer. If you enable this setting and choose Always from the drop ...

oval:org.secpod.oval:def:57062
This Group Policy setting should be set on Windows clients to enable access-denied assistance for all file types. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Access-Denied Assistance!Enable access-denied assistance on client for all file types (2) REG: HKEY_LOCAL_MACHINE\ ...

oval:org.secpod.oval:def:57075
Turns off Tablet PC hardware buttons. If you enable this policy, no actions will occur when the buttons are pressed, and the buttons tab in Tablet PC Control Panel will be removed. If you disable this policy, user and OEM defined button actions will occur when the buttons are pressed. If you do n ...

oval:org.secpod.oval:def:57118
The registry value entry TCPMaxDataRetransmissions for IPv6 was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\ registry key. The entry appears as MSS: (TcpMaxDataRetransmissions) IPv6 How many times unacknowledged data is retransmitted (3 re ...

oval:org.secpod.oval:def:57141
Transfers files in the background using idle network bandwidth. If the service is disabled, then any applications that depend on BITS, such as Windows Update or MSN Explorer, will be unable to automatically download programs and other information. Fix: (1) GPO: Computer Configuration\Windows Setti ...

oval:org.secpod.oval:def:57142
Enables a user connection request to be routed to the appropriate Remote Desktop Session Host server in a cluster. If this service is stopped, connection requests will be routed to the first available server. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!R ...

oval:org.secpod.oval:def:57147
Do Not Show First Use Dialog Boxes This policy prevents the Privacy Options and Installation Options dialog boxes from being displayed the first time a user starts Windows Media Player. This policy prevents the dialog boxes which allow users to select privacy, file types, and other desktop options ...

oval:org.secpod.oval:def:57151
Prevents users from being prompted to update Windows Media Player. This policy prevents the Player from being updated and prevents users with administrator rights from being prompted to update the Player if an updated version is available. The Check for Player Updates command on the Help menu in th ...

oval:org.secpod.oval:def:57155
Determines whether the RPC protocol messages used by the VSS for SMB2 File Shares feature are enabled. The VSS for SMB2 File Shares feature enables VSS-aware backup applications to perform application-consistent backup and restore of VSS-aware applications storing data on SMB2 File Shares. By default, the ...

oval:org.secpod.oval:def:57110
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is used for background transfers. If you enable this set ...

oval:org.secpod.oval:def:57161
This policy setting applies to applications using the Cred SSP component (for example: Terminal Server). This policy applies when server authentication was achieved via NTLM. If you enable this policy setting you can specify the servers to which the user's saved credentials can be delegat ...

oval:org.secpod.oval:def:57182
This policy setting allows an administrator to set the number of password synchronization retries that Password Synchronization can attempt, in the event a synchronization attempt fails. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Password Synchronization!Set t ...

oval:org.secpod.oval:def:57190
The registry value entry SafeDllSearchMode was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ registry key. The entry appears as MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) in the SCE. The DLL search order can be config ...

oval:org.secpod.oval:def:57195
The registry value entry ScreenSaverGracePeriod was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ registry key. The entry appears as MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 ...

oval:org.secpod.oval:def:57036
This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an unmanaged network (when the computer is not able to reach a domain controller, e.g. a domain-joined laptop on a home network.) If this setting is disabled, the network scan pa ...

oval:org.secpod.oval:def:57220
This policy setting allows you to turn off the Autoplay feature. Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately. Prior to Windows XP SP2, Autoplay is disabled ...

oval:org.secpod.oval:def:57217
This policy setting allows you to specify which DNS host names and which DNS suffixes are mapped to a Kerberos realm. If you enable this policy setting, you can view and change the list of DNS host names and DNS suffixes mapped to a Kerberos realm as defined by Group Policy. To view the list of map ...

oval:org.secpod.oval:def:57216
This policy setting controls configuring the device's Active Directory account for compound authentication. Support for providing compound authentication which is used for access control will require enough domain controllers in the resource account domains to support the requests. The Dom ...

oval:org.secpod.oval:def:82095
Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (in ...

oval:org.secpod.oval:def:82089
Configures password parameters Password complexity: which characters are used when generating a new password Default: Large letters + small letters + numbers + special characters Password length Minimum: 8 characters Maximum: 64 characters Default: 14 characters Passw ...

oval:org.secpod.oval:def:85626
This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: * Not contain the user's account name or parts of the user's full name that exceed two consecutive characters * Be at least six chara ...

oval:org.secpod.oval:def:85624
This setting controls the maximum password age that a machine account may have. This security setting determines how often a domain member will attempt to change its computer account password. Default: 30 days. Important This setting applies to Windows 2000 computers, but it is not available thr ...

oval:org.secpod.oval:def:85615
This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password.

oval:org.secpod.oval:def:82103
Specifies that link local multicast name resolution (LLMNR) is disabled on client computers. LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet ...

oval:org.secpod.oval:def:82129
This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. If you enable this policy setting, the task "Order Prints Online" ...

oval:org.secpod.oval:def:85637
Simple TCP/IP Services must not be installed on the system.

oval:org.secpod.oval:def:85632
Local volumes must be formatted using NTFS.

oval:org.secpod.oval:def:85639
Windows Server 2019 must not have the Peer Name Resolution Protocol installed.

oval:org.secpod.oval:def:85642
Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization.

oval:org.secpod.oval:def:85623
The "Enforce user logon restrictions" policy should be set correctly.

oval:org.secpod.oval:def:85628
To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requiremen ...

oval:org.secpod.oval:def:85613
The 'Configure Windows NTP Client\NtpServer' option should be configured correctly.

oval:org.secpod.oval:def:85616
This setting determines whether passwords are stored using reversible encryption.

oval:org.secpod.oval:def:85643
Windows Server 2019 must not have the Fax Server role installed.

oval:org.secpod.oval:def:85612
This policy setting allows users to have their feeds authenticated using the Basic authentication scheme over an unencrypted HTTP connection. If you enable this policy setting, the RSS Platform will authenticate to servers using the Basic authentication scheme in combination with an insecure HTTP c ...

oval:org.secpod.oval:def:85621
The maximum tolerance for computer clock synchronization for Kerberos should be set appropriately.

oval:org.secpod.oval:def:85620
The maximum lifetime for Kerberos user ticket renewal should be set appropriately.

oval:org.secpod.oval:def:85635
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Th ...

oval:org.secpod.oval:def:85618
This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights: Act as part of the operating system, Back up files and directories, Create a token object, Debug programs, Enable computer and user accounts to be trusted for ...

oval:org.secpod.oval:def:85630
The Windows PowerShell 2.0 feature must be disabled on the system.

oval:org.secpod.oval:def:85644
The Microsoft Windows Server 2019 Operating System is at a supported servicing level.

oval:org.secpod.oval:def:85629
To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure that the trust chain is established for server certificates issued from the DoD CAs.

oval:org.secpod.oval:def:85627
The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store on unclassified systems.

oval:org.secpod.oval:def:85622
The maximum lifetime for Kerberos user tickets should be set appropriately.

oval:org.secpod.oval:def:85636
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Th ...

oval:org.secpod.oval:def:85617
The "Maximum Service Ticket Lifetime" policy should be set correctly.

oval:org.secpod.oval:def:85631
The Server Message Block (SMB) v1 protocol must be disabled on the system.

oval:org.secpod.oval:def:85641
Windows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access.

oval:org.secpod.oval:def:85614
Telnet Client is used to connect to a remote machine by using the Telnet protocol. Telnet Client allows a computer to connect to a remote Telnet server and run applications on that server. Once logged on, a user is given a command prompt that can be used as if it had been opened locally on the Telnet ...

oval:org.secpod.oval:def:85634
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Th ...

oval:org.secpod.oval:def:85638
Hides the Preview Pane in File Explorer. If you enable this policy setting, the Preview Pane in File Explorer is hidden and cannot be turned on by the user. If you disable, or do not configure this setting, the Preview Pane is hidden by default and can be displayed by the user. Fix: (1) GPO: ...

oval:org.secpod.oval:def:85633
Some protocols and services do not support required security features, such as encrypting passwords or traffic.

oval:org.secpod.oval:def:85640
Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion.

oval:org.secpod.oval:def:56745
Provides four management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; Automatic Root Certificate Update ...

oval:org.secpod.oval:def:57201
Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Se ...

oval:org.secpod.oval:def:56313
This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. This option determines if this computer can receive unicast responses to multicast or broadcast messages that it initiates. Unsolicited unicast responses ar ...

oval:org.secpod.oval:def:56797
This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. This setting controls whether local administrators are allowed to create connection security rules that apply with other ...

oval:org.secpod.oval:def:56609
This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member will request encryption of all secure channel traffic. If you disable this policy setting, the domain m ...

oval:org.secpod.oval:def:56423
This setting lets you prevent users from selecting a network location for storing backups. If this setting is enabled, users will be blocked from selecting a network location as a backup location. If this setting is disabled or not configured, users can select a network location as a backup locati ...

oval:org.secpod.oval:def:57097
This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the client computer keyboard require this user right. Users who attempt to log on through Terminal Services or IIS also require ...

oval:org.secpod.oval:def:57024
This setting specifies whether the computer will act as a BITS peercaching server. By default, when BITS peercaching is enabled, the computer acts as both a peercaching server (offering files to its peers) and a peercaching client (downloading files from its peers). If you enable this setting, the ...

oval:org.secpod.oval:def:56518
This setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor. Non-administrator updates provide a mechanism for the author of an application to create digitally signed updates that can be applied by non-privileged users. If yo ...

oval:org.secpod.oval:def:56941
This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware which could start when real-time protection is turned off. If you enable or do not configure this setting, a process scan will be initiated when real-time protection is ...

oval:org.secpod.oval:def:56597
This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for this policy setting is 42 days. Because attackers can crack passwords, the ...

oval:org.secpod.oval:def:56736
The Kerberos Key Distribution Center service enables users to log on to the network and be authenticated by the Kerberos version 5 (v5) authentication protocol. As in other implementations of the Kerberos protocol, the Kerberos Key Distribution Center (KDC) is a single process that provides two ser ...

oval:org.secpod.oval:def:56690
LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, th ...

oval:org.secpod.oval:def:57035
Specify if Windows should enable the desktop background slideshow. If you enable this policy setting, desktop background slideshow is enabled. If you disable this policy setting, the desktop background slideshow is disabled. If you do not configure this setting, users can see and change this sett ...

oval:org.secpod.oval:def:57037
This policy setting turns off Windows SideShow. If you enable this policy setting, the Windows SideShow Control Panel will be disabled and data from Windows SideShow-compatible gadgets (applications) will not be sent to connected devices. If you disable or do not configure this policy setting, Win ...

oval:org.secpod.oval:def:56210
Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. If this policy setting is enabled, IDNs are not converted to Punycode. If this policy setting is disabled, or if this polic ...

oval:org.secpod.oval:def:56884
This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. If you enable this setting, removable drives will be scanned during any type of scan. If you disable ...

oval:org.secpod.oval:def:56867
This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. ...

oval:org.secpod.oval:def:56806
This policy setting allows users to install programs from removable media during privileged installations. If you enable this policy setting, all users are permitted to install programs from removable media, such as floppy disks and CD-ROMs, even when the installation program is running with elevat ...

oval:org.secpod.oval:def:56577
Windows Internet Name Service (WINS) enables NetBIOS name resolution. The presence of the WINS server(s) is crucial for locating the network resources identified by using NetBIOS names. WINS servers are required unless all domains have been migrated to Active Directory and all servers on the network ...

oval:org.secpod.oval:def:56926
This policy setting allows you to configure scanning mapped network drives. If you enable this setting, mapped network drives will be scanned. If you disable or do not configure this setting, mapped network drives will not be scanned. Fix: (1) GPO: Computer Configuration\Administrative Templates ...

oval:org.secpod.oval:def:56901
This policy setting prohibits access to Windows Connect Now (WCN) wizards. If this policy setting is enabled, the wizards are disabled and users will have no access to any of the wizard tasks. All the configuration related tasks, including 'set up a wireless router or access point' and 'Add a wirele ...

oval:org.secpod.oval:def:57162
This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy ...

oval:org.secpod.oval:def:57139
This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial of service (DoS) attack. When configuring a user ri ...

oval:org.secpod.oval:def:56481
This policy setting determines whether Windows PowerShell scripts will run before non-PowerShell scripts during user logon and logoff. By default, PowerShell scripts run after non-PowerShell scripts. If you enable this policy setting, within each applicable Group Policy object (GPO), PowerShell scr ...

oval:org.secpod.oval:def:56708
Enable this policy to prevent Windows Search from automatically adding shared folders to the index. If enabled, Windows Search will not automatically add shares created on the computer to the scope of the index. If not configured or disabled, Windows Search will monitor which folders are shared or u ...

oval:org.secpod.oval:def:56921
This policy setting allows you to minimize the risk involved when a packaged app launches the default app for a file. Because desktop apps run at a higher integrity level than packaged apps, there is a risk that a packaged app could compromise the system by launching a file in a desktop app. If you ...

oval:org.secpod.oval:def:57126
Requirements: At least Windows 7 Description: This policy setting controls whether users can access the options in Recovery (in Control Panel) to restore the computer to the original state or from a user-created system image. If you enable or do not configure this policy setting, the items ...

oval:org.secpod.oval:def:57137
Helps the computer run more efficiently by optimizing files on storage drives. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Optimize drives (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\defragsvc!Start

oval:org.secpod.oval:def:56131
This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows. If you disable or don't configure this poli ...

oval:org.secpod.oval:def:56428
Windows infrastructure service that controls which background tasks can run on the system. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Background Tasks Infrastructure Service (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BrokerInfrastruc ...

oval:org.secpod.oval:def:56859
This setting allows members of the Everyone group to run applications that are located in (or beneath) the Program Files folder. If you enable this setting, members of the Everyone group will be able to run applications that are located in (or beneath) the Program Files folder. If you disable this ...

oval:org.secpod.oval:def:56490
This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC. For example, the retry intervals may be set at 10 minutes, then 20 minutes and then 40 minutes, but when the interval reaches the v ...

oval:org.secpod.oval:def:56125
This policy setting allows you to control whether users see detailed enhanced notification messages about featured software from the Microsoft Update service. Enhanced notification messages convey the value and promote the installation and use of optional software. This policy setting is intended fo ...

oval:org.secpod.oval:def:56804
This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. Note: The default account picture is stored at %PROGRAMDATA%\Mi ...

oval:org.secpod.oval:def:56847
This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver ...

oval:org.secpod.oval:def:56856
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store. Enabling this po ...

oval:org.secpod.oval:def:56557
This policy setting allows you to configure the antimalware service to receive notifications to disable individual definitions in response to reports it sends to Microsoft MAPS. Microsoft MAPS uses these notifications to disable definitions that are causing false positive reports. You must have conf ...

oval:org.secpod.oval:def:56443
Enables a Windows based computer to act as an NFS Server. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Server for NFS (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nfssvc!Start

oval:org.secpod.oval:def:57101
The Diagnostic Service Host service enables problem detection, troubleshooting and resolution for Windows components. If this service is stopped, some diagnostics will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Compu ...

oval:org.secpod.oval:def:56758
This entry appears as MSS: (AutoShareServer) Enable Administrative Shares (not recommended except for highly secure environments) in the SCE. For additional information, see the Microsoft Knowledge Base article How to remove administrative shares in Windows Server 2008 at http://support.microsoft.c ...

oval:org.secpod.oval:def:56669
Provides a network service that processes requests to simulate application of Group Policy settings for a target user or computer in various situations and computes the Resultant Set of Policy settings. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Resulta ...

oval:org.secpod.oval:def:56798
This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to tre ...

oval:org.secpod.oval:def:56959
This policy setting lets you configure if all your valid logon certificates are displayed. During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This can cause confusion as to which certificate to select for logon. The c ...

oval:org.secpod.oval:def:56068
Restricts the tool download policy for Microsoft Support Diagnostic Tool. Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. For some problems, MSDT may prompt the user to download additional tools for troubleshooting. These tools are required t ...

oval:org.secpod.oval:def:56951
This policy setting allows users to enable authentication options that require user input from the pre-boot environment even if the platform indicates lack of pre-boot input capability. The Windows on-screen touch keyboard (such as used by slates) is not available in the pre-boot environment where ...

oval:org.secpod.oval:def:56355
This policy setting prevents computers from establishing multiple simultaneous connections to either the Internet or to a Windows domain. If this policy setting is enabled, when the computer has at least one active connection to the Internet, a new automatic connection attempt to the Internet ...

oval:org.secpod.oval:def:56364
Enabling this policy allows indexing of items for online delegate mailboxes on a Microsoft Exchange server. This policy affects only delegate mailboxes that are online. Microsoft Outlook 2007 allows users to cache portions of delegate mailboxes locally (for example, contacts or a calendar). This pol ...

oval:org.secpod.oval:def:56370
If enabled, the indexer pauses whenever the computer is running on battery. If disabled, the indexing follows the default behavior. Default is disabled. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Search!Prevent indexing when running on battery power to conserv ...

oval:org.secpod.oval:def:57113
Quality Windows Audio Video Experience (qWave) is a networking platform for Audio Video (AV) streaming applications on IP home networks. qWave enhances AV streaming performance and reliability by ensuring network quality-of-service (QoS) for AV applications. It provides mechanisms for admission cont ...

oval:org.secpod.oval:def:56258
This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration. Modification of these values could lead to a hardware failure that would result in a denial of servic ...

oval:org.secpod.oval:def:56260
Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options!Allow NTLM to fall back to NULL session when used with LocalS ...

oval:org.secpod.oval:def:56072
This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a max ...

oval:org.secpod.oval:def:56581
This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. If you enable this set ...

oval:org.secpod.oval:def:56971
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses CredSSP authentication. If you enable this policy setting, the WinRM client will use CredSSP authentication. If you disable or do not configure this policy setting, then the WinRM cli ...

oval:org.secpod.oval:def:56863
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Kerberos authentication directly. If you enable this policy setting, the Windows Remote Management (WinRM) client will not use Kerberos authentication directly. Kerberos may still be used if t ...

oval:org.secpod.oval:def:57131
Specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). If you enable this setting, the Choose a list of Internet Service Providers path in the Internet Connection Wizard will cause the wizard to exit. This prevents users fr ...

oval:org.secpod.oval:def:57192
This policy setting determines which users can change the auditing options for files and directories and clear the Security log. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, ...

oval:org.secpod.oval:def:56661
Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\File Explorer!Turn off Data Execution Prevention for Explorer (2) REG: HKEY_LOCAL_MACHINE\So ...

oval:org.secpod.oval:def:56161
Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Power (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\Curren ...

oval:org.secpod.oval:def:56267
This policy setting allows you to minimize the risk involved when a packaged app launches the default app for a protocol. Because desktop apps run at a higher integrity level than packaged apps, there is a risk that a protocol launched by a packaged app could compromise the system by launching a des ...

oval:org.secpod.oval:def:56855
This policy setting determines whether remote paths can be used for file shortcut (.lnk file) icons. If you enable this policy setting, file shortcut icons are allowed to be obtained from remote paths. If you disable or do not configure this policy setting, file shortcut icons that use remote path ...

oval:org.secpod.oval:def:56726
Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error rep ...

oval:org.secpod.oval:def:56280
This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-on ...

oval:org.secpod.oval:def:57138
This policy setting determines whether the virtual memory pagefile is cleared when the system is shut down. When this policy setting is enabled, the system pagefile is cleared each time that the system shuts down properly. If you enable this security setting, the hibernation file (Hiberfil.sys) is z ...

oval:org.secpod.oval:def:56069
This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled definition update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent mu ...

oval:org.secpod.oval:def:57050
This policy setting limits a node to resolving, but not publishing, names in a specific Peer Name Resolution Protocol (PNRP) cloud. This policy setting forces computers to act as clients in peer-to-peer (P2P) scenarios. For example, a client computer can detect other computers to initiate chat sess ...

oval:org.secpod.oval:def:56842
This policy setting allows you to specify whether Remote Desktop Services uses a mandatory profile for all users connecting remotely to the RD Session Host server. If you enable this policy setting, Remote Desktop Services uses the path specified in the Set path for Remote Desktop Services Roaming ...

oval:org.secpod.oval:def:57133
The Active Directory Rights Management Service (AD RMS) logging service runs on each server in an AD RMS cluster and sends logging information to the logging database. This information is used by AD RMS to generate reports from within the Active Directory Rights Management Services console. Fix: ( ...

oval:org.secpod.oval:def:56663
Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Filesy ...

oval:org.secpod.oval:def:57163
This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an algorithm to identify connectivity and throughput problems caused by many Firewalls and other middle boxes that don't interpret Window Scaling option correctly. If you do not configure th ...

oval:org.secpod.oval:def:57183
This policy setting allows you to specify whether font smoothing is allowed for remote connections. Font smoothing provides ClearType functionality for a remote connection. ClearType is a technology for displaying computer fonts so that they appear clear and smooth, especially when you are using an ...

oval:org.secpod.oval:def:57040
This policy setting allows you to manage whether backups of a machine can run to an optical media or not. If you enable this policy setting, machine administrator/backup operator cannot use Windows Server Backup to run backups to an optical media. If you disable or do not configure this policy set ...

oval:org.secpod.oval:def:56223
Management Service for Remote Desktop Services Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Remote Desktop Management (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RDMS!Start

oval:org.secpod.oval:def:56045
Determines whether the DNS client performs primary DNS suffix devolution in a name resolution process. When a user submits a query for a single-label name, such as example, a local DNS client attaches a suffix, such as microsoft.com, resulting in the query example.microsoft.com, before sending the ...

oval:org.secpod.oval:def:56496
This policy setting allows you to specify whether desktop composition is allowed for remote desktop sessions. This policy setting does not apply to RemoteApp sessions. Desktop composition provides the user interface elements of Windows Aero, such as translucent windows, for remote desktop sessions. ...

oval:org.secpod.oval:def:56216
Ignores Windows Logon Background. This policy setting may be used to make Windows give preference to a custom logon background. If you enable this policy setting, the logon screen will always attempt to load a custom background instead of the Windows-branded logon background. If you disable or do ...

oval:org.secpod.oval:def:56091
This policy setting allows you to specify the RD Session Host servers to which a Remote Desktop license server will offer Remote Desktop Services client access licenses (RDS CALs). You can use this policy setting to control which RD Session Host servers are issued RDS CALs by the Remote Desktop lic ...

oval:org.secpod.oval:def:56787
This policy setting allows you to allow or deny remote access to the Plug and Play interface. If you enable this policy setting, remote connections to the Plug and Play interface are allowed. Fix: (1) GPO: (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!A ...

oval:org.secpod.oval:def:57132
Simple TCP/IP Services implements support for the Echo, Discard, Character Generator, Daytime, and Quote of the Day protocols. Echo (port 7, RFC 862) This protocol echoes back data from any messages it receives on this server port. Echo can be useful as a network debugging and monitoring tool. Dis ...

oval:org.secpod.oval:def:56434
This policy setting determines whether the system records an event in the local Application log when users reach their disk quota limit on a volume, and prevents users from changing the logging setting. If you enable this policy setting, the system records an event when the user reaches their limit ...

oval:org.secpod.oval:def:56771
Provides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Hyper-V Data Exchange Service (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\s ...

oval:org.secpod.oval:def:56596
This policy controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shut down this system from a remote Windows XP or Windows Server 2003 system. If this setting is enabled, the system does not create the named pipe remote shutdown i ...

oval:org.secpod.oval:def:56762
Enables Network Access Protection (NAP) functionality on client computers. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Network Access Protection Agent (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\napagent!Start

oval:org.secpod.oval:def:56233
Provides the core file encryption technology used to store encrypted files on NTFS file system volumes. If this service is stopped or disabled, applications will be unable to access encrypted files. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Encrypting ...

oval:org.secpod.oval:def:56159
This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In high security environments, there should be no need for remote users to access data on a computer. Instead, file sharing should be acc ...

oval:org.secpod.oval:def:57109
The Message Queuing Triggers service provides a rule-based system to monitor messages that arrive in a Message Queuing service queue and, when the conditions of a rule are satisfied, invoke a COM component or a stand-alone executable program to process the message. The Message Queuing Triggers serv ...

oval:org.secpod.oval:def:56903
This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly ...

oval:org.secpod.oval:def:56678
Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation. A value of 0, the default, will enable delete notifications for all volumes. A value of 1 will disable delete notifications for all volumes. Fix: (1) GPO: Compu ...

oval:org.secpod.oval:def:57186
This service provides support for viewing, sending and deletion of system-level problem reports for the Problem Reports and Solutions control panel. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Problem Reports and Solutions Control Panel Support (2) REG: ...

oval:org.secpod.oval:def:56255
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. If you enable this policy setting, the WinRM client will use Basic authentication. If WinRM is configured to use HTTP transport, then the user name and password are sent over the ...

oval:org.secpod.oval:def:56629
This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. If your organization uses Remote Assistance as part of its help desk strategy, create a group and assign it this user right through Group Policy. ...

oval:org.secpod.oval:def:57008
This policy setting determines whether the Stored User Names and Passwords feature may save passwords or credentials for later use when it gains domain authentication. If you enable this policy setting, the Stored User Names and Passwords feature of Windows does not store passwords and credentials. ...

oval:org.secpod.oval:def:56379
This policy setting allows users to patch elevated products. If you enable this policy setting, all users are permitted to install patches, even when the installation program is running with elevated system privileges. Patches are updates or upgrades that replace only those program files that have ...

oval:org.secpod.oval:def:57152
If this setting is enabled, Windows Error Reporting events will not be logged to the system event log. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting!Disable Logging (2) REG: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Er ...

oval:org.secpod.oval:def:57205
Removes access to the performance center control panel OEM and Microsoft branding links. If you enable this setting, the OEM and Microsoft web links within the performance control panel page will not be displayed. The administrative tools will not be affected. If you disable or do not configure th ...

oval:org.secpod.oval:def:57167
This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with application and driver compatibility. If you enable this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers bloc ...

oval:org.secpod.oval:def:56512
This policy setting enables or disables an HTTP listener created for backward compatibility purposes in the Windows Remote Management (WinRM) service. When certain port 80 listeners are migrated to WinRM 2.0, the listener port number changes to 5985. A listener may be automatic ...

oval:org.secpod.oval:def:56542
This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. If you enable or do not configure this policy setting, the device securely saves the user's credentials (including the user name, domain and encrypte ...

oval:org.secpod.oval:def:56190
Specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast ...

oval:org.secpod.oval:def:56195
This setting lets you prevent users from selecting a local disk (internal or external) for storing backups. If this setting is enabled, the user will be blocked from selecting a local disk as a backup location. If this setting is disabled or not configured, users can select a local disk as a backu ...

oval:org.secpod.oval:def:56757
Microsoft recommends that you use this setting, if appropriate to your environment and your organization's business requirements, to help protect end user computers. This policy setting allows text to be specified in the title bar of the window that users see when they log on to the system. ...

oval:org.secpod.oval:def:57149
Use this option to specify the path and name of the file in which Windows Firewall will write its log information. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Pri ...

oval:org.secpod.oval:def:56877
By default, users can add their computer to a homegroup on a home network. If you enable this policy setting, a user on this computer will not be able to add this computer to a homegroup. This setting does not affect other network sharing features. If you disable or do not configure this policy se ...

oval:org.secpod.oval:def:56156
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. Th ...

oval:org.secpod.oval:def:56793
Provides services for quota and file screen management. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!File Server Resource Manager (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\srmsvc!Start

oval:org.secpod.oval:def:56381
This policy setting determines whether the client computer redirects its time zone settings to the Remote Desktop Services session. If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used ...

oval:org.secpod.oval:def:56615
This policy setting turns off all support for the non-volatile (NV) cache on all hybrid hard disks in the system. To check if you have hybrid hard disks in the system, from Device Manager, right-click the disk drive and select Properties. The NV cache can be used to optimize boot and resume by readi ...

oval:org.secpod.oval:def:56893
If enabled, files on network shares made available offline are not indexed. Otherwise they are indexed. Disabled by default. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Search!Prevent indexing files in offline files cache (2) REG: HKEY_LOCAL_MACHINE\SOFTWARE\P ...

oval:org.secpod.oval:def:57226
KDC Proxy Server service runs on edge servers to proxy Kerberos protocol messages to domain controllers on the corporate network. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!KDC Proxy Server service (KPS) (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentContro ...

oval:org.secpod.oval:def:56865
This setting allows members of the local Administrators group to run all applications on computers, regardless of their location. If you enable this setting, members of the Administrators group will be able to run applications, regardless of their location. If you disable this setting, members of ...

oval:org.secpod.oval:def:57076
Assigns computer resources to multiple applications running on Windows Server. If this service is stopped or disabled no management will occur, no accounting data will be collected, and the administrator will not be able to use command-line controls to administer WSRM. Fix: (1) GPO: Computer Confi ...

oval:org.secpod.oval:def:56201
Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Confi ...

oval:org.secpod.oval:def:56722
This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon. In versions of Windows prior to Windows Vista, smart card certificates that are used for logon require an enhanced key usage (EKU) extension with a smart card logon object identifier. This ...

oval:org.secpod.oval:def:56546
This setting lets you configure how domain joined client computers become workplace joined with domain users at your organization. If this setting is enabled, domain-joined client computers will automatically become workplace-joined upon domain user logon. Note: Additional requirements may apply o ...

oval:org.secpod.oval:def:56592
Encryption can add to the processing overhead of filesystem operations.  Enabling this setting will prevent access to and creation of encrypted files.  Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Filesystem\NTFS!Do not allow encryption on all NTFS volumes (2) REG: HKEY_LOCAL ...

oval:org.secpod.oval:def:56544
This policy setting allows you to manage where client computers search for Point and Print drivers. If you enable this policy setting, the client computer will continue to search for compatible Point and Print drivers from Windows Update after it fails to find the compatible driver from the local ...

oval:org.secpod.oval:def:56660
This policy setting controls on a per-computer basis whether roaming profiles are downloaded on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private d ...

oval:org.secpod.oval:def:57039
Specifies whether NCA service runs in Passive Mode or not. Set this to Disabled to keep NCA probing actively all the time. If this setting is not configured, NCA probing is in active mode by default. Fix: (1) GPO: Computer Configuration\Administrative Templates\Network\DirectAccess Client Experie ...

oval:org.secpod.oval:def:57213
This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they c ...

oval:org.secpod.oval:def:56759
This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver. This enables executing print drivers in an isolated process, even if the driver does not report compatibility. If you enable this policy setting, the print spooler ...

oval:org.secpod.oval:def:56093
This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy setting. If you enable this policy setting, Windows is prevented from installing, or updating the device driver for, any device that is not described by either the Allow ins ...

oval:org.secpod.oval:def:56541
This policy prevents users from changing their user geographical location (GeoID).  If this policy is Enabled, then the user cannot change their geographical location (GeoID).  If the policy is Disabled or Not Configured, then the user may select any GeoID.  If this policy is Enabled at the Machine l ...

oval:org.secpod.oval:def:56365
This policy setting permits users to change installation options that typically are available only to system administrators. If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to ...

oval:org.secpod.oval:def:56350
This policy setting determines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs ...

oval:org.secpod.oval:def:56712
Enables this computer to serve as an iSCSI target. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Microsoft iSCSI Software Target (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinTarget!Start

oval:org.secpod.oval:def:56861
Specifies whether desktop wallpaper is displayed to remote clients connecting via Remote Desktop Services. You can use this setting to enforce the removal of wallpaper during a Remote Desktop Services session. By default, Windows XP Professional displays wallpaper to remote clients connecting throu ...

oval:org.secpod.oval:def:57223
Provides ordered execution for a group of threads within a specific period of time. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Thread Ordering Server (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\THREADORDER!Start

oval:org.secpod.oval:def:56031
This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. ...

oval:org.secpod.oval:def:56585
This policy setting allows the user of a portable computer to click Eject PC on the Start menu to undock the computer. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or comput ...

oval:org.secpod.oval:def:57173
Manages the RPC name service database. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Remote Procedure Call (RPC) Locator (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RpcLocator!Start

oval:org.secpod.oval:def:56060
This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. Previous versions can come from the on-disk restore points or the backup media. If you enable this policy setting, users cannot see any previous versions co ...

oval:org.secpod.oval:def:56924
This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy w ...

oval:org.secpod.oval:def:57002
Determines if a computer performing dynamic registration may register A and PTR resource records with a concatenation of its Computer Name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its Computer Name and the Primary DNS suffix. Warning: En ...

oval:org.secpod.oval:def:56774
If enabled then only those sessions that are established via a persistent login will be established and no new persistent logins may be created. If disabled then additional persistent and non persistent logins may be established. Fix: (1) GPO: Computer Configuration\Administrative Templates\System ...

oval:org.secpod.oval:def:56435
Loads files to memory for later printing.  Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Print Spooler (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler!Start

oval:org.secpod.oval:def:56107
Denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. If you disable or don't configure this setting, access to the Store application is allowed. Fix: (1) GPO: ...

oval:org.secpod.oval:def:57056
This policy setting allows users who do not have the Traverse Folder access permission to pass through folders when they browse an object path in the NTFS file system or the registry. This user right does not allow users to list the contents of a folder. When configuring a user right in the SCM ent ...

oval:org.secpod.oval:def:56277
This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote clien ...

oval:org.secpod.oval:def:56915
This policy setting allows you to manage whether or not end users can pause a scan in progress. If you enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan. If you disable this setting, users will not be able to pause sca ...

oval:org.secpod.oval:def:56184
This policy setting affects the ability of users to install or uninstall color profiles. If you enable this policy setting, users will not be able to install new color profiles or uninstall previously installed color profiles. If you disable or do not configure this policy setting, all users will ...

oval:org.secpod.oval:def:57058
Enables this server to be a File Transfer Protocol (FTP) server. If this service is stopped, the server cannot function as an FTP server. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settin ...

oval:org.secpod.oval:def:56191
Specifies whether to allow Remote Desktop Connection clients to automatically reconnect to sessions on an RD Session Host server if their network link is temporarily lost. By default, a maximum of twenty reconnection attempts are made at five second intervals. If the status is set to Enabled, auto ...

oval:org.secpod.oval:def:56063
This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not ...

oval:org.secpod.oval:def:56335
This policy setting turns off the sensor feature for this computer. If you enable this policy setting, the sensor feature will be turned off, and all programs on this computer will not be able to use the sensor feature. If you disable or do not configure this policy setting, all pr ...

oval:org.secpod.oval:def:56457
This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities. If you enable or do not configure this setting, protocol recognition will be enabled. If you disable this setting, protocol recognition will be disabled. Fix: (1) GP ...

oval:org.secpod.oval:def:56257
This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, standard users will not be ...

oval:org.secpod.oval:def:56672
The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This ...

oval:org.secpod.oval:def:57028
Specifies whether to automatically update root certificates using the Windows Update Web site. Typically, a certificate is used when you use a secure Web site or when you send and receive secure e-mail. Anyone can issue certificates, but to have transactions that are as secure as possible, certific ...

oval:org.secpod.oval:def:56241
Provides Image Management servicing for Hyper-V. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Hyper-V Image Management Service (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vhdsvc!Start

oval:org.secpod.oval:def:57116
This service monitors the Windows software license state. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Windows License Monitoring Service (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WLMS!Start

oval:org.secpod.oval:def:56984
Specify if Windows should enable the desktop background slideshow.  If you enable this policy setting, desktop background slideshow is enabled.  If you disable this policy setting, the desktop background slideshow is disabled.  If you do not configure this setting, users can see and change this sett ...

oval:org.secpod.oval:def:57178
Performs TCP/IP configuration for DHCP clients, including dynamic assignments of IP addresses, specification of the WINS and DNS servers, and connection-specific DNS names. If this service is stopped, the DHCP server will not perform TCP/IP configuration for clients. If this service is disabled, any ...

oval:org.secpod.oval:def:56312
This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical order. If you enable this policy setting, File Explorer will sort file names by each digit in a file name (for example, 111 < 22 < 3). If you disable or do not configu ...

oval:org.secpod.oval:def:56058
Determines whether a user can install and configure the Network Bridge. Important: This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS do ...

oval:org.secpod.oval:def:56244
This policy setting allows you to configure the Family Safety feature. If you enable this policy setting, the Family Safety control panel is visible on a domain joined computer. If you disable or do not configure this policy setting, the Family Safety control panel is not visible on a domain joine ...

oval:org.secpod.oval:def:56085
Tracks the last play time of games in the Games folder. If you enable this setting the last played time of games will not be recorded in Games folder. This setting only affects the Games folder. If you disable or do not configure this setting, the last played time will be displayed to the user. ...

oval:org.secpod.oval:def:57104
Provides Hyper-V Networking WMI management. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Hyper-V Networking Management Service (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nvspwmi!Start

oval:org.secpod.oval:def:56554
This policy setting allows you to enable download of definition updates from Microsoft Update even if the Automatic Updates default server is configured to another download source such as Windows Update. If you enable this setting, definition updates will be downloaded from Microsoft Update. If yo ...

oval:org.secpod.oval:def:56796
Provides X.509 certificate and key management services for the Network Access Protection Agent (NAPAgent). Enforcement technologies that use X.509 certificates may not function properly without this service.  Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Hea ...

oval:org.secpod.oval:def:56276
Integrates disparate file shares into a single, logical namespace and manages these logical volumes. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!DFS Namespace (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dfs!Start

oval:org.secpod.oval:def:57105
Cluster Service controls server cluster operations and manages the cluster database. A cluster is a collection of independent computers that is as easy to use as a single computer. Managers see it as a single system, programmers see it as a single system, and users see it as a single system. The sof ...

oval:org.secpod.oval:def:56662
Local Link Multicast Name Resolution (LLMNR) is a secondary name resolution protocol. Queries are sent over the Local Link, a single subnet, from a client machine using Multicast to which another client on the same link, which also has LLMNR enabled, can respond. LLMNR provides name resolution in sc ...

oval:org.secpod.oval:def:56932
This policy setting causes the run list, which is a list of programs that Windows runs automatically when it starts, to be ignored. The customized run lists for Windows Vista are stored in the registry at the following locations: - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run - H ...

oval:org.secpod.oval:def:56638
This policy setting prevents users from using Windows Installer to install patches. If you enable this policy setting, users are prevented from using Windows Installer to install patches. Patches are updates or upgrades that replace only those program files that have changed. Because patches can be ...

oval:org.secpod.oval:def:56957
Specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses a ...

oval:org.secpod.oval:def:56218
Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting determines whether it is necessary to contact a domain controller to unlock a computer. If you enable this setting, a domain c ...

oval:org.secpod.oval:def:56892
This policy setting allows you to manage whether a user can run the Firefox web browser or not. This policy sets AppLocker rules to prevent users from running the Firefox web browser. If you enable this setting, users will be unable to run the Firefox web browser. If you disable or do not configur ...

oval:org.secpod.oval:def:56044
This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. If this policy setting is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances: Auto ...

oval:org.secpod.oval:def:56426
This setting allows you to remove access to Windows Update. If you enable this setting, all Windows Update features are removed. This includes blocking access to the Windows Update Web site at http://windowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the T ...

oval:org.secpod.oval:def:57045
Determines whether the computer's shared printers can be published in Active Directory. If you enable this setting or do not configure it, users can use the List in directory option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory. ...

oval:org.secpod.oval:def:56522
The Removable Storage service manages and catalogs removable media and operates automated removable media devices. This service maintains a catalog of information that identifies removable media that are used by your computer, including tapes and CDs. Applications such as Backup and Remote Storage u ...

oval:org.secpod.oval:def:56199
Allows administrators to remotely access a command prompt using Emergency Management Services. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Special Administration Console Helper (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sacsvr!Start

oval:org.secpod.oval:def:56169
This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: - Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the opera ...

oval:org.secpod.oval:def:56321
This policy setting specifies whether BranchCache is enabled on the client computer. BranchCache reduces the utilization of the wide area network (WAN) links connecting branch offices to the data center or headquarters and increases access speeds for content that has already been downloaded into the ...

oval:org.secpod.oval:def:56688
This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Ad ...

oval:org.secpod.oval:def:56290
This policy restricts client computers to use package point and print only.  If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that ar ...

oval:org.secpod.oval:def:56740
Provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients on the network, therefore enabling users to share files, print, and log on to the network. If this service is stopped, these functions might be unavailable. If this service is disabled, any services ...

oval:org.secpod.oval:def:56041
This policy setting turns off Windows Mobility Center. If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not launch it. If you disable this policy setting, the user i ...

oval:org.secpod.oval:def:56224
The service is responsible for applying settings configured by administrators for the computer and users through the Group Policy component. If the service is stopped or disabled, the settings will not be applied and applications and components will not be manageable through Group Policy. Any compon ...

oval:org.secpod.oval:def:56440
Microsoft .NET Framework NGEN Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Microsoft .NET Framework NGEN v2.0.50727_I64 (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\clr_optimization_v2.0.50727_i64!Start

oval:org.secpod.oval:def:56939
This policy setting allows you to configure Information Protection Control (IPC). If you enable this setting, IPC will be enabled. If you disable or do not configure this setting, IPC will be disabled. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Defen ...

oval:org.secpod.oval:def:56768
Provides administrative services for IIS, for example configuration history and Application Pool account mapping. If this service is stopped, configuration history and locking down files or directories with Application Pool specific Access Control Entries will not work. Fix: (1) GPO: Computer Conf ...

oval:org.secpod.oval:def:56288
Specifies whether Windows Media Center can run. If you enable this setting, Windows Media Center will not run. If you disable or do not configure this setting, Windows Media Center can be run. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Media Center!D ...

oval:org.secpod.oval:def:56725
This setting determines if roaming user profiles are available on a particular computer. By default, when roaming profile users log on to a computer, their roaming profile is copied down to the local computer. If they have already logged on to this computer in the past, the roaming profile is merged ...

oval:org.secpod.oval:def:56699
This setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms used in Windows 2000, Windows XP, Windows Server 2003, Window ...

oval:org.secpod.oval:def:56411
You can configure this setting to enable the auditing of Lsass.exe so that you can evaluate feasibility of enabling LSA protection. You can use the audit mode to identify LSA plug-ins and drivers that will fail to load in LSA Protection mode. While in the audit mode, the system will generate event l ...

oval:org.secpod.oval:def:56248
This policy setting controls the state of the Inventory Collector. The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems. If you enable this policy setting ...

oval:org.secpod.oval:def:56377
Use this option to specify the size limit of the file in which Windows Firewall will write its log information.  Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\W ...

oval:org.secpod.oval:def:57067
This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps pass phrase is a better term than password. In Microsoft Windows 2000 or later, ...

oval:org.secpod.oval:def:56640
This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost ...

oval:org.secpod.oval:def:56160
This policy setting determines which users and groups can change the time and date on the internal clock of the computers in your environment. Users who are assigned this user right can affect the appearance of event logs. When a computer's time setting is changed, logged events reflect the new time ...

oval:org.secpod.oval:def:56474
This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publisher ...

oval:org.secpod.oval:def:57135
This policy setting allows you to configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives. Secure Boot ensures that the PC's pre-boot environment only loads firmware that is digitally signed by authorized software publishers. S ...

oval:org.secpod.oval:def:56591
The recovery console is a command-line environment that is used to recover from system problems. If you enable this policy setting, the administrator account is automatically logged on to the recovery console when it is invoked during startup. This policy setting allows the administrator account to ...

oval:org.secpod.oval:def:57014
This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. When this setting is enabled, the SYSVOL share will honor file sharing semantics that grant req ...

oval:org.secpod.oval:def:56659
Turns off the solid state mode for the hybrid hard disks. If you enable this policy setting, frequently written files such as the file system metadata and registry may not be stored in the NV cache. If you disable this policy setting, the system will store frequently written data into the non-vola ...

oval:org.secpod.oval:def:56322
This policy setting allows you to specify whether remote users can start any program on the RD Session Host server when they start a Remote Desktop Services session, or whether they can only start programs that are listed in the RemoteApp Programs list. You can control which programs on an RD Sessi ...

oval:org.secpod.oval:def:57053
Specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. If you enable this setting, Windows, when started from a Windows To Go workspace, can hibernate the PC. If you disable or don't configure this setting, Windows, when started from ...

oval:org.secpod.oval:def:56064
Enabling this policy prevents users from adding UNC locations to the index from the Search and Indexing Options in Control Panel. Any UNC locations that have already been added to the index by the user will not be removed. When this policy is disabled or not configured, users will be able to add UN ...

oval:org.secpod.oval:def:56936
This policy setting prevents users from sharing the local drives on their client computers to Terminal Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\TSClient\<driveletter>$ If local drives are shared they are left vulne ...

oval:org.secpod.oval:def:56524
This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a f ...

oval:org.secpod.oval:def:56494
This policy setting denies execute access to the CD and DVD removable storage class. If you enable this policy setting, execute access will be denied to this removable storage class. If you disable or do not configure this policy setting, execute access will be allowed to this removable storage cl ...

oval:org.secpod.oval:def:56421
This policy setting hides or displays the Advanced Options dialog for Search and Indexing Options in the Control Panel. If you enable this policy setting, the Advanced Options dialog for Search and Indexing Options in the Control Panel cannot be opened. If you disable or do not configure this poli ...

oval:org.secpod.oval:def:57231
This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if System Monitor is configured ...

oval:org.secpod.oval:def:56724
If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS servers; existing iSNS servers may not be removed. If disabled then new iSNS servers may be added and thus new targets discovered via those iSNS servers; existing iSNS servers may be removed. Fix: (1) ...

oval:org.secpod.oval:def:56246
The IKEEXT service hosts the Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) keying modules. These keying modules are used for authentication and key exchange in Internet Protocol security (IPsec). Stopping or disabling the IKEEXT service will disable IKE and AuthIP key exch ...

oval:org.secpod.oval:def:57218
This policy setting determines whether removable floppy media are accessible to both local and remote users simultaneously. If you enable this policy setting, only the interactively logged-on user is allowed to access removable floppy media. If this policy setting is enabled and no one is logged on ...

oval:org.secpod.oval:def:56028
Receives trap messages generated by local or remote Simple Network Management Protocol (SNMP) agents and forwards the messages to SNMP management programs running on this computer. If this service is stopped, SNMP-based programs on this computer will not receive SNMP trap messages. If this service i ...

oval:org.secpod.oval:def:56810
Turns off the power save mode on the hybrid hard disks in the system. If you enable this policy, the disks will not be put into NV cache power save mode and no power savings would be achieved. If you disable this policy setting, then the hard disks are put into a NV cache power saving mode. In thi ...

oval:org.secpod.oval:def:56354
This policy setting allows you to prevent Windows from retrieving device metadata from the Internet. If you enable this policy setting, Windows does not retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings di ...

oval:org.secpod.oval:def:57187
Synchronizes the system time of this virtual machine with the system time of the physical computer. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Hyper-V Time Synchronization Service (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vmictimesy ...

oval:org.secpod.oval:def:57069
Core Windows Service that manages local user sessions. Stopping or disabling this service will result in system instability. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Local Session Manager (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ ...

oval:org.secpod.oval:def:56106
Allow applications and services to prevent automatic sleep. If you enable this policy setting, any application, service or device driver may prevent Windows from automatically transitioning to sleep after a period of user inactivity. If you disable this policy setting, applications, services or dr ...

oval:org.secpod.oval:def:56225
This policy setting allows encrypted items to be indexed. If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting, the search service components (including non-Microsoft components) are expe ...

oval:org.secpod.oval:def:56689
Enables the download, installation and enforcement of digital licenses for Windows and Windows applications. If the service is disabled, the operating system and licensed applications may run in a reduced function mode. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System ...

oval:org.secpod.oval:def:57106
The Message Queuing service is a messaging infrastructure and development tool that can be used to create distributed messaging applications for Windows. Such applications can communicate across heterogeneous networks and send messages between computers that may be temporarily unable to connect to e ...

oval:org.secpod.oval:def:56057
This policy setting allows you to monitor tickets issued during Kerberos authentication whose size is close to or greater than a configured threshold value. The ticket size warnings are logged in the System log. If you enable this policy setting, you can set the threshold limit above which warnings ...

oval:org.secpod.oval:def:56251
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not accept Negotiate authentication from a remote client. If you enable this policy setting, the WinRM service will not accept Negotiate authentication from a remote client. If you disable or do not ...

oval:org.secpod.oval:def:56219
This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device. If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device. If you disable or do not configure this policy setting, a password can be used to unlock an ...

oval:org.secpod.oval:def:56623
Processes application compatibility cache requests for applications as they are launched. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Application Experience (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AeLookupSvc!Start

oval:org.secpod.oval:def:56866
The policy controls the state of the Switchback compatibility engine in the system. Switchback is a mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior to new applications. Switchback is on by default. If ...

oval:org.secpod.oval:def:56065
Specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon. Set this to Disabled to prevent user confusion when you are just using DirectAccess to remotely manage DirectAccess client computers from your intranet and not providing seam ...

oval:org.secpod.oval:def:56991
Defines whether a domain controller (DC) should attempt to verify with the PDC the password provided by a client if the DC failed to validate the password. Contacting the PDC is useful in case the client's password was recently changed and did not propagate to the DC yet. Users may want to disable ...

oval:org.secpod.oval:def:57181
This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file reaches i ...

oval:org.secpod.oval:def:56037
Determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers. If you enable this policy setting, the scripted diagnostics execution engine will validate the signer of any diagnostic package and only run those signed by trusted publishers. If you ...

oval:org.secpod.oval:def:56781
This policy setting allows you to prevent app notifications from appearing on the lock screen. If you enable this policy setting, no app notifications are displayed on the lock screen. If you disable or do not configure this policy setting, users can choose which apps display notifications on the ...

oval:org.secpod.oval:def:57021
When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. Microsoft recommends disabling WDigest authentication unless it is needed. If this setting is not configured, WDigest authentication is disabled in ...

oval:org.secpod.oval:def:56122
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. If you enable this policy setting, the WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any pl ...

oval:org.secpod.oval:def:56551
This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (O ...

oval:org.secpod.oval:def:56293
Receives activation requests over the net.pipe protocol and passes them to WPAS. .NET Framework 3.0 & Windows Process Activation Service. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Net.Pipe Listener Adapter (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\Curren ...

oval:org.secpod.oval:def:56817
This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. By default, Remote Desktop Services allows redirection of supported Plug and Play devices. Users can use the M ...

oval:org.secpod.oval:def:56829
This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Ad ...

oval:org.secpod.oval:def:57029
Manages how Windows controls the setting that specifies how long a computer must be inactive before Windows turns off the computer's display. When this policy is enabled, Windows automatically adjusts the setting based on what users do with their keyboard or mouse to keep the display on. When this ...

oval:org.secpod.oval:def:56121
This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC). Note: To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from a WINS server that is configured in its local client sett ...

oval:org.secpod.oval:def:56622
Remote Desktop Configuration service (RDCS) is responsible for all Terminal Services and Remote Desktop related configuration and session maintenance activities that require SYSTEM context. These include per-session temporary folders, TS themes, and TS certificates. Fix: (1) GPO: Computer Configur ...

oval:org.secpod.oval:def:56594
This setting controls the ability for users or administrators to remove Windows Installer based updates. This setting should be used if you need to maintain a tight control over updates. One example is a lockdown environment where you want to ensure that updates once installed cannot be removed by ...

oval:org.secpod.oval:def:56278
This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user. When configuring a user right in the SCM enter a comma delimited list of ...

oval:org.secpod.oval:def:56226
This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. If you enable this policy setting, the Netlogon share will honor file sharing semantics that ...

oval:org.secpod.oval:def:56561
This policy setting allows you to manage whether a check for new virus and spyware definitions will occur immediately after service startup. If you enable this setting, a check for new definitions will occur after service startup. If you disable this setting or do not configure this setting, a che ...

oval:org.secpod.oval:def:56563
This policy setting allows you to enable real-time definition updates in response to reports sent to Microsoft MAPS. If the service reports a file as an unknown and Microsoft MAPS finds that the latest definition update has definitions for a threat involving that file, the service will receive all o ...

oval:org.secpod.oval:def:56703
Specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. When a user opens a file that has an extension that is not associated with any applications on the machine, the user is given the choice to choose a local application or ...

oval:org.secpod.oval:def:56667
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. If you enable this policy setting, the WinRM service will accept Basic authentication from a remote client. If you disable or do not configure this poli ...

oval:org.secpod.oval:def:56242
WinHTTP implements the client HTTP stack and provides developers with a Win32 API and COM Automation component for sending HTTP requests and receiving responses. In addition, WinHTTP provides support for auto-discovering a proxy configuration via its implementation of the Web Proxy Auto-Discovery (W ...

oval:org.secpod.oval:def:56517
Optimizes performance of Windows Presentation Foundation (WPF) applications by caching commonly used font data. WPF applications will start this service if it is not already running. It can be disabled, though doing so will degrade the performance of WPF applications. Fix: (1) GPO: Computer Config ...

oval:org.secpod.oval:def:56813
This policy setting prevents redirection of USB devices. If you enable this setting, an alternate driver for USB devices cannot be loaded. If you disable or do not configure this setting, an alternate driver for USB devices can be loaded. Fix: (1) GPO: Computer Configuration\Administrative Templ ...

oval:org.secpod.oval:def:56700
Specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. If you enable this s ...

oval:org.secpod.oval:def:56331
Disables Hybrid Sleep. If you enable this policy setting, a hiberfile is not generated when the system transitions to sleep (Stand By). If you do not configure this policy setting, users can see and change this setting. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Power M ...

oval:org.secpod.oval:def:56526
This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choice in the Shut Down Windows dialog. Note that this policy setting has no impact if the Computer Configuration\Administrative Templates\Windows Components\Win ...

oval:org.secpod.oval:def:56631
This policy setting allows you to restrict users to a single remote Remote Desktop Services session. If you enable this policy setting, users who log on remotely using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. If the user leaves t ...

oval:org.secpod.oval:def:57172
The registry value entry WarningLevel was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ registry key. The entry appears as MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning in t ...

oval:org.secpod.oval:def:56478
This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file, in which the previous version is stored on a backup. If you enable this policy setting, the Restore button is disabled when the user selects ...

oval:org.secpod.oval:def:57103
Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered. Also allows logs to be generated for diagnostic and repair services. If this service is stopped, error reporting might not work correctly and results of diagnostic services and repair ...

oval:org.secpod.oval:def:56639
This policy setting controls whether users are shown an error dialog box that lets them report an error. If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is ...

oval:org.secpod.oval:def:57177
The WebClient service allows Win32 applications to access documents on the Internet. The service extends the network capability of Windows; it allows standard Win32 applications to create, read, and write files on Internet file servers through the use of WebDAV, a file-access protocol that is descri ...

oval:org.secpod.oval:def:56808
This policy setting allows you to control whether a domain user can sign in using a picture password. If you enable this policy setting, a domain user can't set up or sign in with a picture password. If you disable or don't configure this policy setting, a domain user can set up ...

oval:org.secpod.oval:def:57143
Manages shadow copy of file shares taken by the VSS file server agent. If this service is stopped, file share shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Configuration\Windows Settings\Security S ...

oval:org.secpod.oval:def:56883
If enabled then only those connections that are configured for IPSec may be established. If disabled then connections that are configured for IPSec or connections not configured for IPSec may be established. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\iSCSI\iSCSI Security! ...

oval:org.secpod.oval:def:57061
Specifies whether active content links in trusted assistance content are rendered. By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links. If you enable this policy, such links are not rendered. The text is displayed but ...

oval:org.secpod.oval:def:56885
This policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled. If you enable or do not configure this setting, packed executables will be scanned. If you disable this setting, packed executables will not be scanned. Fix: ...

oval:org.secpod.oval:def:56613
Manages Internet SCSI (iSCSI) sessions from this computer to remote iSCSI target devices. If this service is stopped, this computer will not be able to login or access iSCSI targets. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer C ...

oval:org.secpod.oval:def:56158
The Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering. Stopping or disabling the BFE service will significantly reduce the security of the system. It will also result in unpredictable behavior in IPsec ma ...

oval:org.secpod.oval:def:56259
This policy setting allows you to specify whether users can redirect the remote computer's audio and video output in a Remote Desktop Services session. Users can specify where to play the remote computer's audio output by configuring the remote audio settings on the Local Resource ...

oval:org.secpod.oval:def:56368
This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has been logged on using previously stored account information. If enabled, a notification popup will be displayed to the user when the user logs on with cached credenti ...

oval:org.secpod.oval:def:56358
Allows you to specify that local computer administrators can supplement the Define Activation Security Check exemptions list. If you enable this policy setting, and DCOM does not find an explicit entry for a DCOM server application id (appid) in the Define Activation Security Check exemptions polic ...

oval:org.secpod.oval:def:57070
Provides support for the Secure Socket Tunneling Protocol (SSTP) to connect to remote computers using VPN. If this service is disabled, users will not be able to use SSTP to access remote servers. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Secure Socket ...

oval:org.secpod.oval:def:56318
This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only op ...

oval:org.secpod.oval:def:56148
This service hosts the DS Role Server used for DC promotion, demotion, and cloning. If this service is disabled, these operations will fail. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!DS Role Server (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ ...

oval:org.secpod.oval:def:56485
Specifies whether the Windows NTP Server is enabled. Enabling the Windows NTP Server allows your computer to service NTP requests from other machines. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers!Enable Windows NTP Server (2) REG: HKEY_L ...

oval:org.secpod.oval:def:57197
Use this outbound rule to block IP protocol number 41. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Outbound Rules!Windows Firewall: Blo ...

oval:org.secpod.oval:def:56196
Provides infrastructure support for Windows Store. This service is started on demand and if disabled applications bought using Windows Store will not behave correctly. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Windows Store Service (WSService) (2) REG ...

oval:org.secpod.oval:def:56099
Enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. If you disable or do not configure this setting the Store application will offer updates to the latest version ...

oval:org.secpod.oval:def:57164
This policy setting determines when Windows uses automatic language detection results, and when it relies on indexing history. If you enable this policy setting, Windows will always use automatic language detection to index (as it did in Windows 7). Using automatic language detection can increase me ...

oval:org.secpod.oval:def:56043
If enabled then new targets may not be manually configured by entering the target name and target portal; already discovered targets may be manually configured. If disabled then new and already discovered targets may be manually configured. Note: if enabled there may be cases where this will break V ...

oval:org.secpod.oval:def:56324
Management service for Hyper-V, provides service to run multiple virtual machines. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Hyper-V Virtual Machine Management Service (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vmms!Start

oval:org.secpod.oval:def:56493
This policy setting specifies whether a session uses the IP address of the Remote Desktop Session Host server if a virtual IP address is not available. If you enable this policy setting, the IP address of the RD Session Host server is not used if a virtual IP is not available. The session will not ...

oval:org.secpod.oval:def:56444
This policy setting provides users with the ability to download their roaming profile, even when a slow network connection with their roaming profile server is detected. If you enable this policy setting, users will be allowed to define whether they want their roaming profile to be downloaded when ...

oval:org.secpod.oval:def:56974
Device compatibility settings. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Device and Driver Compatibility!Device compatibility settings (2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\Compatibility!DisableDeviceFlags

oval:org.secpod.oval:def:56952
By default, Add features to Windows 8 is available for all administrators. If you enable this policy setting, the wizard will not run. If you disable this policy setting or set it to Not Configured, the wizard will run. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Compon ...

oval:org.secpod.oval:def:56937
This policy setting allows you to configure behavior monitoring. If you enable or do not configure this setting, behavior monitoring will be enabled. If you disable this setting, behavior monitoring will be disabled. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Component ...

oval:org.secpod.oval:def:56940
Shows or hides hibernate from the power options menu. If you enable this policy setting, the hibernate option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). If you disable this policy setting, the hibernate option will never be shown in the ...

oval:org.secpod.oval:def:56673
Verifies potential file system corruptions. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Spot Verifier (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\svsvc!Start

oval:org.secpod.oval:def:56864
This policy setting determines whether the system records an event in the Application log when users reach their disk quota warning level on a volume. If you enable this policy setting, the system records an event. If you disable this policy setting, no event is recorded. When you enable or disable ...

oval:org.secpod.oval:def:56717
Enables and disables disk quota management on all NTFS volumes of the computer, and prevents users from changing the setting. If you enable this setting, disk quota management is enabled, and users cannot disable it. If you disable the setting, disk quota management is disabled, and users cannot e ...

oval:org.secpod.oval:def:56938
This policy setting allows you to configure scanning for all downloaded files and attachments. If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. If you disable this setting, scanning for all downloaded files and attachments will be d ...

oval:org.secpod.oval:def:56396
This policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity. Note: For a domain controller to request compound authentication, the policies KDC support for claims, compound authentication, and Kerberos armoring and ...

oval:org.secpod.oval:def:56571
This policy setting allows you to configure whether or not Watson events are sent. If you enable or do not configure this setting, Watson events will be sent. If you disable this setting, Watson events will not be sent. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Compon ...

oval:org.secpod.oval:def:56062
This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance. If you enable this policy setting, log files will be generated. If you disable this policy setting, log files will not be generated. If you do not confi ...

oval:org.secpod.oval:def:56139
If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index. Default is disabl ...

oval:org.secpod.oval:def:56729
Provides DirectAccess status notification for UI components. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Network Connectivity Assistant (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NcaSvc!Start

oval:org.secpod.oval:def:56543
This policy setting allows you to configure the automatic scan which starts after a definition update has occurred. If you enable or do not configure this setting, a scan will start following a definition update. If you disable this setting, a scan will not start following a definition update. F ...

oval:org.secpod.oval:def:56814
This policy setting prevents connected users from being enumerated on domain-joined computers. If you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers. If you disable or do not configure this policy setting, connected users will be enumerat ...

oval:org.secpod.oval:def:56243
The Diagnostic System Host service enables problem detection, troubleshooting and resolution for Windows components. If this service is stopped, some diagnostics will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Comput ...

oval:org.secpod.oval:def:56140
This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. If you enable this policy setting, Windows Store apps that typically require a Microsoft account to si ...

oval:org.secpod.oval:def:57115
Disables a user notification when the battery capacity remaining equals the low battery notification level. If you enable this policy, Windows will not show a notification when the battery capacity remaining equals the low battery notification level. To configure the low battery notification level, ...

oval:org.secpod.oval:def:56430
Specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. If this policy setting is enabled, IDNs are converted to the Nameprep form. If this policy setting is disabled, or if this policy setting is ...

oval:org.secpod.oval:def:56632
This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system. Note that this setting will have no impact when applied to the domain controller organizational unit via group policy because domain c ...

oval:org.secpod.oval:def:56150
Determines and verifies the identity of an application. Disabling this service will prevent AppLocker from being enforced. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Application Identity (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\App ...

oval:org.secpod.oval:def:57034
Allow Automatic Sleep with Open Network Files. If you enable this policy setting, the computer will automatically sleep when network files are open. If you disable this policy setting, the computer will not automatically sleep when network files are open. Fix: (1) GPO: Computer Configuration\Adm ...

oval:org.secpod.oval:def:56253
This policy setting controls computer restart performance at the risk of exposing BitLocker secrets. This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material used to encrypt data. This policy setting applies only when BitLocker protection is enabled. If you ...

oval:org.secpod.oval:def:57080
This policy setting allows you to specify whether the client default printer is automatically set as the default printer in a session on an RD Session Host server. By default, Remote Desktop Services automatically designates the client default printer as the default printer in a session on an RD Se ...

oval:org.secpod.oval:def:57065
Provides services for configuration, scheduling, and generation of storage reports. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!File Server Storage Reports Manager (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\srmreports!Start

oval:org.secpod.oval:def:56846
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. If you disable or do not configure ...

oval:org.secpod.oval:def:56989
Directs the system to wait for the logon scripts to finish running before it starts the Windows Explorer interface program and creates the desktop. If you enable this setting, Windows Explorer does not start until the logon scripts have finished running. This setting ensures that logon script proce ...

oval:org.secpod.oval:def:56881
This policy setting allows you to manage whether a user can run the Firefox web browser or not. This policy sets AppLocker rules to prevent users from running the Internet Explorer web browser. If you enable this setting, users will be unable to run the Internet Explorer web browser. If you disabl ...

oval:org.secpod.oval:def:56279
Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any servi ...

oval:org.secpod.oval:def:57033
Specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon. If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client ...

oval:org.secpod.oval:def:56930
Shows or hides sleep from the power options menu. If you enable this policy setting, the sleep option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). If you disable this policy setting, the sleep option will never be shown in the Power Optio ...

oval:org.secpod.oval:def:57153
Manages authentication, authorization, auditing, and accounting for virtual private network (VPN), dial-up, 802.1x wireless or Ethernet switch connection attempts sent by access servers that are compatible with the IETF RADIUS protocol. If this service is stopped, users might be unable to obtain a V ...

oval:org.secpod.oval:def:57208
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall wi ...

oval:org.secpod.oval:def:56134
This policy setting denies read access to the CD and DVD removable storage class. If you enable this policy setting, read access will be denied to this removable storage class. If you disable or do not configure this policy setting, read access will be allowed to this removable storage class. Fi ...

oval:org.secpod.oval:def:56271
This policy setting determines whether users' private keys (such as their S-MIME keys) require a password to be used. If you configure this policy setting so that users must provide a password 'distinct from their domain password' every time that they use a key, then it will be more difficu ...

oval:org.secpod.oval:def:56424
Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fa ...

oval:org.secpod.oval:def:56528
Provides content indexing and property caching for file, email and other content (via extensibility APIs). The service responds to file and email notifications to index modified content. If the service is stopped or disabled, the Explorer will not be able to display virtual folder views of items, an ...

oval:org.secpod.oval:def:56476
This policy setting configures whether or not locations on removable drives can be added to libraries. If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed. If you disable or do not configure thi ...

oval:org.secpod.oval:def:57111
Enables Serverless Peer Name Resolution over the Internet. If disabled some Peer to Peer and Collaborative applications such as Windows Meetings may not work. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Peer Name Resolution Protocol (2) REG: HKEY_LOCAL_ ...

oval:org.secpod.oval:def:56969
Checks for new signatures before running scheduled scans. If you enable this policy setting, the scheduled scan checks for new signatures before it scans the computer. If you disable or do not configure this policy setting, the scheduled scan begins without downloading new signatures. Fix: (1) G ...

oval:org.secpod.oval:def:56473
This policy setting allows an administrator to configure extensive logging for computers that are running Server for Network Information Service (NIS). Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Server for NIS!Turn on extensive logging for Active Directory Do ...

oval:org.secpod.oval:def:56142
Provides launch functionality for DCOM services. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!DCOM Server Process Launcher (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DcomLaunch!Start

oval:org.secpod.oval:def:56748
This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A sy ...

oval:org.secpod.oval:def:56765
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Network Connections (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ser ...

oval:org.secpod.oval:def:56928
This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting. If you enable this setting, network files will be scanned. If you disable or do not configure this setting, network files will not be scanned. Fix: (1) GPO: Computer Con ...

oval:org.secpod.oval:def:56716
This policy setting controls whether the LPRemove task will run to clean up language packs installed on a machine but are not used by any users on that machine. If you enable this policy setting, language packs that are installed as part of the system image will remain installed even if t ...

oval:org.secpod.oval:def:56905
The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none are found in the same site, a DC in another site, which might be several site-hops away, c ...

oval:org.secpod.oval:def:56126
This policy setting controls whether or not the system displays information about previous logons and logon failures to the user. For local user accounts and domain user accounts in Microsoft Windows Server 2008 functional level domains, if you enable this setting, a message appears after the user ...

oval:org.secpod.oval:def:56314
This policy setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use setting is in effect. If you enable both policies, an audit event will be generated for every file that is backed up or restored. If the Audit: Audit the use of ...

oval:org.secpod.oval:def:57212
This policy setting allows you to control whether a domain user can sign in using a PIN. If you enable this policy setting, a domain user can set up and sign in with a PIN. If you disable or don't configure this policy setting, a domain user can't set up and use a PIN. Note that ...

oval:org.secpod.oval:def:56970
Specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file. If you enable this policy setting, Sound Recorder will not run. If you disab ...

oval:org.secpod.oval:def:56265
This policy setting enables or disables an HTTPS listener created for backward compatibility purposes in the Windows Remote Management (WinRM) service. When certain port 443 listeners are migrated to WinRM 2.0, the listener port number changes to 5986. A listener may be automat ...

oval:org.secpod.oval:def:56962
Allows you to disable System Restore. System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume. If you enable this setting, System Restore is turned off, a ...

oval:org.secpod.oval:def:56409
Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. Use this option to log when Windows Firewall with Advanced Security allows ...

oval:org.secpod.oval:def:56217
Windows 7 and Windows Server 2008 R2 introduce an extension to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decides whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts, which is treated as an authentication pro ...

oval:org.secpod.oval:def:57121
It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network. To reduce the possibility of such an event, only administrators should be a ...

oval:org.secpod.oval:def:56353
This policy allows you to prevent Windows from sending an error report when a device driver requests additional software during installation. If you enable this policy setting, Windows does not send an error report when a device driver that requests additional software is installed. If you disable ...

oval:org.secpod.oval:def:56610
Provides a platform for communication between the virtual machine and the operating system running on the physical computer. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Hyper-V Remote Desktop Virtualization Service (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\Cur ...

oval:org.secpod.oval:def:56231
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. Important If you set Outbound connections to Block and then deploy the firewall policy ...

oval:org.secpod.oval:def:56327
This service logs unique client access requests in the form of IP addresses and user names of installed products and roles on the local server. This information can be queried via PowerShell by administrators needing to quantify client demand of server software for offline Client Access License (CAL ...

oval:org.secpod.oval:def:56646
Removes validated remote access clients from the quarantine network. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Remote Access Quarantine Agent (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\rqs!Start

oval:org.secpod.oval:def:56567
Allows you to disable Windows Messenger. If you enable this setting, Windows Messenger will not run. If you disable or do not configure this setting, Windows Messenger can be used. Note: If you enable this setting, Remote Assistance also cannot use Windows Messenger. Note: This setting is availa ...

oval:org.secpod.oval:def:56272
The registry value entry Hidden was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\ registry key. The entry appears as MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) in the SCE. ...

oval:org.secpod.oval:def:57224
The IIS Admin Service allows administration of IIS components such as FTP, application pools, Web sites, Web service extensions, and both Network News Transfer Protocol (NNTP) and Simple Mail Transfer Protocol (SMTP) virtual servers. If you stop or disable this service, you will not be able to run W ...

oval:org.secpod.oval:def:56647
Creates and maintains client network connections to remote servers using the SMB protocol. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Configuration\Windows Sett ...

oval:org.secpod.oval:def:57215
This policy setting allows you to prevent AutoPlay from remembering user's choice of what to do when a device is connected. If you enable this policy setting, AutoPlay prompts the user to choose what to do when a device is connected. If you disable or do not configure ...

oval:org.secpod.oval:def:56900
Enables a user connection request to be routed to the appropriate Remote Desktop Session Host server in a cluster. If this service is stopped, connection requests will be routed to the first available server. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!R ...

oval:org.secpod.oval:def:56104
This policy setting allows you to control whether Smart Card Plug and Play is enabled. If you enable or do not configure this policy setting, Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device driver when a card is inserted in a Smart Card Reader for ...

oval:org.secpod.oval:def:56209
Microsoft Windows will always unload the user's registry, even if there are any open handles to the per-user registry keys at user logoff. Using this policy setting, an administrator can negate this behavior, preventing Windows from forcefully unloading the user's registry at user logoff. Note: This ...

oval:org.secpod.oval:def:56026
This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can ...

oval:org.secpod.oval:def:56234
Software Licensing service. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Software Licensing (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\slsvc!Start

oval:org.secpod.oval:def:56228
Use this setting to configure additional protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials. On x86-based or x64-based devices that use Secure Boot and UEFI, a UEFI variable is set in the UEFI firmware when LSA protection is enabled ...

oval:org.secpod.oval:def:56164
This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its computer account password. If you disable this policy setting, the domain member can change its compu ...

oval:org.secpod.oval:def:56117
Allows or denies development of Windows Store applications without installing a developer license. If you enable this setting and enable the Allow all trusted apps to install Group Policy, you can develop Windows Store apps without installing a developer license. If you disable or ...

oval:org.secpod.oval:def:56674
Provides internal relational database services for use by Windows Server features and roles. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Windows Internal Database (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSSQL$MICROSOFT##WID!Start

oval:org.secpod.oval:def:56376
Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Se ...

oval:org.secpod.oval:def:56149
Specifies whether to prevent the sharing of clipboard contents (clipboard redirection) between a remote computer and a client computer during a Remote Desktop Services session. You can use this setting to prevent users from redirecting clipboard data to and from the remote computer and the local co ...

oval:org.secpod.oval:def:56038
This policy setting specifies whether the UDP protocol will be used to access servers via Remote Desktop Protocol. If you enable this policy setting, Remote Desktop Protocol traffic will only use the TCP protocol. If you disable or do not configure this policy setting, Remote Desktop Protocol traf ...

oval:org.secpod.oval:def:56728
Enables the detection, download, and installation of updates for Windows and other programs. If this service is disabled, users of this computer will not be able to use Windows Update or its automatic updating feature, and programs will not be able to use the Windows Update Agent (WUA) API. Fix: ( ...

oval:org.secpod.oval:def:56337
This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced DEP. DEP is designed to block malicious code that takes advantage of exception-handling mechanisms in Windows. If you enable this policy setting, DEP for HTML Help Executable will be ...

oval:org.secpod.oval:def:56820
The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled. This security setting determines the number of failed logon attempts that causes the machine to be locke ...

oval:org.secpod.oval:def:56958
Server for NIS (UNIX-RPC) Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Server for NIS (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nissvc!Start

oval:org.secpod.oval:def:56738
This policy setting allows other users on the network to connect to the computer and is required by various network protocols that include Server Message Block (SMB) based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+). When configuring a user right i ...

oval:org.secpod.oval:def:56602
This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and ...

oval:org.secpod.oval:def:56819
This policy setting deletes all data stored on Windows SideShow-compatible devices (running Microsoft firmware) when a user logs off from the computer. This is a security precaution but it significantly limits the usefulness of the devices. If you enable this policy setting, all data stored on devi ...

oval:org.secpod.oval:def:56356
By default, when a Peer Group is created that allows for password-authentication (or the password for such a Group is changed), Peer Grouping validates that the password meets the password complexity requirements for the local system. Thus, it will not allow any passwords to be used for a Peer Group ...

oval:org.secpod.oval:def:56682
This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default settin ...

oval:org.secpod.oval:def:56880
This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer. If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer. If you disable or do not configure this policy setting, non-Enhanced Storag ...

oval:org.secpod.oval:def:56343
Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. If you enable this setting, users will no longer be able to enable or disable lock screen cam ...

oval:org.secpod.oval:def:57098
This service provides a Web Service interface to instances of the directory service (AD DS and AD LDS) that are running locally on this server. If this service is stopped or disabled, client applications, such as Active Directory PowerShell, will not be able to access or manage any directory service ...

oval:org.secpod.oval:def:56925
Provides Software Licensing activation and notification. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!SL UI Notification Service (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SLUINotify!Start

oval:org.secpod.oval:def:56330
This service manages persistent subscriptions to events from remote sources that support WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI-enabled event sources. The service stores forwarded events in a local Event Log. If this service is stopped or disabled event sub ...

oval:org.secpod.oval:def:57042
This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the dr ...

oval:org.secpod.oval:def:57176
This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. This policy setting determines whether the LDAP server requires a signature before it will negotiate with LDAP clients. Fix: (1) GPO: Computer Configurat ...

oval:org.secpod.oval:def:56911
This policy setting allows you to determine how drivers signed by a Microsoft Windows Publisher certificate are ranked with drivers signed by other valid Authenticode signatures during the driver selection and installation process. Regardless of this policy setting, a signed driver is still preferre ...

oval:org.secpod.oval:def:56441
The Message Queuing Down Level Clients service provides Active Directory access for Windows NT 4.0, Windows 95, Windows 98, Windows Millennium Edition, and Windows 2000 clients that use the Message Queuing service on domain controllers. The Message Queuing service optionally uses information that is ...

oval:org.secpod.oval:def:56112
This policy setting allows an administrator to turn on the Windows to Network Information Service (NIS) password synchronization for UNIX-based user accounts that have been migrated to Active Directory Domain Services. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Component ...

oval:org.secpod.oval:def:56702
Windows Messenger is automatically loaded and running when a user logs on to a Windows XP computer. You can use this setting to stop Windows Messenger from automatically being run at logon. If you enable this setting, Windows Messenger will not be loaded automatically when a user logs on. If you d ...

oval:org.secpod.oval:def:56083
This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a domain. If you enable this policy setting, ECC certificates on a smart card can be used to log on to a domain. If you disable or do not configure this policy ...

oval:org.secpod.oval:def:56862
This policy setting allows you to manage whether a user can run the Google Chrome web browser or not. This policy sets AppLocker rules to prevent users from running the Firefox web browser. If you enable this setting, users will be unable to run the Google Chrome web browser. If you disable or do ...

oval:org.secpod.oval:def:56420
Disables Hybrid Sleep. If you enable this policy setting, a hiberfile is not generated when the system transitions to sleep (Stand By). If you do not configure this policy setting, users can see and change this setting. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Power M ...

oval:org.secpod.oval:def:56188
This setting determines the behavior of the default consent setting in relation to custom consent settings. If this setting is enabled, the default Consent level setting will always override any other consent setting. If this setting is disabled or not configured, each custom consent setting will de ...

oval:org.secpod.oval:def:56751
The registry value entry DisableIPSourceRouting was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) in the S ...

oval:org.secpod.oval:def:56587
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Remote Access Auto Connection Manager (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\servic ...

oval:org.secpod.oval:def:56887
This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0. If you enable this setting, archive files will be scanned to the directory depth level specified. If you ...

oval:org.secpod.oval:def:56595
Coordinates the communications that are required to use Volume Shadow Copy Service to back up applications and data on this virtual machine from the operating system on the physical computer. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Hyper-V Volume Sha ...

oval:org.secpod.oval:def:56607
AD DS Domain Controller service. If this service is stopped, users will be unable to log on to the network. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Active Directory Domain Services (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NTDS!S ...

oval:org.secpod.oval:def:57158
Enables pairing between the system and wired or wireless devices. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Device Association Service (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DeviceAssociationService!Start

oval:org.secpod.oval:def:56250
This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. If you enable this policy se ...

oval:org.secpod.oval:def:56407
Determines whether disk quota limits are enforced and prevents users from changing the setting. If you enable this setting, disk quota limits are enforced. If you disable this setting, disk quota limits are not enforced. When you enable or disable the setting, the system disables the Deny disk spac ...

oval:org.secpod.oval:def:57090
The AD FS Web Agent Authentication Service validates incoming authentication requests. Users are either allowed or denied access to web applications based on their security token and the permissions on the application. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System ...

oval:org.secpod.oval:def:56438
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts CredSSP authentication from a remote client. If you enable this policy setting, the WinRM service will accept CredSSP authentication from a remote client. If you disable or do not ...

oval:org.secpod.oval:def:56090
Enables the physical Location Tracking setting for Windows printers. Use Location Tracking to design a location scheme for your enterprise and assign computers and printers to locations in the scheme. Location Tracking overrides the standard method used to locate and associate computers and printer ...

oval:org.secpod.oval:def:56515
This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy w ...

oval:org.secpod.oval:def:56868
This setting allows members of the Everyone group to run applications that are located in (or beneath) the Windows folder. If you enable this setting, members of the Everyone group will be able to run applications that are located in (or beneath) the Windows folder. If you disable this setting, me ...

oval:org.secpod.oval:def:56193
This policy setting specifies whether Windows will allow console applications and GUI applications without visible top-level windows to block or cancel shutdown. By default, such applications are automatically terminated if they attempt to cancel shutdown or block it indefinitely. If you enable thi ...

oval:org.secpod.oval:def:56735
This policy setting determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. It enables or disables certificate rules (a type of software restriction policies rule). With soft ...

oval:org.secpod.oval:def:56455
This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy w ...

oval:org.secpod.oval:def:56988
This policy setting denies execute access to the Tape Drive removable storage class. If you enable this policy setting, execute access will be denied to this removable storage class. If you disable or do not configure this policy setting, execute access will be allowed to this removable storage cl ...

oval:org.secpod.oval:def:56431
This policy setting allows an administrator to define the Direct Access connection to be considered a fast network connection for the purposes of applying and updating Group Policy. When Group Policy detects the bandwidth speed of a Direct Access connection, the detection can sometimes fail to prov ...

oval:org.secpod.oval:def:56575
This policy setting turns off scripting for the location feature. If you enable this policy setting, scripts for the location feature will not run. If you disable or do not configure this policy setting, all location scripts will run. Fix: (1) GPO: Computer Configuration\Administ ...

oval:org.secpod.oval:def:56532
This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on cell phone or broadband plans. If you enable this setting, synchronization can occur in the background when the user's network is roaming, near, or over the plan ...

oval:org.secpod.oval:def:56178
This policy setting determines whether the desktop is always displayed after a client connects to a remote computer or an initial program can run. It can be used to require that the desktop be displayed after a client connects to a remote computer, even if an initial program is already specified in ...

oval:org.secpod.oval:def:57083
This policy determines if v4 printer drivers are allowed to run printer extensions. V4 printer drivers may include an optional, customized user interface known as a printer extension. These extensions may provide access to more device features, but this may not be appropriate for all enterp ...

oval:org.secpod.oval:def:57089
This policy setting determines whether domain users can log on or elevate User Account Control (UAC) permissions using biometrics. By default, domain users cannot use biometrics to log on. If you enable this policy setting, domain users can log on to a Windows-based computer using biometrics. Depen ...

oval:org.secpod.oval:def:56342
Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades. When this policy is enabled, programs are not able to acquire lice ...

oval:org.secpod.oval:def:56994
Turns off the boot and resume optimizations for the hybrid hard disks in the system. If you enable this policy setting, the system does not use the non-volatile (NV) cache to optimize boot and resume. If you disable this policy setting, the system uses the NV cache to achieve faster boot and resum ...

oval:org.secpod.oval:def:56789
Prevents users from changing the background image shown when the machine is locked. By default, users can change the background image shown when the machine is locked. If you enable this setting, the user will not be able to change their lock screen image, and they will instead see the image set p ...

oval:org.secpod.oval:def:57134
Manages requests made by Pre-Boot eXecution Environment (PXE) enabled client computers. If this service is stopped, PXE-enabled client computers will be unable to install Windows remotely or use other Windows Deployment Services-based tools. Fix: (1) GPO: Computer Configuration\Windows Settings\Se ...

oval:org.secpod.oval:def:56934
By default, all administrator accounts are displayed when you attempt to elevate a running application. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Credential User Interface!Enumerate administrator accounts on elevation (2) REG: HKEY_LOCAL_MACHINE\Software\Mic ...

oval:org.secpod.oval:def:56727
Specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP ...

oval:org.secpod.oval:def:56995
This setting lets you disable the data file backup functionality. If this setting is enabled, users cannot back up data files. If this setting is disabled or not configured, users can back up data files. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Backup\Clie ...

oval:org.secpod.oval:def:56450
This setting forces the user to log on to the computer using the classic logon screen. By default, a workgroup is set to use the simple logon screen. This setting only works when the computer is not on a domain. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Logon!Always use ...

oval:org.secpod.oval:def:56510
Provides Identity services for Peer Networking. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Peer Networking Identity Manager (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\p2pimsvc!Start

oval:org.secpod.oval:def:56981
This policy setting specifies whether to enable or disable tracking of responsiveness events. If you enable this policy setting, responsiveness events are processed and aggregated. The aggregated data will be transmitted to Microsoft through SQM. If you disable this policy setting, responsiveness ...

oval:org.secpod.oval:def:57206
This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it. You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and the session is deleted from the server) after time limits ...

oval:org.secpod.oval:def:56339
Enables applications and services to prevent the system from sleeping. If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). If you disable this policy setting or do not configure it, users can see and change this ...

oval:org.secpod.oval:def:56389
This policy setting denies write access to the Tape Drive removable storage class. If you enable this policy setting, write access will be denied to this removable storage class. If you disable or do not configure this policy setting, write access will be allowed to this removable storage class. ...

oval:org.secpod.oval:def:56998
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not accept Kerberos credentials over the network. If you enable this policy setting, the WinRM service will not accept Kerberos credentials over the network. If you disable or do not configure this ...

oval:org.secpod.oval:def:56694
Specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote computer to local LPT port peripherals. By default, Remote Desktop Services ...

oval:org.secpod.oval:def:56739
This policy setting determines which subsystems are used to support applications in your environment. Note: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the l ...

oval:org.secpod.oval:def:56113
This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the Retain old events policy setting is enabled. If you enable this policy setting and the Retain old events policy setting is enabled, the Event Log file is automatically closed and ...

oval:org.secpod.oval:def:56183
Use this option to specify the size limit of the file in which Windows Firewall will write its log information. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain ...

oval:org.secpod.oval:def:56311
This service manages events and event logs. It supports logging events, querying events, subscribing to events, archiving event logs, and managing event metadata. It can display events in both XML and plain text format. Stopping this service may compromise security and reliability of the system. F ...

oval:org.secpod.oval:def:57009
This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. ...

oval:org.secpod.oval:def:56404
This policy setting enables or disables PNRP cloud creation. PNRP is a distributed name resolution protocol allowing Internet hosts to publish peer names with a corresponding Internet Protocol version 6 (IPv6) address. Other hosts can then resolve the name, retrieve the corresponding address, and e ...

oval:org.secpod.oval:def:56202
Specifies whether or not the user is prompted for a password when the system resumes from sleep. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings!Specifies whether or not the user is prompted for a password when the system resumes from sleep. (2 ...

oval:org.secpod.oval:def:56359
This policy setting specifies whether Terminal Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Terminal Services, even if they already provided the password in the Remote Desktop Connecti ...

oval:org.secpod.oval:def:56790
This policy setting causes the run once list, which is the list of programs that Windows runs automatically when it starts, to be ignored. This policy setting differs from the Do not process the legacy run list setting in that programs on this list will run once the next time the client computer res ...

oval:org.secpod.oval:def:56203
The Extensible Authentication Protocol (EAP) service provides network authentication in such scenarios as 802.1x wired and wireless, VPN, and Network Access Protection (NAP). EAP also provides application programming interfaces (APIs) that are used by network access clients, including wireless and V ...

oval:org.secpod.oval:def:57041
This policy setting allows you to manage the reading of all certificates from the smart card for logon. During logon Windows will by default only read the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This setting forces Windows to read a ...

oval:org.secpod.oval:def:57077
This policy setting allows you to manage whether backups of a machine can run to a network share or not. If you enable this policy setting, machine administrator/backup operator cannot use Windows Server Backup to run backups to a network share. If you disable or do not configure this policy setti ...

oval:org.secpod.oval:def:56326
This security setting determines which users and groups have the authority to synchronize all directory service data. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment!Synchronize directory service data (2) WMI: root\rsop\computer#RSOP_U ...

oval:org.secpod.oval:def:56636
Use this option to specify the path and name of the file in which Windows Firewall will write its log information. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Sett ...

oval:org.secpod.oval:def:56205
This policy setting requires users to enter a default personal identification number (PIN) to unlock and access data on the device after a specified period of inactivity (time-out period). This setting applies to Windows SideShow-compatible devices running Microsoft firmware. If you enable this pol ...

oval:org.secpod.oval:def:56803
If enabled then do not allow the initiator iqn name to be changed. If disabled then the initiator iqn name may be changed. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\iSCSI\General iSCSI!Do not allow changes to initiator iqn name (2) REG: HKEY_LOCAL_MACHINE\Software\Polic ...

oval:org.secpod.oval:def:57230
Prevents users from searching for installation files when they add features or components to an installed program. This setting disables the Browse button beside the Use feature from list in the Windows Installer dialog box. As a result, users must select an installation file source from the Use fe ...

oval:org.secpod.oval:def:56704
Use this option to specify the size limit of the file in which Windows Firewall will write its log information. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Privat ...

oval:org.secpod.oval:def:56120
This policy setting lets you select the local PC as the default save location. It does not prevent apps and users from saving files on OneDrive. If you enable this policy setting, files will be saved locally by default. Users will still be able to change the value of this setting to save to OneDri ...

oval:org.secpod.oval:def:56854
This policy setting allows you to specify the redirection method to use when a client device reconnects to an existing Remote Desktop Services session in a load-balanced RD Session Host server farm. This setting applies to an RD Session Host server that is configured to use RD Connection Broker; not ...

oval:org.secpod.oval:def:56954
This policy setting turns off the active tests performed by the Windows Network Connectivity Status Indicator (NCSI) to determine whether your computer is connected to the Internet or to a more limited network. As part of determining the connectivity level, NCSI performs one of two active tests: do ...

oval:org.secpod.oval:def:56360
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. If you enable this policy setting, the WinRM service automatically listens on the network for requests o ...

oval:org.secpod.oval:def:56384
This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers. If you enable or do not configure this policy setting, users can access and run the ...

oval:org.secpod.oval:def:56232
This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. Note this does not affect the availability of user input methods on the lock screen or ...

oval:org.secpod.oval:def:56115
This policy controls the state of the Program Compatibility Assistant in the system. The PCA monitors user initiated programs for known compatibility issues at run time. Whenever a potential issue with an application is detected, the PCA will prompt the user with pointers to recommended solutions. ...

oval:org.secpod.oval:def:56807
Internet Protocol security (IPsec) supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. This service enforces IPsec policies created through the IP Security Policies snap-in or the command-line tool netsh ip ...

oval:org.secpod.oval:def:56194
This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. If you enable this policy setting, Windows will ignore the computer's default list of blocked TPM commands and will only block those TPM commands spec ...

oval:org.secpod.oval:def:56295
Prevents Windows Explorer from encrypting files that are moved to an encrypted folder. If you disable this setting or do not configure it, Windows Explorer automatically encrypts files that are moved to an encrypted folder. This setting applies only to files moved within a volume. When files are m ...

oval:org.secpod.oval:def:56495
This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking 'Yes' when they ...

oval:org.secpod.oval:def:56094
This setting lets you disable file restore functionality. If this setting is enabled, the file restore program is disabled. If this setting is disabled or not configured, the file restore program is enabled and users can restore files. Fix: (1) GPO: Computer Configuration\Administrative Template ...

oval:org.secpod.oval:def:56508
Enables you to send and receive faxes, utilizing fax resources on this computer on the network. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Fax (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Fax!Start

oval:org.secpod.oval:def:56683
This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Ad ...

oval:org.secpod.oval:def:56730
Provides a mechanism to shut down the operating system of this virtual machine from the management interfaces on the physical computer. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Hyper-V Guest Shutdown Service (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\Current ...

oval:org.secpod.oval:def:56375
Disables the remote desktop sharing feature of NetMeeting. Users will not be able to set it up or use it for controlling their computers remotely. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\NetMeeting!Disable remote Desktop Sharing (2) REG: HKEY_LOCAL_MACHINE ...

oval:org.secpod.oval:def:56469
Disables the Connect to a Network Projector wizard so that users cannot connect to a network projector. If you enable this policy, users cannot use the Connect to a Network Projector wizard to connect to a projector. If you disable this policy or do not configure it, users can run the Connect to a ...

oval:org.secpod.oval:def:56897
Configure access to all removable storage classes. This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. If you enable this policy setting, no access is allowed to any removable st ...

oval:org.secpod.oval:def:56681
This policy setting prevents a Federation Service in Active Directory Federation Services (AD FS) from being installed or run. If you enable this policy setting, installation of a Federation Service fails. If a Federation Service has already been installed, all requests made to it fail. If you dis ...

oval:org.secpod.oval:def:56755
Manages dial-up and virtual private network (VPN) connections from this computer to the Internet or other remote networks. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Servi ...

oval:org.secpod.oval:def:56471
Manages how Windows controls the setting that specifies how long a computer must be inactive before Windows turns off the computer's display. When this policy is enabled, Windows automatically adjusts the setting based on what users do with their keyboard or mouse to keep the display on. When this ...

oval:org.secpod.oval:def:56987
This policy setting prevents plaintext PINs from being returned by Credential Manager. If you enable this policy setting, Credential Manager does not return a plaintext PIN. If you disable or do not configure this policy setting, plaintext PINs can be returned by Credential Manager. Note: Enablin ...

oval:org.secpod.oval:def:56792
Provides notifications for AutoPlay hardware events. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Shell Hardware Detection (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ShellHWDetection!Start

oval:org.secpod.oval:def:56644
This policy setting allows you to turn off the automatic display of Server Manager at logon. If you enable this policy setting, Server Manager is not displayed automatically when an administrator logs on to the server. If you disable this policy setting, Server Manager is displayed automatically w ...

oval:org.secpod.oval:def:56480
System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed, so that users can restore their compu ...

oval:org.secpod.oval:def:56776
The Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components. If this service is stopped, diagnostics will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Configu ...

oval:org.secpod.oval:def:56472
Disables help tips that Windows shows to the user. By default, Windows will show the user help tips until the user has successfully completed the scenarios. If this setting is enabled, Windows will not show any help tips to the user. If this setting is disabled or not configured, Windows will sho ...

oval:org.secpod.oval:def:56408
This policy setting lets you hide the list of previous versions of files that are on file shares. The previous versions come from the on-disk restore points on the file share. If you enable this policy setting, users cannot list or restore previous versions of files on file shares. If you disable ...

oval:org.secpod.oval:def:56174
This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. Fix: (1) GPO: Computer Configuration\Windows Sett ...

oval:org.secpod.oval:def:56744
Dictates whether or not Windows is allowed to use standby states when sleeping the computer. When this policy is enabled, Windows may use standby states to sleep the computer. If this policy is disabled, the only sleep state a computer may enter is hibernate. Fix: (1) GPO: Computer Configuration\ ...

oval:org.secpod.oval:def:57068
This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the AT schedule facility. The impact of this policy setting configuration should be small for most organizations. Users, including those in the Server Operators group, will still be ab ...

oval:org.secpod.oval:def:57071
This policy setting determines which accounts will not be able to log on to the computer as a batch job. A batch job is not a batch (.bat) file, but rather a batch-queue facility. Accounts that use the Task Scheduler to schedule jobs need this user right. The Deny log on as a batch job user right o ...

oval:org.secpod.oval:def:57107
The IAS Jet Database Access service uses the Remote Authentication Dial-In User Service (RADIUS) protocol to provide authentication, authorization, and accounting services. It is only available in 64-bit versions of Windows. With Internet Authentication Services (IAS), you can centrally manage user ...

oval:org.secpod.oval:def:56442
Specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. If you enable this setting, it blocks users from connecting to Microsoft.com for online registration and users cannot register their copy of Windows online. If you disable or do not configure this ...

oval:org.secpod.oval:def:56304
This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device. If you enable this policy setting, o ...

oval:org.secpod.oval:def:56583
Data Deduplication VSS writer guided backup applications to back up volumes with deduplication. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Data Deduplication Volume Shadow Copy Service (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ddpvs ...

oval:org.secpod.oval:def:57156
This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file reaches i ...

oval:org.secpod.oval:def:56145
This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a domain controller cannot be contacted. This policy setting determines the number of unique use ...

oval:org.secpod.oval:def:57031
This policy setting limits a node to resolving, but not publishing, names in a specific Peer Name Resolution Protocol (PNRP) cloud. This policy setting forces computers to act as clients in peer-to-peer (P2P) scenarios. For example, a client computer can detect other computers to initiate chat sess ...

oval:org.secpod.oval:def:57072
Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note: When the Apply local firewall rules setting is configured to No, Microsoft recommends also configuring the Display a notification ...

oval:org.secpod.oval:def:56705
TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Please enable it if you want to use the APIs. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Filesystem\NTFS!Enable / disable TXF deprecated features (2) REG: HKEY_LOCAL_MACHINE\System\C ...

oval:org.secpod.oval:def:56402
This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. If you enable this policy setting, the advertising ID is turned off. Apps can't use the ID for experiences across apps. If you disable or do not configure this policy setting, ...

oval:org.secpod.oval:def:56873
This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user. If you enable this policy setting then an optional field that all ...

oval:org.secpod.oval:def:57047
This policy setting allows an administrator to turn on extensive logging for Password Synchronization. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Password Synchronization!Turn on extensive logging for Password Synchronization (2) REG: HKEY_LOCAL_MACHINE\Softw ...

oval:org.secpod.oval:def:56628
Denies or allows access to the Windows Mail application. If you enable this setting, access to the Windows Mail application is denied. If you disable or do not configure this setting, access to the Windows Mail application is allowed. Fix: (1) GPO: Computer Configuration\Administrative Templates ...

oval:org.secpod.oval:def:56401
This setting turns the Accounting feature On or Off. If you enable this setting, Windows System Resource Manager (WSRM) will start accounting various usage statistics of the processes. If you disable this setting, WSRM will stop logging usage statistics of processes. If you do not configure this ...

oval:org.secpod.oval:def:57117
Windows Internal Database Service. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Windows Internal Database (MICROSOFT##SSEE) (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mssql$microsoft##ssee!Start

oval:org.secpod.oval:def:56297
This entry appears as MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) in the SCE. This entry, when enabled, permits a server to automatically reboot after a fatal crash. It is enabled by default, which is undesirable ...

oval:org.secpod.oval:def:56475
This policy setting allows you to control whether or not Search can perform queries on the web, and if the web results are displayed in Search. If you enable this policy setting, queries won't be performed on the web and web results won't be displayed when a user performs a query ...

oval:org.secpod.oval:def:57100
Provides secure storage and retrieval of credentials to users, applications and security service packages. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Credential Manager (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VaultSvc!Start

oval:org.secpod.oval:def:57093
This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certai ...

oval:org.secpod.oval:def:57032
This policy setting allows you to restrict the installation of unsigned gadgets. Desktop gadgets can be deployed as compressed files, either digitally signed or unsigned. If you enable this setting, gadgets that have not been digitally signed will not be extracted. If you disable or do not config ...

oval:org.secpod.oval:def:56432
This policy setting denies read access to removable disks. If you enable this policy setting, read access will be denied to this removable storage class. If you disable or do not configure this policy setting, read access will be allowed to this removable storage class. Fix: (1) GPO: Computer Co ...

oval:org.secpod.oval:def:56741
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. In Windows Vista, the default behavior is to allow connections unless there are firewall rules that block the connection. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settin ...

oval:org.secpod.oval:def:56606
Resolves RPC interface identifiers to transport endpoints. If this service is stopped or disabled, programs using Remote Procedure Call (RPC) services will not function properly. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!RPC Endpoint Mapper (2) REG: ...

oval:org.secpod.oval:def:56779
Enables the detection, download and installation of device-related software. If this service is disabled devices may be configured with outdated software and may not work correctly. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Device Setup Manager (2) RE ...

oval:org.secpod.oval:def:56858
This setting disables PNRP protocol from advertising the computer or from searching other computers on the local subnet in the site local cloud. The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. One of the ways in which PNRP boo ...

oval:org.secpod.oval:def:57051
This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed. If you enable or do not configure this policy setting, a confirmation message will be displayed when a smart card device driver is installed. If you disable this poli ...

oval:org.secpod.oval:def:57130
If enabled then discovered targets may not be manually configured. If disabled then discovered targets may be manually configured. Note: if enabled there may be cases where this will break VDS. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\iSCSI\iSCSI Target Discovery!Do not ...

oval:org.secpod.oval:def:56558
Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. ...

oval:org.secpod.oval:def:56328
Enables remote users and 64-bit processes to query performance counters provided by 32-bit DLLs. If this service is stopped, only local users and 32-bit processes will be able to query performance counters provided by 32-bit DLLs. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Sett ...

oval:org.secpod.oval:def:56398
This policy setting controls the ability to turn off shared components. If you enable this policy setting, no packages on the system get the shared component functionality enabled by the msidbComponentAttributesShared attribute in the Component Table. If you disable or do not configure this policy ...

oval:org.secpod.oval:def:57174
This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. Microsoft recommends disabling this policy setting to restrict the ability to shut down the computer to ...

oval:org.secpod.oval:def:57086
The ActiveX Installer Service is the solution to delegate the install of per-machine ActiveX controls to a Standard User in the enterprise. The list of Approved ActiveX Install sites contains the host URL and the policy settings for each host URL. Wild cards are not supported. Fix: (1) GPO: Compu ...

oval:org.secpod.oval:def:56221
This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. Fix: (1) GPO: Computer ...

oval:org.secpod.oval:def:56192
This policy setting controls the Kerberos client's behavior in validating the KDC certificate. If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions ...

oval:org.secpod.oval:def:57010
This policy setting controls the state of Steps Recorder. Steps Recorder keeps a record of steps taken by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers understand and fix problems. The data includes user actions suc ...

oval:org.secpod.oval:def:57124
By enabling the policy, Administrators hide the Switch user button in the Logon UI, the Start menu and the Task Manager. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Logon!Hide entry points for Fast User Switching (2) REG: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr ...

oval:org.secpod.oval:def:56299
This policy setting controls the ability to prevent embedded UI. If you enable this policy setting, no packages on the system can run embedded UI. If you disable or do not configure this policy setting, embedded UI is allowed to run. Fix: (1) GPO: Computer Configuration\Administrative Templates\ ...

oval:org.secpod.oval:def:56753
This policy setting allows accounts to log on using the task scheduler service. Because the task scheduler is often used for administrative purposes, it may be needed in enterprise environments. However, its use should be restricted in high security environments to prevent misuse of system resources ...

oval:org.secpod.oval:def:56875
Turns off Real-Time Protection prompts for known malware detection. Windows Defender alerts you when spyware or potentially unwanted software attempts to install itself or to run on your computer. If you enable this policy setting, Windows Defender will not prompt users to take actions on malware ...

oval:org.secpod.oval:def:56511
This policy setting allows the Network Access Protection (NAP) client to support the Windows XP version of the 802.1x Enforcement Client component. If you enable this policy setting, NAP allows the Windows XP version of the 802.1x Wireless Enforcement Client to participate. If you disable or do no ...

oval:org.secpod.oval:def:57196
Enables you to synchronize folders on multiple servers across local or wide area network (WAN) network connections. This service uses the Remote Differential Compression (RDC) protocol to update only the portions of files that have changed since the last replication. Fix: (1) GPO: Computer Configu ...

oval:org.secpod.oval:def:56742
The registry value entry AutoAdminLogon was added to the template file in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ registry key. The entry appears as MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) in the Security Configuration Editor. This settin ...

oval:org.secpod.oval:def:56680
If this setting is enabled any additional data requests from Microsoft in response to a Windows Error Reporting event will be automatically declined without notice to the user. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting!Do not send addi ...

oval:org.secpod.oval:def:56237
The SNMP service allows incoming Simple Network Management Protocol (SNMP) requests to be serviced by the local computer. SNMP includes agents that monitor activity in network devices and report to the network console workstation. SNMP provides a method of managing network hosts such as workstation ...

oval:org.secpod.oval:def:57180
This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. Developers who are debugging their own applications do not need to be assigned this user ...

oval:org.secpod.oval:def:57026
Determines if dynamic update is enabled. Computers configured for dynamic update automatically register and update their DNS resource records with a DNS server. If you enable this setting, the computers to which this setting is applied may use dynamic DNS registration on each of their network conn ...

oval:org.secpod.oval:def:56146
Provides Web connectivity and administration through the Internet Information Services Manager. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!World Wide Web Publishing Service (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\w3svc!Start

oval:org.secpod.oval:def:56229
Specifies whether or not to log events when the pruning service on a domain controller attempts to contact a computer before pruning the computer's printers. The pruning service periodically contacts computers that have published printers to verify that the printers are still available for ...

oval:org.secpod.oval:def:56366
This policy setting disables the detection of slow network connections. Slow link detection measures the speed of the connection between a user's computer and the remote server that stores the roaming user profile. When the system detects a slow link, the related policy settings in this fo ...

oval:org.secpod.oval:def:56214
Manages download of game box art and ratings from the Windows Metadata Services. If you enable this setting, game information including box art and ratings will not be downloaded. If you disable or do not configure this setting, game information will be downloaded from Windows Metadata Services. ...

oval:org.secpod.oval:def:56783
Specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You may want to disable this service if you decide to use a third-party time provider. Fix: (1) GPO: Computer Configuration\Administra ...

oval:org.secpod.oval:def:56625
This policy controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. The compatibility property page displays a list of options that can be selected and applied to the ...

oval:org.secpod.oval:def:56137
If enabled then do not allow the initiator CHAP secret to be changed. If disabled then the initiator CHAP secret may be changed. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\iSCSI\iSCSI Security!Do not allow changes to initiator CHAP secret (2) REG: HKEY_LOCAL_MACHINE\Soft ...

oval:org.secpod.oval:def:56670
Propagates certificates from smart cards. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Certificate Propagation (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertPropSvc!Start

oval:org.secpod.oval:def:56772
Provides Telephony API (TAPI) support for programs that control telephony devices on the local computer and, through the LAN, on servers that are also running the service. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Telephony (2) REG: HKEY_LOCAL_MACHINE ...

oval:org.secpod.oval:def:56410
This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. ...

oval:org.secpod.oval:def:56157
Enables client computers to print to the Line Printer Daemon (LPD) service on this server using TCP/IP and the Line Printer Remote (LPR) protocol. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!LPD Service (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlS ...

oval:org.secpod.oval:def:56305
Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Syst ...

oval:org.secpod.oval:def:56519
This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configur ...

oval:org.secpod.oval:def:57030
This setting specifies whether the computer will act as a BITS peercaching client. By default, when BITS peercaching is enabled, the computer acts as both a peercaching server (offering files to its peers) and a peercaching client (downloading files from its peers). If you enable this setting, the ...

oval:org.secpod.oval:def:56110
Allows you to disable System Restore configuration through System Protection. System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. The behavior of this setting depends on the Turn off System Restore setting. If ...

oval:org.secpod.oval:def:56555
This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the Retain old events policy setting is enabled. If you enable this policy setting and the Retain old events policy setting is enabled, the Event Log file is automatically closed and ...

oval:org.secpod.oval:def:57023
This policy setting denies write access to the CD and DVD removable storage class. If you enable this policy setting, write access will be denied to this removable storage class. If you disable or do not configure this policy setting, write access will be allowed to this removable storage class. ...

oval:org.secpod.oval:def:56624
Enables DNS clients to resolve DNS names by answering DNS queries and dynamic DNS update requests. If this service is stopped, DNS updates will not occur. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Configuration\Windows Setting ...

oval:org.secpod.oval:def:56177
This policy will enable the Enhanced Storage device to be locked when the computer is locked. This policy is supported in Windows Enterprise and Business SKUs only. If you enable this policy setting, the Enhanced Storage device will remain locked when the computer is locked. If you disable or do ...

oval:org.secpod.oval:def:56841
This setting disables PNRP protocol from advertising the computer or from searching other computers on the local subnet in the link local cloud. The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. One of the ways in which PNRP boo ...

oval:org.secpod.oval:def:56310
This setting allows you to enable or disable Resultant Set of Policy (RSoP) logging on a client computer. RSoP logs information on Group Policy settings that have been applied to the client. This information includes details such as which Group Policy objects (GPO) were applied, where they came fro ...

oval:org.secpod.oval:def:56039
This policy setting disallows AutoPlay for MTP devices like cameras or phones. If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices. ...

oval:org.secpod.oval:def:57073
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Configuration\Windows ...

oval:org.secpod.oval:def:56303
When enabled, this policy setting causes Local System services that use Negotiate to use the computer identity when NTLM authentication is selected by the negotiation. This policy is supported on at least Windows 7 or Windows Server 2008 R2. This policy setting allows Local System services that us ...

oval:org.secpod.oval:def:56668
This security setting determines whether domain controllers will refuse requests from member computers to change computer account passwords. By default, member computers change their computer account passwords every 30 days. If enabled, the domain controller will refuse computer account password cha ...

oval:org.secpod.oval:def:56081
This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists such as threats and Exclusions. If you enable or do not configure this setting, unique items defined in Group Policy and in pref ...

oval:org.secpod.oval:def:56608
Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is d ...

oval:org.secpod.oval:def:56569
This policy setting determines whether Group Policy processing is synchronous (that is, whether computers wait for the network to be fully initialized during computer startup and user logon). By default, on client computers, Group Policy processing is not synchronous; client computers typically do n ...

oval:org.secpod.oval:def:56346
This policy prevents the user from customizing their locale by changing their user overrides. Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. When this policy i ...

oval:org.secpod.oval:def:56637
Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Se ...

oval:org.secpod.oval:def:56535
This policy setting allows you to configure definition updates on startup when there is no antimalware engine present. If you enable or do not configure this setting, definition updates will be initiated on startup when there is no antimalware engine present. If you disable this setting, definitio ...

oval:org.secpod.oval:def:56586
This policy setting determines which users can create symbolic links. In Windows Vista, existing NTFS file system objects, such as files and folders, can be accessed by referring to a new kind of file system object called a symbolic link. A symbolic link is a pointer (much like a shortcut or .lnk fi ...

oval:org.secpod.oval:def:56446
This policy setting displays the instructions in startup scripts as they run. Startup scripts are batch files of instructions that run before the user is invited to log on. By default, the system does not display the instructions in the startup script. If you enable this policy setting, the system ...

oval:org.secpod.oval:def:56171
Enables remote and delegated management capabilities for administrators to manage the Web server, sites, and applications present on this machine. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Web Management Service (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\Curr ...

oval:org.secpod.oval:def:56211
This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker. Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker. If you en ...

oval:org.secpod.oval:def:56550
This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do not turn off heuristics. If you enable or do not configu ...

oval:org.secpod.oval:def:56731
Identifies the networks to which the computer has connected, collects and stores properties for these networks, and notifies applications when these properties change. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Network List Service (2) REG: HKEY_LOCAL_ ...

oval:org.secpod.oval:def:56053
This policy setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. Although this policy setting increases security, most public Web sites that are secured with TLS or SSL do not support th ...

oval:org.secpod.oval:def:57096
Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Config ...

oval:org.secpod.oval:def:56334
When using Microsoft Office Outlook in online mode, you can enable this policy to control how fast online mail is indexed on a Microsoft Exchange server. The lower you set this policy, the lower the burden will be on the corresponding Microsoft Exchange server. The default value for this policy is 1 ...

oval:org.secpod.oval:def:56752
This policy setting allows you to specify which version of Remote Desktop Services client access license (RDS CAL) a Remote Desktop Services license server will issue to clients connecting to RD Session Host servers running other Windows-based operating systems. A license server attempts to provide ...

oval:org.secpod.oval:def:56777
This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies. Note: This security setting does not apply to the System, Local Service, or N ...

oval:org.secpod.oval:def:56437
If enabled then new target portals may not be added and thus new targets discovered on those portals; existing target portals may not be removed. If disabled then new target portals may be added and thus new targets discovered on those portals; existing target portals may be removed. Fix: (1) GPO: ...

oval:org.secpod.oval:def:56275
This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain the user's account name or parts of the user's full name that exceed tw ...

oval:org.secpod.oval:def:56414
This policy setting denies read access to the Tape Drive removable storage class. If you enable this policy setting, read access will be denied to this removable storage class. If you disable or do not configure this policy setting, read access will be allowed to this removable storage class. Fi ...

oval:org.secpod.oval:def:56788
This policy setting controls whether a BitLocker-protected computer that is connected to a trusted wired Local Area Network (LAN) and joined to a domain can create and use Network Key Protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started. ...

oval:org.secpod.oval:def:56349
This policy setting allows you to configure IP Stateless Autoconfiguration Limits. If you enable or do not configure this policy setting, IP Stateless Autoconfiguration Limits will be enabled and system will limit the number of autoconfigured addresses and routes. If you disable this policy settin ...

oval:org.secpod.oval:def:56340
Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By default, users can enable a slide show that will run after they lock the machine. If you enable this setting, users will no longer be able to modify slide show settings in PC S ...

oval:org.secpod.oval:def:56066
Directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all of their functions unless Windows has inte ...

oval:org.secpod.oval:def:56165
Dictates whether or not Windows is allowed to use standby states when sleeping the computer. When this policy is enabled, Windows may use standby states to sleep the computer. If this policy is disabled, the only sleep state a computer may enter is hibernate. Fix: (1) GPO: Computer Configuration\ ...

oval:org.secpod.oval:def:56743
ASP.NET State Service provides support for out-of-process session states for Microsoft ASP.NET, a unified Web development platform. ASP.NET has a concept of session state - a listing of values associated with the client session is accessible from ASP.NET pages through the Session property. Three opt ...

oval:org.secpod.oval:def:56395
This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified def ...

oval:org.secpod.oval:def:56907
Turns off Windows Network Isolation's automatic discovery of private network hosts in the domain corporate environment. If you enable this policy setting, it turns off Windows Network Isolation's automatic discovery of private network hosts in the domain corporate environment. On ...

oval:org.secpod.oval:def:56315
When an application attempts to make a remote procedure call (RPC) to this server with a NULL value for the service principal name (SPN), computers running Windows 7 will attempt to use Kerberos by generating an SPN. This policy setting allows you to configure this server so that Kerberos can decryp ...

oval:org.secpod.oval:def:56316
Shows or hides lock from the user tile menu. If you enable this policy setting, the lock option will be shown in the User Tile menu. If you disable this policy setting, the lock option will never be shown in the User Tile menu. If you do not configure this policy setting, users will be able to ch ...

oval:org.secpod.oval:def:56579
This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use. If you enable or do not configure this setting, scheduled scans will only run when the computer is on but not in use. If you disable this setting, scheduled scans will run at the sche ...

oval:org.secpod.oval:def:56619
Discovers networked devices and services that use the SSDP discovery protocol, such as UPnP devices. Also announces SSDP devices and services running on the local computer. If this service is stopped, SSDP-based devices will not be discovered. If this service is disabled, any services that explicitl ...

oval:org.secpod.oval:def:56204
Offers routing services to businesses in local area and wide area network environments. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Routing and Remote Access (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RemoteAccess!Start

oval:org.secpod.oval:def:56207
Turns off Windows Defender Real-Time Protection, and no more scans are scheduled. If you enable this policy setting, Windows Defender does not run, and computers will not be scanned for spyware or other potentially unwanted software. If you disable or do not configure this policy setting, by defau ...

oval:org.secpod.oval:def:56833
Removes access to the performance center control panel page. If you enable this setting, some settings within the performance control panel page will not be displayed. The administrative tools will not be affected. If you disable or do not configure this setting, the performance center control pan ...

oval:org.secpod.oval:def:56088
This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL. If you enable this setting, the proxy server will be bypassed for the specified addresses. If you disable ...

oval:org.secpod.oval:def:56460
Use this outbound rule to block UDP port 3544. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Outbound Rules!Windows Firewall: Block UDP port 3544 (2) REG: HKEY_LOCAL_MACHINE\Software\Policies ...

oval:org.secpod.oval:def:57129
Provides the interface to the backup/restore Windows Internal Database through the Windows VSS infrastructure. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!SQL Server VSS Writer (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SQLWriter!Star ...

oval:org.secpod.oval:def:56604
This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes are not configured and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer. If you enable this policy setting, user logon scripts will run i ...

oval:org.secpod.oval:def:57207
Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Plug and Play (2) REG: HKEY_LOCAL_MACHINE\SYSTE ...

oval:org.secpod.oval:def:57088
Receives activation requests over the net.msmq and msmq.formatname protocols and passes them to the Windows Process Activation Service. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Net.Msmq Listener Adapter (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentContr ...

oval:org.secpod.oval:def:56733
This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevati ...

oval:org.secpod.oval:def:56285
Securely enables the creation, management, and disclosure of digital identities. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Windows CardSpace (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\idsvc!Start

oval:org.secpod.oval:def:56397
This policy setting lets you allow signature key-based certificates to be enumerated and available for logon. If you enable this policy setting then any certificates available on the smart card with a signature only key will be listed on the logon screen. If you disable or do not configure this po ...

oval:org.secpod.oval:def:56386
This setting disables PNRP protocol from advertising the computer or from searching other computers on the local subnet in the global cloud. The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. One of the ways in which PNRP bootstr ...

oval:org.secpod.oval:def:56027
Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Configuratio ...

oval:org.secpod.oval:def:56919
This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Po ...

oval:org.secpod.oval:def:56675
Monitors system events and notifies subscribers to COM+ Event System of these events. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!System Event Notification Service (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SENS!Start

oval:org.secpod.oval:def:56685
This setting determines which users can change the time zone of the computer. This ability holds no great danger for the computer and may be useful for mobile workers. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Activ ...

oval:org.secpod.oval:def:56770
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Configuration\Windows Settings\Securit ...

oval:org.secpod.oval:def:56869
Manages download of game update information from Windows Metadata Services. If you enable this setting, game update information will not be downloaded. If you disable or do not configure this setting, game update information will be downloaded from Windows Metadata Services. Fix: (1) GPO: Comput ...

oval:org.secpod.oval:def:56513
Receives activation requests over the net.tcp protocol and passes them to WPAS. .NET Framework 3.0 & Windows Process Activation Service. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Net.Tcp Listener Adapter (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentC ...

oval:org.secpod.oval:def:56834
Determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion. By default User profile deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data e ...

oval:org.secpod.oval:def:56449
This policy setting allows you to control whether or not Search can perform queries on the web over metered connections, and if the web results are displayed in Search. If you enable this policy setting, queries won't be performed on the web over metered connections and web results won't ...

oval:org.secpod.oval:def:56811
This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. If you enable this policy setting, the client computers will request claims, provide ...

oval:org.secpod.oval:def:56492
Removes access to the performance center control panel solutions to performance problems. If you enable this setting, the solutions and issue section within the performance control panel page will not be displayed. The administrative tools will not be affected. If you disable or do not configure t ...

oval:org.secpod.oval:def:56082
The registry value entry EnableICMPRedirect was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes in the SCE. Internet Control M ...

oval:org.secpod.oval:def:56977
This policy setting allows you to manage whether run-once backups of a machine can be run or not. If you enable this policy setting, machine administrator/backup operator cannot use Windows Server Backup to run non-scheduled run-once backups. If you disable or do not configure this policy setting, ...

oval:org.secpod.oval:def:56263
Enforces group policy for removable mass-storage devices. Enables applications such as Windows Media Player and Image Import Wizard to transfer and synchronize content using removable mass-storage devices. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Port ...

oval:org.secpod.oval:def:56964
This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. The Security Center Control Pane ...

oval:org.secpod.oval:def:56767
Maintains links between NTFS files within a computer or across computers in a network. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Distributed Link Tracking Client (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TrkWks!Start

oval:org.secpod.oval:def:56416
This policy setting allows you to manage whether backups of a machine can run to locally attached storage or not. If you enable this policy setting, machine administrator/backup operator cannot use Windows Server Backup to run backups to a locally attached storage or disk. If you disable or do not ...

oval:org.secpod.oval:def:56236
This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data. If you enable this policy setting, interactive users cannot generate RSoP data. If you disable or ...

oval:org.secpod.oval:def:57084
This policy setting determines whether Windows PowerShell scripts will run before non-PowerShell scripts during computer startup and shutdown. By default, PowerShell scripts run after non-PowerShell scripts. If you enable this policy setting, within each applicable Group Policy object (GPO), PowerS ...

oval:org.secpod.oval:def:56539
Specifies whether to disable the administrator rights to customize security permissions in the Remote Desktop Session Host Configuration tool. You can use this setting to prevent administrators from making changes to the user groups on the Permissions tab in the Remote Desktop Session Host Configur ...

oval:org.secpod.oval:def:57108
The Offline Files service performs maintenance activities on the Offline Files cache, responds to user logon and logoff events, implements the internals of the public API, and dispatches interesting events to those interested in Offline Files activities and changes in cache state. Fix: (1) GPO: Co ...

oval:org.secpod.oval:def:57136
Enables relative prioritization of work based on system-wide task priorities. This is intended mainly for multimedia applications. If this service is stopped, individual tasks resort to their default priority. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services! ...

oval:org.secpod.oval:def:57159
Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Syst ...

oval:org.secpod.oval:def:56050
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. Important: If you set Outbound connections to Block and then deploy the firewall policy ...

oval:org.secpod.oval:def:56129
This policy setting allows you to turn on economical application of administratively assigned Offline Files. If you enable or do not configure this policy setting, only new files and folders in administratively assigned folders are synchronized at logon. Files and folders that are already available ...

oval:org.secpod.oval:def:56378
Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Wi ...

oval:org.secpod.oval:def:56732
Logs, monitors, and manages DirectAccess and VPN connections to the server. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Remote Access Management Service (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RaMgmtSvc!Start

oval:org.secpod.oval:def:56500
The Simple Mail Transfer Protocol (SMTP) service is an e-mail submission and relay agent. It can accept and queue e-mail messages for remote destinations and establish connections to other computers at specified intervals. Windows-based domain controllers use the SMTP service for intersite e-mail ba ...

oval:org.secpod.oval:def:56245
The Net.Tcp Port Sharing Service provides the ability for multiple user processes to share TCP ports over the net.tcp protocol. This service supports the .NET Framework 3.0 Windows Communication Foundation (WCF), which provides a new TCP-based network protocol (net.tcp://) for high-performance commu ...

oval:org.secpod.oval:def:56894
Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service. If the status is set to Enabled, the specified target group information is sent to the intranet Microsoft update service which uses it to determine which updates should be depl ...

oval:org.secpod.oval:def:57128
This policy setting allows you to prevent data loss when you change the target location for Folder Redirection, and the new and old targets point to the same network share, but have different network paths. If you enable this policy setting, Folder Redirection creates a temporary file in the old lo ...

oval:org.secpod.oval:def:57123
Determines whether the Offline Files feature is enabled. This setting also disables the Enable Offline Files option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. Offline Files saves a copy of network files on the user's compute ...

oval:org.secpod.oval:def:56549
This policy setting determines whether a user will be prompted on the client computer to provide credentials for a remote connection to an RD Session Host server. If you enable this policy setting, a user will be prompted on the client computer, instead of on the RD Session Host server, to provide cr ...

oval:org.secpod.oval:def:56696
This policy setting helps prevent Terminal Services clients from saving passwords on a computer. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Terminal Services client disconnects from any server ...

oval:org.secpod.oval:def:57170
Specifies whether or not the user is prompted for a password when the system resumes from sleep. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings!Specifies whether or not the user is prompted for a password when the system resumes from sleep. (2 ...

oval:org.secpod.oval:def:56823
Facilitates the running of interactive applications with additional administrative privileges. If this service is stopped, users will be unable to launch applications with the additional administrative privileges they may require to perform desired user tasks. Fix: (1) GPO: Computer Configuration\ ...

oval:org.secpod.oval:def:56975
The Windows Customer Experience Improvement Program will collect information about your hardware configuration and how you use our software and services to identify trends and usage patterns. We will not collect your name, address, or any other personally identifiable information. There are no surve ...

oval:org.secpod.oval:def:56095
This policy setting grants normal users direct access to removable storage devices in remote sessions. If you enable this policy setting, remote users will be able to open direct handles to removable storage devices in remote sessions. If you disable or do not configure this policy setting, remote ...

oval:org.secpod.oval:def:56985
This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon. By default the user principal name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another. For example, if the certificat ...

oval:org.secpod.oval:def:57059
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Application Layer Gateway Service (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ALG!Start

oval:org.secpod.oval:def:56487
This setting determines if the changes a user makes to their roaming profile are merged with the server copy of their profile. By default, when a roaming profile user logs on to a computer, their roaming profile is copied down to the local computer. If they have already logged on to this computer i ...

oval:org.secpod.oval:def:56691
This policy setting allows you to control the redirection of smart card devices in a Remote Desktop Services session. If you enable this policy setting, Remote Desktop Services users cannot use a smart card to log on to a Remote Desktop Services session. If you disable or do not configure this pol ...

oval:org.secpod.oval:def:56706
Enabling this policy removes the option of searching the Web from Windows Desktop Search. When this policy is disabled or not configured, the Web option is available and users can search the Web via their default browser search engine. Fix: (1) GPO: Computer Configuration\Administrative Templates ...

oval:org.secpod.oval:def:57227
This policy setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users ...

oval:org.secpod.oval:def:56830
Determines whether the system saves a copy of a user's roaming profile on the local computer's hard drive when the user logs off. This setting, and related settings in this folder, together describe a strategy for managing user profiles residing on remote servers. In particular, they tell ...

oval:org.secpod.oval:def:56785
This policy setting determines whether users can increase the base priority class of a process. (It is not a privileged operation to increase relative priority within a priority class.) This user right is not required by administrative tools that are supplied with the operating system but might be r ...

oval:org.secpod.oval:def:56132
Enable this policy to prevent indexing public folders in Microsoft Office Outlook. When this policy is disabled or not configured, the user has the option to index cached public folders in Outlook. Public folders are only indexed when using Outlook 2003 or later. The user must be running in cached m ...

oval:org.secpod.oval:def:56650
This policy setting allows users to shut down Windows based computers from remote locations on the network. Anyone who has been assigned this user right can cause a denial of service (DoS) condition, which would make the computer unavailable to service user requests. Therefore, Microsoft recommends ...

oval:org.secpod.oval:def:57125
This policy setting allows you to turn off the automatic display of the Initial Configuration Tasks window at logon. If you enable this policy setting, the Initial Configuration Tasks window is not displayed when an administrator logs on to the server. If you disable this policy setting, the Initi ...

oval:org.secpod.oval:def:56709
This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file reaches i ...

oval:org.secpod.oval:def:56371
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. If you enable this policy setting, the WinRM client will not use Digest authentication. If you disable or do not configure this policy setting, the WinRM client will us ...

oval:org.secpod.oval:def:56172
This policy setting allows you to specify whether the RD Session Host server should join a farm in RD Connection Broker. RD Connection Broker tracks user sessions and allows a user to reconnect to their existing session in a load-balanced RD Session Host server farm. To participate in RD Connection ...

oval:org.secpod.oval:def:57194
This service performs IEEE 802.1X authentication on Ethernet interfaces. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Wired AutoConfig (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dot3svc!Start

oval:org.secpod.oval:def:56509
This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configu ...

oval:org.secpod.oval:def:57055
This policy setting makes the Recovery Console SET command available, which allows you to set the following recovery console environment variables: - AllowWildCards. Enables wildcard support for some commands (such as the DEL command). - AllowAllPaths. Allows access to all files and folders on the c ...

oval:org.secpod.oval:def:56451
This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: * Users can't access OneDrive from the OneDrive app and file picker. * Windows Store apps can't access OneDrive using the WinRT API. * OneDrive doesn't appear in the navig ...

oval:org.secpod.oval:def:57210
This policy setting allows Web-based programs to install software on the computer without notifying the user. If you disable or do not configure this policy setting, by default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows t ...

oval:org.secpod.oval:def:57085
This setting determines whether offline files are encrypted. Offline files reside on a user's hard drive, not the network, and they are stored in a local cache on the computer. Encrypting this cache enhances security on a local computer. If the cache on the local computer is not encrypted, ...

oval:org.secpod.oval:def:56254
This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. This setting controls whether local administrators are allowed to create connection security rules that apply with other ...

oval:org.secpod.oval:def:56467
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Negotiate authentication. If you enable this policy setting, the WinRM client will not use Negotiate authentication. If you disable or do not configure this policy setting, the WinRM client w ...

oval:org.secpod.oval:def:57160
This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: - Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators an ...

oval:org.secpod.oval:def:57209
Maintains a secure channel between this computer and the domain controller for authenticating users and services. If this service is stopped, the computer may not authenticate users and services and the domain controller cannot register DNS records. If this service is disabled, any services that exp ...

oval:org.secpod.oval:def:57094
Serves as the endpoint mapper and COM Service Control Manager. If this service is stopped or disabled, programs using COM or Remote Procedure Call (RPC) services will not function properly. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Remote Procedure Cal ...

oval:org.secpod.oval:def:56182
This privilege determines which user accounts can increase or decrease the size of a process's working set. The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an application to use without trigge ...

oval:org.secpod.oval:def:56187
This policy setting allows you to manage the deployment operations of app packages when the user is logged in under special profiles. Deployment operation refers to adding, registering, staging, updating or removing an app package. Special profiles refer to profiles with the following types: manda ...

oval:org.secpod.oval:def:56618
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. If you disable or do not configure t ...

oval:org.secpod.oval:def:56626
This policy directs Group Policy processing to skip processing any client side extension that requires synchronous processing (that is, whether computers wait for the network to be fully initialized during computer startup and user logon) when a slow network connection is detected. If you enable th ...

oval:org.secpod.oval:def:56516
Determines whether the domain controller can prune (delete from Active Directory) the printers published by this computer. By default, the pruning service on the domain controller prunes printer objects from Active Directory if the computer that published them does not respond to contact requests. ...

oval:org.secpod.oval:def:56427
Provides automatic IPv6 connectivity over an IPv4 network. If this service is stopped, the machine will only have IPv6 connectivity if it is connected to a native IPv6 network. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!IP Helper (2) REG: HKEY_LOCAL_MA ...

oval:org.secpod.oval:def:57112
This policy setting allows you to manage the installation of app packages that do not originate from the Windows Store. If you enable this policy setting, you can install any trusted app package. A trusted app package is one that is signed with a certificate chain that can be successfully validated ...

oval:org.secpod.oval:def:56151
Publishes this computer and resources attached to this computer so they can be discovered over the network. If this service is stopped, network resources will no longer be published and they will not be discovered by other computers on the network. Fix: (1) GPO: Computer Configuration\Windows Sett ...

oval:org.secpod.oval:def:57154
Host process for Function Discovery providers. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Function Discovery Provider Host (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\fdPHost!Start

oval:org.secpod.oval:def:56657
This policy setting enables or disables PNRP cloud creation. PNRP is a distributed name resolution protocol allowing Internet hosts to publish peer names with a corresponding Internet Protocol version 6 (IPv6) address. Other hosts can then resolve the name, retrieve the corresponding address, and e ...

oval:org.secpod.oval:def:56701
If enabled, Search and Indexing Options in Control Panel does not allow opening the Modify Locations dialog. Otherwise it can be opened. Disabled by default. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Search!Prevent customization of indexed locations in Contro ...

oval:org.secpod.oval:def:56896
This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. If you enable this policy setting, WER does not throttle data; that is, WER uploads ...

oval:org.secpod.oval:def:56857
Determines whether the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) is forced to use a software rasterizer instead of a Graphics Processing Unit (GPU) to rasterize pages. On machines with an ARM processor, this policy setting is ignored by the XPS Rasterization Service and the XPS-t ...

oval:org.secpod.oval:def:56920
This policy setting enables system administrators to change the graphics rendering for all Remote Desktop Services sessions on a Remote Desktop Session Host (RD Session Host) server. If you enable this policy setting, all Remote Desktop Services sessions on the RD Session Host server use the hardwa ...

oval:org.secpod.oval:def:56086
This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for definition updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the following settings will be used (in order): 1. Internet Explor ...

oval:org.secpod.oval:def:56186
This policy setting allows you to specify whether to send a Windows error report when a generic driver is installed on a device. If you enable this policy setting, a Windows error report is not sent when a generic driver is installed. If you disable or do not configure this policy setting, a Windo ...

oval:org.secpod.oval:def:56052
This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or c ...

oval:org.secpod.oval:def:56872
This setting disables the more secure default setting for the user's roaming user profile folder. Once an administrator has configured a user's roaming profile, the profile will be created at the user's next login. The profile is created at the location that is specified by the ad ...

oval:org.secpod.oval:def:56684
This policy setting determines the strength of the default discretionary access control list (DACL) for objects. The setting helps secure objects that can be located and shared among processes and its default configuration strengthens the DACL, because it allows users who are not administrators to r ...

oval:org.secpod.oval:def:56652
Provides management services for disks, volumes, file systems, and storage arrays. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Virtual Disk (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vds!Start

oval:org.secpod.oval:def:56617
This policy setting specifies whether Windows Installer RDS Compatibility runs on a per user basis for fully installed applications. Windows Installer allows one instance of the msiexec process to run at a time. By default, Windows Installer RDS Compatibility is turned on. If you enable this policy ...

oval:org.secpod.oval:def:56582
This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. If you enable this sett ...

oval:org.secpod.oval:def:56227
This policy setting turns off the location feature for this computer. If you enable this policy setting, the location feature will be turned off, and all programs on this computer will not be able to use location information from the location feature. If you disable or do not confi ...

oval:org.secpod.oval:def:56256
This policy setting allows you to specify whether to prevent the mapping of client printers in Remote Desktop Services sessions. You can use this policy setting to prevent users from redirecting print jobs from the remote computer to a printer attached to their local (client) computer. By default, ...

oval:org.secpod.oval:def:57184
This policy setting configures whether or not Windows will activate an Enhanced Storage device. If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices. If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Stor ...

oval:org.secpod.oval:def:56809
This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more perman ...

oval:org.secpod.oval:def:57222
Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Configuration\Wi ...

oval:org.secpod.oval:def:56436
This policy setting allows you to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer. If you enable this policy setting smart cards can be used to authenticate user access to the drive. You can require a smart card authenti ...

oval:org.secpod.oval:def:56133
This policy setting specifies whether the client computer should use the Distributed Cache mode. This BranchCache mode enables a client computer to retrieve content that has been downloaded and cached by other client computers in the branch office. To access cached content from other client computer ...

oval:org.secpod.oval:def:57049
Specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor restart Windows. If the status is set to Enabled, Automatic Updates will immediately install these updates once they are downloaded and ready to install. If the status is se ...

oval:org.secpod.oval:def:56852
This setting allows you to enable enforcement of AppLocker Executable Rules. If you enable this setting, the AppLocker Executable Rules are enforced. If you disable or do not configure this setting, the AppLocker Executable Rules are not enforced. Fix: (1) GPO: Computer Configuration\Windows Set ...

oval:org.secpod.oval:def:56382
This policy setting saves copies of transform files in a secure location on the local computer. Transform files consist of instructions to modify or customize a program during installation. If you enable this policy setting, the transform file is saved in a secure location on the user's c ...

oval:org.secpod.oval:def:57157
Creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device. If this service is disabled, the Network Map will not function properly. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Link- ...

oval:org.secpod.oval:def:56051
Maintains and improves system performance over time. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Superfetch (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SysMain!Start

oval:org.secpod.oval:def:56931
Engine to perform block level backup and recovery of data. This is a component of the Windows Server Backup feature. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Block Level Backup Engine Service (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\servi ...

oval:org.secpod.oval:def:56601
This setting lets you prevent users from selecting optical media (CD/DVD) for storing backups. If this setting is enabled, users will be blocked from selecting optical media as a backup location. If this setting is disabled or not configured, users can select optical media as a backup location. ...

oval:org.secpod.oval:def:56274
Determines if print driver components are isolated from applications instead of normally loading them into applications. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash. Not all applications support driver isolation. By default, Microsoft Exce ...

oval:org.secpod.oval:def:56200
This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days. This p ...

oval:org.secpod.oval:def:56458
This policy setting determines which users or groups might access DCOM applications remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications. You can use this policy setting to specify access permissions to all the computers to particular users fo ...

oval:org.secpod.oval:def:56373
This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, then BITS jobs on that computer can use Windows Branch Cache by default. If you enable this setting, then the BITS client does ...

oval:org.secpod.oval:def:56686
This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. This is an advanced security setting for the Windows Firewall that you can use to allow unicast responses on computers running Windows Vista or later. Fix ...

oval:org.secpod.oval:def:56352
This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC. If you enable this policy setting, DCs to which ...

oval:org.secpod.oval:def:56616
This policy setting prevents the Group Policy Client Service from stopping when idle. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Group Policy!Turn off Group Policy Client Service AOAC optimization (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System!Dis ...

oval:org.secpod.oval:def:56162
If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled. Fix: (1) GPO: Computer Configuratio ...

oval:org.secpod.oval:def:56406
This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. If you enable this policy setting, Automatic Updates accepts updates received through an intranet Mic ...

oval:org.secpod.oval:def:56141
The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requiremen ...

oval:org.secpod.oval:def:57189
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Comput ...

oval:org.secpod.oval:def:56092
This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discove ...

oval:org.secpod.oval:def:56504
The TCP/IP Print Server service enables TCP/IP-based printing by using the Line Printer Daemon protocol. The TCP/IP Print Server service on the print server receives documents from native Line Printer Remote (LPR) utilities running on UNIX computers. Fix: (1) GPO: Computer Configuration\Windows Se ...

oval:org.secpod.oval:def:56505
This setting lets you disable the creation of system images. If this setting is enabled, users cannot create system images. If this setting is disabled or not configured, users can create system images. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Backup\Clien ...

oval:org.secpod.oval:def:56042
Specifies whether to prevent the MS-DOS subsystem (ntvdm.exe) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. By default, the MS-DOS subsystem runs for all users on this computer. You can use this setting to turn off the MS-DOS subsy ...

oval:org.secpod.oval:def:56805
Use this option to specify the path and name of the file in which Windows Firewall will write its log information. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Sett ...

oval:org.secpod.oval:def:56252
This policy setting controls whether the domain controller provides information about previous logons to client computers. If you enable this policy setting, the domain controller provides the information message about previous logons. For Windows Logon to leverage this feature, the Display inform ...

oval:org.secpod.oval:def:56643
This policy setting displays the instructions in shutdown scripts as they run. Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system does not display the instructions in the shutdown script. If you enable this policy se ...

oval:org.secpod.oval:def:56605
This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print spooler service to fail. If you enable or do not conf ...

oval:org.secpod.oval:def:57081
This policy setting controls whether the PC will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the Windows To Go Startup Options Control Panel item. If you enable this setting, booting to Windows To Go when ...

oval:org.secpod.oval:def:56737
This policy setting specifies which users can add computer workstations to a specific domain. For this policy setting to take effect, it must be assigned to the user as part of the Default Domain Controller Policy for the domain. A user who has been assigned this right can add up to 10 workstations ...

oval:org.secpod.oval:def:57120
Coordinates transactions between MSDTC and the Kernel Transaction Manager (KTM). Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!KtmRm for Distributed Transaction Coordinator (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\KtmRm!Start

oval:org.secpod.oval:def:56361
This policy setting allows you to specify whether users can record audio to the remote computer in a Remote Desktop Services session. Users can specify whether to record audio to the remote computer by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RD ...

oval:org.secpod.oval:def:56590
The policy setting allows programs that run on behalf of a user to impersonate that user (or another specified account) so that they can act on behalf of the user. If this user right is required for this kind of impersonation, an unauthorized user will not be able to convince a client to connect, fo ...

oval:org.secpod.oval:def:56956
Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\File Explorer!Turn ...

oval:org.secpod.oval:def:56963
Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. If you leave this policy setting enabled, users will be able to use MSDT to collect and send diagnostic data to a support professional to resolve a problem. By default, the support provider is s ...

oval:org.secpod.oval:def:57052
Specifies whether the PC can use standby sleep states (S1-S3) when starting from a Windows To Go workspace. If you enable this setting, Windows, when started from a Windows To Go workspace, can't use standby states to make the PC sleep. If you disable or don't configure this sett ...

oval:org.secpod.oval:def:56273
This policy setting creates a default system access control list (SACL) for system objects such as mutexes (mutual exclusive), events, semaphores, and MS-DOS devices, and causes access to these system objects to be audited. If the Audit: Audit the access of global system objects setting is enabled, ...

oval:org.secpod.oval:def:56630
This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room co ...

oval:org.secpod.oval:def:56206
This policy setting prevents clients from connecting to Mobile Broadband networks when the client is registered on a roaming provider network. If this policy setting is enabled, all automatic and manual connection attempts to roaming provider networks are blocked until the client registers wi ...

oval:org.secpod.oval:def:56394
Announces the presence of shared printers to print browse master servers for the domain. On domains with Active Directory, shared printer resources are available in Active Directory and are not announced. If you enable this setting, the print spooler announces shared printers to the print browse m ...

oval:org.secpod.oval:def:56791
This service opens custom printer dialog boxes and handles notifications from a remote print server or a printer. If you turn off this service you won't be able to see printer extensions or notifications. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Print ...

oval:org.secpod.oval:def:57225
Allows users to connect interactively to a remote computer. Remote Desktop and Terminal Server depend on this service. To prevent remote use of this computer, clear the checkboxes on the Remote tab of the System properties control panel item. Fix: (1) GPO: Computer Configuration\Windows Settings\S ...

oval:org.secpod.oval:def:56525
This policy setting determines if the Background Intelligent Transfer Service (BITS) Peercaching feature is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's owner. If BITS Peercaching is enabled, BITS will ...

oval:org.secpod.oval:def:56189
This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings!Setting controls whether Windows ...

oval:org.secpod.oval:def:56614
This entry appears as MSS: (DisableIPSourceRouting) IPv6 source routing protection level (protects against packet spoofing) in the SCE. IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. Fix: (1) GPO: Computer Config ...

oval:org.secpod.oval:def:56851
This policy setting turns off the Windows Location Provider feature for this computer. If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the Windows Location Provider feature. If yo ...

oval:org.secpod.oval:def:57199
Prevent syncing to and from this PC when on metered Internet connections. This turns off and disables the "sync your settings on metered connections" switch on the "sync your settings" page in PC Settings. If you enable this policy setting, syncing on metered connections will be turned off, and no syncing ...

oval:org.secpod.oval:def:57191
Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Internet Connection Sharing (ICS) (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\C ...

oval:org.secpod.oval:def:56565
This policy setting allows you to turn off File History. If you enable this policy setting, File History cannot be activated to create regular, automatic backups. If you disable or do not configure this policy setting, File History can be activated to create regular, automatic backups. Fix: (1) ...

oval:org.secpod.oval:def:56600
This setting adds the Administrator security group to the roaming user profile share. Once an administrator has configured a user's roaming profile, the profile will be created at the user's next login. The profile is created at the location that is specified by the administrator. ...

oval:org.secpod.oval:def:57102
Collects and stores configuration information for the network and notifies programs when this information is modified. If this service is stopped, configuration information might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO ...

oval:org.secpod.oval:def:56695
This policy setting prevents the display of the user interface for critical errors. If you enable this policy setting, Windows Error Reporting prevents the display of the user interface for critical errors. If you disable or do not configure this policy setting, Windows Error Reporting displays th ...

oval:org.secpod.oval:def:56968
Specifies whether the computers to which this setting is applied may send dynamic updates to the zones named with a single label name, also known as top-level domain zones, for example, com. By default, a DNS client configured to perform dynamic DNS update sends dynamic updates to the DNS zone that ...

oval:org.secpod.oval:def:56502
This policy setting specifies whether Work Folders should be set up automatically for all users of the affected computer. If you enable this policy setting, Work Folders will be set up automatically for all users of the affected computer. This prevents users from choosing not to use Work Folders on ...

oval:org.secpod.oval:def:56247
This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet. If you enable this policy setting, the Update-Help cmdlet will use the specified value as the default value for the SourcePath parameter. This default value can be overridden by specifying ...

oval:org.secpod.oval:def:56922
This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure th ...

oval:org.secpod.oval:def:56213
This policy setting specifies that power management is disabled when the machine enters connected standby mode. If this policy setting is enabled, Windows Connection Manager does not manage adapter radios to reduce power consumption when the machine enters connected standby mode. If th ...

oval:org.secpod.oval:def:57150
Manages audio for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Servi ...

oval:org.secpod.oval:def:56135
This policy setting allows you to configure a domain controller to request compound authentication. Note: For a domain controller to request compound authentication, the policy KDC support for claims, compound authentication, and Kerberos armoring must be configured and enabled. If you enable this ...

oval:org.secpod.oval:def:57027
This policy setting denies write access to removable disks. If you enable this policy setting, write access will be denied to this removable storage class. If you disable or do not configure this policy setting, write access will be allowed to this removable storage class. NOTE: To require that u ...

oval:org.secpod.oval:def:56170
The Data Deduplication service enables the deduplication and compression of data on selected volumes in order to optimize disk space used. If this service is stopped, optimization will no longer occur but access to already optimized data will continue to function. Fix: (1) GPO: Computer Configurat ...

oval:org.secpod.oval:def:57211
Specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names such as www.example.com in addition to single-label names. If you disable this policy set ...

oval:org.secpod.oval:def:57146
Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The WinRM ...

oval:org.secpod.oval:def:56448
This policy will automatically log off a user when Windows cannot load their profile. If Windows cannot access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy allows the administrator to disable this ...

oval:org.secpod.oval:def:56266
If you enable this policy setting, the Diagnostic Policy Service (DPS) will detect, troubleshoot and attempt to resolve automatically any heap corruption problems. If you disable this policy setting, Windows will not be able to detect, troubleshoot and attempt to resolve automatically any heap corr ...

oval:org.secpod.oval:def:56465
Allow applications and services to prevent automatic sleep. If you enable this policy setting, any application, service or device driver may prevent Windows from automatically transitioning to sleep after a period of user inactivity. If you disable this policy setting, applications, services or dr ...

oval:org.secpod.oval:def:57200
The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer's name will not be ...

oval:org.secpod.oval:def:56671
This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. When configu ...

oval:org.secpod.oval:def:57140
This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Win ...

oval:org.secpod.oval:def:56445
The Remote Desktop Licensing service installs a license server and provides registered client licenses when a computer is connecting to a server that has Terminal Server enabled. The Terminal Server Licensing service is a low-impact service that stores the client licenses that have been issued for a ...

oval:org.secpod.oval:def:56301
This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of single-label domain names. By default, when a computer (or the DC Locator running on a computer, to be more specific) needs to locate a domain controller hosting an Active Directory ...

oval:org.secpod.oval:def:57214
Turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples wi ...

oval:org.secpod.oval:def:56070
This policy setting allows you to configure whether or not to display notifications to clients when they need to perform the following actions: run a full scan; download the latest virus and spyware definitions; download Standalone System Sweeper. If you enable or do not configure this setting, notif ...

oval:org.secpod.oval:def:56589
Manages the assignment of RemoteApp and desktop connection resources to users. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!RemoteApp and Desktop Connection Management (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TScPubRPC!Start

oval:org.secpod.oval:def:57145
The Intersite Messaging service enables message exchanges between computers that run Windows Server sites. This service is used for mail-based replication between sites. Active Directory includes support for replication between sites through SMTP over IP transport. SMTP support is provided by the SM ...

oval:org.secpod.oval:def:57188
Creates, manages, and removes X.509 certificates for applications such as S/MIME and SSL. If this service is stopped, certificates will not be created. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Configuration\Windows Settings\S ...

oval:org.secpod.oval:def:56795
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. This setting determines the behavior for inbound connections that do not match an inbound fi ...

oval:org.secpod.oval:def:56917
This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy wi ...

oval:org.secpod.oval:def:56103
This policy setting allows users to search for installation files during privileged installations. If you enable this policy setting, the Browse button in the Use feature from dialog box is enabled. As a result, users can search for installation files even when the installation program is running w ...

oval:org.secpod.oval:def:56848
This policy setting allows you to disable revocation check for the SSL certificate of the KDC proxy server being connected to. If you enable this policy setting, revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This policy setting should only be us ...

oval:org.secpod.oval:def:57043
Specifies whether users can perform a Microsoft Knowledge Base search from the Help and Support Center. The Knowledge Base is an online source of technical support information and self-help tools for Microsoft products and is searched as part of all Help and Support Center searches with the default ...

oval:org.secpod.oval:def:56523
This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group ...

oval:org.secpod.oval:def:56130
This policy setting allows you to turn off the automatic display of the Manage Your Server page. If you enable this policy setting, the Manage Your Server page is not displayed each time an administrator logs on to the server. If you disable or do not configure this policy setting, the Manage Your ...

oval:org.secpod.oval:def:56109
This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware definitions are disabled. It is recommended that this setting remain disabled. If you enable this setting, the antimalware service will always remain running even if bot ...

oval:org.secpod.oval:def:56154
This setting turns off Microsoft Peer-to-Peer Networking Services in its entirety, and will cause all dependent applications to stop working. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. If you enable this settin ...

oval:org.secpod.oval:def:56393
This policy setting denies execute access to removable disks. If you enable this policy setting, execute access will be denied to this removable storage class. If you disable or do not configure this policy setting, execute access will be allowed to this removable storage class. Fix: (1) GPO: Co ...

oval:org.secpod.oval:def:56782
Provides secure remote connectivity to remote computers on your corporate network, from anywhere on the Internet. If this service is stopped, connections to remote computers cannot be made through this Terminal Services Gateway server. Fix: (1) GPO: Computer Configuration\Windows Settings\Security ...

oval:org.secpod.oval:def:57078
The policy controls the state of the Application Telemetry engine in the system. Application Telemetry is a mechanism that tracks anonymous usage of specific Windows system components by applications. Turning Application Telemetry off by selecting enable will stop the collection of usage data. If ...

oval:org.secpod.oval:def:56560
This policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box. This policy setting works in conjunction with the following Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows Dialog box sett ...

oval:org.secpod.oval:def:56452
This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in t ...

oval:org.secpod.oval:def:57057
This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file. If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file. I ...

oval:org.secpod.oval:def:56645
This policy setting directs the system to display highly detailed status messages. This policy setting is designed for advanced users who require this information. If you enable this policy setting, the system displays status messages that reflect each step in the process of starting, shutting dow ...

oval:org.secpod.oval:def:56372
This policy setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. If you enable this policy setting, only the interactively logged-on user is allowed to access removable CD-ROM media. When this policy setting is enabled and no one is logged on interactively ...

oval:org.secpod.oval:def:56655
This policy setting allows you to turn off desktop gadgets that have been installed by the user. If you enable this setting, Windows will not run any user-installed gadgets. If you disable or do not configure this setting, Windows will run user-installed gadgets. The default is for Windows to run ...

oval:org.secpod.oval:def:57038
This policy setting determines whether users can log on or elevate User Account Control (UAC) permissions using biometrics. By default, local users will be able to log on to the local computer, but the Allow domain users to log on using biometrics policy setting will need to be enabled for domain us ...

oval:org.secpod.oval:def:56664
Lets the system run startup scripts simultaneously. Startup scripts are batch files that run before the user is invited to log on. By default, the system waits for each startup script to complete before it runs the next startup script. If you enable this setting, the system does not coordinate the ...

oval:org.secpod.oval:def:57000
This policy setting allows Microsoft Windows to process user Group Policy settings asynchronously when logging on through Remote Desktop Services. Asynchronous user Group Policy processing is the default processing mode for Windows Vista and Windows XP. By default, Windows Server processes user Grou ...

oval:org.secpod.oval:def:56197
Install AppX Packages for all authorized users. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Windows All-User Install Agent (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AllUserInstallAgent!Start

oval:org.secpod.oval:def:56800
This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install a ...

oval:org.secpod.oval:def:56163
Windows Firewall helps protect your computer by preventing unauthorized users from gaining access to your computer through the Internet or a network. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Windows Firewall (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\Current ...

oval:org.secpod.oval:def:56484
This policy setting turns on logging. If you enable or do not configure this policy setting, then events can be written to this log. If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting. Fix: (1) GPO: Compu ...

oval:org.secpod.oval:def:57054
Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 8. If you enable this group policy setting, the default MXDW output format is the legacy Microsoft XPS (*.xps). If you disable or do not configure this policy setting, the default MXDW output format is Open ...

oval:org.secpod.oval:def:57179
Enables identity revocation services for PKI (certificate) based services such as secure e-mail, smartcard logon, secure web servers, etc. as an online request and response query process. If this service is stopped or disabled, revocation services may not be available for PKI (certificate) application ...

oval:org.secpod.oval:def:56138
Extends the disk quota policies in this folder to NTFS file system volumes on removable media. If you disable this setting or do not configure it, the disk quota policies established in this folder apply to fixed-media NTFS volumes only. Note: When this setting is applied, the computer will apply t ...

oval:org.secpod.oval:def:56087
This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI). In order to use the integrated unblock feature your smart card must support this feature. Please check with your hardware manufacturer to see if your smart card supports ...

oval:org.secpod.oval:def:56529
This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. Fix: (1) GPO: Computer Configuration\Ad ...

oval:org.secpod.oval:def:57114
Performance Logs and Alerts collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services th ...

oval:org.secpod.oval:def:56032
Provides the interface to backup and restore Windows Internal Database through the Windows VSS infrastructure. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Windows Internal Database VSS Writer (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services ...

oval:org.secpod.oval:def:56545
This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. If you enable or do not configure this policy setting, then certificate propagation will occur when you insert your smart card. If you disable this policy setting, certificate propagation ...

oval:org.secpod.oval:def:57066
Provides performance library information from Windows Management Instrumentation (WMI) providers to clients on the network. This service only runs when Performance Data Helper is activated. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!WMI Performance Adap ...

oval:org.secpod.oval:def:57127
Fair Share CPU Scheduling dynamically distributes processor time across all Remote Desktop Services sessions on the same RD Session Host server, based on the number of sessions and the demand for processor time within each session. If you enable this policy setting, Fair Share CPU Scheduling is tur ...

oval:org.secpod.oval:def:56459
This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system is not vul ...

oval:org.secpod.oval:def:56463
This is a setting for computers with more than one UI language installed. If you enable this setting, the UI language of Windows menus and dialogs for systems with more than one language will follow the language specified by the administrator as the system UI language. The user UI language ...

oval:org.secpod.oval:def:56656
This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. If you enable or do not configure this policy setting, then root certificate propagation will occur when you insert your smart card. Note: For this policy setting to work the followin ...

oval:org.secpod.oval:def:56815
This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the Retain old events policy setting is enabled. If you enable this policy setting and the Retain old events policy setting is enabled, the Event Log file is automatically closed and ...

oval:org.secpod.oval:def:56831
This policy controls the Windows Management Instrumentation (WMI) providers Win32_ReliabilityStabilityMetrics and Win32_ReliabilityRecords. If this setting is disabled, the Reliability Monitor will not display system reliability information nor will WMI capable applications have access to relia ...

oval:org.secpod.oval:def:57229
Allows UPnP devices to be hosted on this computer. If this service is stopped, any hosted UPnP devices will stop functioning and no additional hosted devices can be added. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Configuratio ...

oval:org.secpod.oval:def:56949
This policy setting allows you to control whether or not platform validation data is refreshed when Windows is started following BitLocker recovery. If you enable this policy setting, platform validation data will be refreshed when Windows is started following BitLocker recovery. If you disable th ...

oval:org.secpod.oval:def:56955
This policy setting lets you hide the list of previous versions of files that are on local disks. The previous versions could come from the on-disk restore points or from backup media. If you enable this policy setting, users cannot list or restore previous versions of files on local disks. If you ...

oval:org.secpod.oval:def:56933
This policy setting allows you to configure monitoring for file and program activity. If you enable or do not configure this setting, monitoring for file and program activity will be enabled. If you disable this setting, monitoring for file and program activity will be disabled. Fix: (1) GPO: Co ...

oval:org.secpod.oval:def:57122
Specifies whether Automatic Updates will deliver both important as well as recommended updates from the Windows Update update service. When this policy is enabled, Automatic Updates will install recommended updates as well as important updates from Windows Update update service. When disabled or n ...

oval:org.secpod.oval:def:57079
This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the Retain old events policy setting is enabled. If you enable this policy setting and the Retain old events policy setting is enabled, the Event Log file is automatically closed and ...

oval:org.secpod.oval:def:56687
Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Configuration\Windows Setti ...

oval:org.secpod.oval:def:56942
This policy setting allows you to configure network protection against exploits of known vulnerabilities. If you enable or do not configure this setting, the network protection will be enabled. If you disable this setting, the network protection will be disabled. Fix: (1) GPO: Computer Configura ...

oval:org.secpod.oval:def:56503
Prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. This setting prevents Windows Installer from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows In ...

oval:org.secpod.oval:def:56983
This policy setting allows you to specify whether the app registration is completed before showing the Start screen to the user. By default, when a new user signs in to a computer, the Start screen is shown and apps are registered in the background. However, some apps may not work until app registr ...

oval:org.secpod.oval:def:57198
This policy setting allows you to configure the display of the password reveal button in password entry user experiences. If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box. If you disable or do not confi ...

oval:org.secpod.oval:def:56123
Specifies whether to remove the Windows Security item from the Settings menu on Remote Desktop clients. You can use this setting to prevent inexperienced users from logging off from Remote Desktop Services inadvertently. If the status is set to Enabled, Windows Security does not appear in Settings ...

oval:org.secpod.oval:def:56527
This policy setting configures a local override for the configuration of network protection against exploits of known vulnerabilities. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do n ...

oval:org.secpod.oval:def:56651
Allows files to be automatically copied and maintained simultaneously on multiple servers. If this service is stopped, file replication will not occur and servers will not synchronize. If this service is disabled, any services that explicitly depend on it will fail to start. This service was previou ...

oval:org.secpod.oval:def:57004
This policy setting enables or disables PNRP cloud creation. PNRP is a distributed name resolution protocol allowing Internet hosts to publish peer names with a corresponding Internet Protocol version 6 (IPv6) address. Other hosts can then resolve the name, retrieve the corresponding address, and e ...

oval:org.secpod.oval:def:56713
Enables scanned documents to be sent from scanners to the scan server and routes them to the correct destinations. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Distributed Scan Server Service (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ ...

oval:org.secpod.oval:def:56096
This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid. Under previous versions of Microsoft Windows, certificates were required to contain a valid time and not be expired. The certificate must still be accepted by the domain controller in ...

oval:org.secpod.oval:def:56766
Processes installation, removal, and enumeration requests for software deployed through Group Policy. If the service is disabled, users will be unable to install, remove, or enumerate software deployed through Group Policy. If this service is disabled, any services that explicitly depend on it will ...

oval:org.secpod.oval:def:57219
This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local ...

oval:org.secpod.oval:def:56374
This policy setting enables Remote Assistance invitations to be generated with improved encryption so that only computers running this version (or later versions) of the operating system can connect. This policy setting does not affect Remote Assistance connections that are initiated by instant mess ...

oval:org.secpod.oval:def:56281
This policy setting specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choose to allow use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting t ...

oval:org.secpod.oval:def:57228
Enables user notification of user input for interactive services, which enables access to dialogs created by interactive services when they appear. If this service is stopped, notifications of new interactive service dialogs will no longer function and there may no longer be access to interactive se ...

oval:org.secpod.oval:def:56843
Specifies whether the computers to which this setting is applied may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries, if the original name query fails. A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example ser ...

oval:org.secpod.oval:def:56287
Monitors the state of this virtual machine by reporting a heartbeat at regular intervals. This service helps you identify running virtual machines that have stopped responding. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Hyper-V Heartbeat Service (2) RE ...

oval:org.secpod.oval:def:56483
This setting causes the Windows Installer to enforce strict rules for component upgrades; setting this may cause some updates to fail. If you enable this policy setting, strict upgrade rules will be enforced by the Windows Installer. Upgrades can fail if they attempt to do one of the following: (1 ...

oval:org.secpod.oval:def:57166
This policy setting determines if the server side SMB service is required to perform SMB packet signing. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. This policy setting determines if the server side SMB service is r ...

oval:org.secpod.oval:def:56976
Enables applications and services to prevent the system from sleeping. If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). If you disable this policy setting or do not configure it, users can see and change this ...

oval:org.secpod.oval:def:56029
The WcsPlugInService service hosts third-party Windows Color System color device module and gamut map model plug-in modules. These plug-in modules are vendor-specific extensions to the Windows Color System baseline color device and gamut map modules. Stopping or disabling the WcsPlugInService servic ...

oval:org.secpod.oval:def:56698
Specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. You can use this setting to maintain a user's session-specific temporary folders on a remote computer, even if the user logs off from a session. By default, Remote Desktop Services ...

oval:org.secpod.oval:def:56603
This policy setting allows you to control whether non-administrative users will receive update notifications based on the Configure Automatic Updates policy setting. If you enable this policy setting, Windows Automatic Update and Microsoft Update will include non-administrators when determining whi ...

oval:org.secpod.oval:def:56822
This service is responsible for loading and unloading user profiles. If this service is stopped or disabled, users will no longer be able to successfully logon or logoff, applications may have problems getting to users' data, and components registered to receive profile event notifications ...

oval:org.secpod.oval:def:56030
Registers and updates IP addresses and DNS records for this computer. If this service is stopped, this computer will not receive dynamic IP addresses and DNS updates. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Configuration\Win ...

oval:org.secpod.oval:def:56114
This policy setting allows you to enable RemoteApp programs to use advanced graphics, including support for transparency, live thumbnails, and seamless application moves. This policy setting applies only to RemoteApp programs and does not apply to remote desktop sessions. If you enable or do not co ...

oval:org.secpod.oval:def:56802
This policy setting allows you to specify whether the default client printer is the only printer redirected in Remote Desktop Services sessions. If you enable this policy setting, only the default client printer is redirected in Remote Desktop Services sessions. If you disable or do not configure ...

oval:org.secpod.oval:def:56230
This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file reaches i ...

oval:org.secpod.oval:def:56990
Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Filesystem\NTFS!Do not allow compression on all NTFS volumes (2) REG: HKEY_L ...

oval:org.secpod.oval:def:56520
This policy setting controls the use of fast startup. If you enable this policy setting, the system requires hibernate to be enabled. If you disable or do not configure this policy setting, the local setting is used. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Shutdown!R ...

oval:org.secpod.oval:def:56180
When printing through a print server, determines whether the print spooler on the client will process print jobs itself, or pass them on to the server to do the work. This policy setting only affects printing to a Windows print server. If you enable this policy setting on a client machine, the cli ...

oval:org.secpod.oval:def:56351
This policy setting allows you to enable or disable the Add/Remove location options on the All Locations menu as well as any defined locations that were made by a user. When this policy is not configured, the default behavior is to allow users to add and remove new locations to the locations menu. W ...

oval:org.secpod.oval:def:56055
Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note: When the Apply local firewall rules setting is configured to No, Microsoft recommends also configuring the Display a notification ...

oval:org.secpod.oval:def:56418
This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting, the command line information for every process will be logged in pla ...

oval:org.secpod.oval:def:57175
Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Configuration\Windows Settin ...

oval:org.secpod.oval:def:56918
This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configur ...

oval:org.secpod.oval:def:56874
This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy ...

oval:org.secpod.oval:def:56786
This policy setting determines whether a portable computer can be undocked if the user does not log on to the system. Enable this policy setting to eliminate a Logon requirement and allow use of an external hardware eject button to undock the computer. If you disable this policy setting, a user must ...

oval:org.secpod.oval:def:56153
Specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. You can use this setting to prevent users from redirecting data to COM port peripherals or mapping local COM ports while they are logged on to a Remote Desktop Ser ...

oval:org.secpod.oval:def:56904
Enabling this policy allows indexing of mail items on a Microsoft Exchange server when Microsoft Outlook is not running in cached mode. The default behavior for search is to not index uncached Exchange folders. Disabling this policy will block any indexing of uncached Exchange folders. Delegate mail ...

oval:org.secpod.oval:def:56778
This policy setting allows local users to be enumerated on domain-joined computers. If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-j ...

oval:org.secpod.oval:def:57202
This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to selec ...

oval:org.secpod.oval:def:57185
If you enable (or do not configure) this policy setting, the Windows Biometric Service will be available, and users will be able to run applications that use biometrics on Windows. If you want to enable the ability to log on with biometrics, you must also configure the Allow users to log on using bi ...

oval:org.secpod.oval:def:57193
Optimizes performance of applications by caching commonly used font data. Applications will start this service if it is not already running. It can be disabled, though doing so will degrade application performance. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Serv ...

oval:org.secpod.oval:def:56521
This policy setting configures whether or not users can provision certificates on Enhanced Storage certificate silo devices. If you enable this policy setting, users can provision certificates on Enhanced Storage certificate silo devices. If you disable or do not configure this policy setting, use ...

oval:org.secpod.oval:def:56849
This policy prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that shipped with the operating system. Note that this does not affect the selection of replacement locales. To prevent the selection of replacement locales, ad ...

oval:org.secpod.oval:def:56763
Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options!Interactive logon: Machine in ...

oval:org.secpod.oval:def:57203
This policy setting determines which users who are logged on locally to the computers in your environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition. When configuring a user right in the SCM enter a comma deli ...

oval:org.secpod.oval:def:56040
Specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership ...

oval:org.secpod.oval:def:56477
This policy setting allows you to turn off desktop gadgets. Gadgets are small applets that display information or utilities on the desktop. If you enable this setting, desktop gadgets will be turned off. If you disable or do not configure this setting, desktop gadgets will be turned on. The defa ...

oval:org.secpod.oval:def:56547
This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. If you enable or do not configure this policy s ...

oval:org.secpod.oval:def:56927
This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning. If you enable this setting, a system restore point will be created. If you disable or do not configure this setting, a system restore point will not be created. Fix: (1) GPO: Compu ...

oval:org.secpod.oval:def:56707
This policy setting allows you to prevent Remote Desktop Services from creating session-specific temporary folders. You can use this policy setting to disable the creation of separate temporary folders on a remote computer for each session. By default, Remote Desktop Services creates a separate tem ...

oval:org.secpod.oval:def:56320
This policy setting limits a node to resolving, but not publishing, names in a specific Peer Name Resolution Protocol (PNRP) cloud. This policy setting forces computers to act as clients in peer-to-peer (P2P) scenarios. For example, a client computer can detect other computers to initiate chat sess ...

oval:org.secpod.oval:def:56992
This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. If you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and will only block those TPM commands specifie ...

oval:org.secpod.oval:def:56098
This policy setting turns off Windows presentation settings. If you enable this policy setting, Windows presentation settings cannot be invoked. If you disable this policy setting, Windows presentation settings can be invoked. The presentation settings icon will be displayed in the notification ar ...

oval:org.secpod.oval:def:56383
This policy setting prevents Local Group Policy objects (Local GPOs) from being applied. By default, the policy settings in Local GPOs are applied before any domain-based GPO policy settings. These policy settings can apply to both users and the local computer. You can disable the processing and ap ...

oval:org.secpod.oval:def:56750
Provides user experience theme management. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Themes (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Themes!Start

oval:org.secpod.oval:def:57091
This policy setting allows you to configure Automatic Maintenance wake up policy. The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note that if the OS power wake policy is explicitly disabled, then ...

oval:org.secpod.oval:def:56292
This policy setting determines whether the account name of the last user to log on to the client computers in your organization can display in each computer's respective Windows logon screen. If you enable this policy setting, intruders cannot collect account names visually from the screen ...

oval:org.secpod.oval:def:56929
This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. If you enable or do not configure this setting, archive files will be scanned. If you disable this setting, archive files will not be scanned. Fix: (1) GPO: ...

oval:org.secpod.oval:def:56291
This service publishes a machine name using the Peer Name Resolution Protocol. Configuration is managed via the netsh context 'p2p pnrp peer'. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!PNRP Machine Name Publication Service (2) REG: H ...

oval:org.secpod.oval:def:56734
Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Windows Installer (2) REG: H ...

oval:org.secpod.oval:def:56338
This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, read access will be denied to this removable storage class. If you disable or do not configure this policy setting, re ...

oval:org.secpod.oval:def:56906
This policy setting specifies whether Windows will search Windows Update for device drivers when no local drivers for a device are present. Note: See also Turn off Windows Update device driver search prompt in Administrative Templates/System, which governs whether an administrator is prompted befo ...

oval:org.secpod.oval:def:56127
Enables or disables the automatic download and installation of app updates. If you enable this setting, the automatic download and installation of app updates is turned off. If you disable this setting, the automatic download and installation of app updates is turned on. If you don't con ...

oval:org.secpod.oval:def:56649
This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows ...

oval:org.secpod.oval:def:56578
This policy controls whether the print spooler will accept client connections. When the policy is unconfigured, the spooler will not accept client connections until a user shares out a local printer or opens the print queue on a printer connection, at which point spooler will begin accepting client ...

oval:org.secpod.oval:def:56760
Allow Automatic Sleep with Open Network Files. If you enable this policy setting, the computer will automatically sleep when network files are open. If you disable this policy setting, the computer will not automatically sleep when network files are open. Fix: (1) GPO: Computer Configuration\Adm ...

oval:org.secpod.oval:def:56836
Allows the redirection of Printers/Drives/Ports for RDP connections. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Remote Desktop Services UserMode Port Redirector (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\UmRdpService!Start

oval:org.secpod.oval:def:57025
This policy controls the state of the application compatibility engine in the system. The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or comp ...

oval:org.secpod.oval:def:56620
Allows the system to be configured to lock the user desktop upon smart card removal. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Smart Card Removal Policy (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SCPolicySvc!Start

oval:org.secpod.oval:def:56198
The Windows Process Activation Service (WAS) provides process activation, resource management and health management services for message-activated applications. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Windows Process Activation Service (2) REG: HKEY ...

oval:org.secpod.oval:def:56773
This service delivers network notifications (e.g. interface addition/deletion, etc.) to user mode clients. Stopping this service will cause loss of network connectivity. If this service is disabled, any other services that explicitly depend on this service will fail to start. Fix: (1) GPO: Computer ...

oval:org.secpod.oval:def:56499
This setting allows you to configure whether power is automatically turned off when Windows shutdown completes. This setting does not affect Windows shutdown behavior when shutdown is manually selected using the Start menu or Task Manager user interfaces. Applications such as UPS software may rely o ...

oval:org.secpod.oval:def:56173
This policy setting determines which users or processes can generate audit records in the Security log. When configuring a user right in the SCM, enter a comma-delimited list of accounts. Accounts can be either local or located in Active Directory; they can be groups, users, or computers. This poli ...

oval:org.secpod.oval:def:57011
This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. This policy setting controls whether the computer can ...

oval:org.secpod.oval:def:57169
Manages audio devices for the Windows Audio service. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\S ...

oval:org.secpod.oval:def:56309
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - \Program Files\, including subfolders - \Windows\system32\ - \Pr ...

oval:org.secpod.oval:def:56697
Windows Mail will not check your newsgroup servers for Communities support. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Mail!Turn off the communities features (2) REG: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Mail!DisableCommunities

oval:org.secpod.oval:def:56136
This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. If you enable this policy setting, you can define addit ...

oval:org.secpod.oval:def:56634
Prevents Group Policy from being updated while the computer is in use. This setting applies to Group Policy for computers, users, and domain controllers. If you enable this setting, the system waits until the current user logs off the system before updating the computer and user settings. If you d ...

oval:org.secpod.oval:def:56747
This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, write access will be denied to this removable storage class. If you disable or do not configure this policy setting, ...

oval:org.secpod.oval:def:57074
Enable this policy to prevent indexing of any Microsoft Outlook items. The default is to automatically index Outlook items. If this policy is enabled then the user's Outlook items will not be added to the index and the user will not see them in search results. Fix: (1) GPO: Computer Confi ...

oval:org.secpod.oval:def:56972
Specifies whether Events.asp hyperlinks are available for events within the Event Viewer application. The Event Viewer normally makes all HTTP(S) URLs into hot links that activate the Internet browser when clicked. In addition, More Information is placed at the end of the description text if the ev ...

oval:org.secpod.oval:def:56870
Turns off Windows Network Isolation's automatic proxy discovery in the domain corporate environment. If you enable this policy setting, it turns off Windows Network Isolation's automatic proxy discovery in the domain corporate environment. Only proxies configured with Group Policy ...

oval:org.secpod.oval:def:56168
This service is used to protect data through the Group Data Protection API. It is also used to support a number of system features including BitLocker on clustered volumes, Managed Service Accounts, and secure DNS. If this service is stopped, those features will no longer work. Fix: (1) GPO: Compu ...

oval:org.secpod.oval:def:56507
Maintains a database of iSNS client registrations and notifies clients when changes are made to the database. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Microsoft iSNS Server (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msisns!Start

oval:org.secpod.oval:def:56235
Enable this policy setting to prevent the indexing of the content of e-mail attachments. If enabled, indexing service components (including non-Microsoft components) are expected not to index e-mail attachments. Consider enabling this policy if you are concerned about the security or indexing perfor ...

oval:org.secpod.oval:def:56468
This policy setting turns off the option to periodically wake the computer to update information on Windows SideShow-compatible devices. If you enable this policy setting, the option to automatically wake the computer will not be available in the Windows SideShow Control Panel. If you disable or d ...

oval:org.secpod.oval:def:56143
Manages user-mode driver host processes. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Windows Driver Foundation - User-mode Driver Framework (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wudfsvc!Start

oval:org.secpod.oval:def:56769
Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\System Services!Device Install Service (2) REG: HKEY_LOCAL_MACH ...

oval:org.secpod.oval:def:57063
This policy setting allows you to manage whether backups of only system volumes are allowed or whether both OS and data volumes can be backed up. If you enable this policy setting, the machine administrator/backup operator can back up only volumes hosting OS components, and no data-only volumes can be backed up. ...

oval:org.secpod.oval:def:56844
This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. Warning: When a domain does not support Kerberos armoring by enabling Support Dynamic Access Control and Kerberos armoring, then all authentication for al ...

oval:org.secpod.oval:def:56948
This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time o ...

oval:org.secpod.oval:def:56821
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall wi ...

oval:org.secpod.oval:def:56666
This policy setting allows you to specify whether to use the RD Connection Broker load balancing feature to balance the load between servers in an RD Session Host server farm. If you enable this policy setting, RD Connection Broker redirects users who do not have an existing session to the RD Sessi ...

oval:org.secpod.oval:def:56764
Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note When the Apply local firewall rules setting is configured to No, Microsoft recommends also configuring the Display a notification ...

oval:org.secpod.oval:def:56501
Directs the system to wait for the remote copy of the roaming user profile to load, even when loading is slow. Also, the system waits for the remote copy when the user is notified about a slow connection, but does not respond in the time allowed. This setting and related settings in this folder tog ...

oval:org.secpod.oval:def:56054
Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (instal ...

oval:org.secpod.oval:def:56332
This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programming interface (API). Otherwise, t ...

oval:org.secpod.oval:def:56599
This policy setting controls the behavior of the elevation prompt for standard users. The options are: - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the oper ...

oval:org.secpod.oval:def:57232
This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. If this user right is assigned, significant degradation of system performance can occur. When configuring a user right in the SCM enter a comma delimited l ...

oval:org.secpod.oval:def:56584
This policy setting allows one process or service to start another service or process with a different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges. When configuring a user right in the SCM enter a comma ...

oval:org.secpod.oval:def:57099
This policy setting determines who is allowed to format and eject removable media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. This policy setting determines who ...

oval:org.secpod.oval:def:56825
This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this capability to install malicious code that appears to be a device driver. This user right is required for users to add local printers or printer drivers in Windows Vista. When ...

oval:org.secpod.oval:def:57092
This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. Abuse of this privilege could allow unauthorized users to impersonate other users on the network. When configuring a user right in the SCM enter a comma delimited list of accounts ...

oval:org.secpod.oval:def:56302
This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories on computers that run Windows Vista in your environment. This user right also determines which users can set valid security principa ...

oval:org.secpod.oval:def:56166
This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Note Older operating systems and some third- ...

oval:org.secpod.oval:def:56611
This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies. Important: If you apply this security policy to the Everyone group, no one will be able to log o ...

oval:org.secpod.oval:def:56167
This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. It affects the SMB component. If you enable this policy setting, client sessions with the SMB service will be forcibly disconnected when the client's log ...

oval:org.secpod.oval:def:57221
This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constraine ...

oval:org.secpod.oval:def:57204
This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial-of-service condition. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be ...

oval:org.secpod.oval:def:57165
This user right is useful to kernel-mode components that extend the object namespace. However, components that run in kernel mode have this user right inherently. Therefore, it is typically not necessary to specifically assign this user right. When configuring a user right in the SCM enter a comma ...

oval:org.secpod.oval:def:56913
If you enable this policy setting, users are required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism. This means that before entering account and password information to authorize an elevation request, a user first needs to press CTRL+ALT+DEL. This policy s ...

oval:org.secpod.oval:def:57019
This policy setting prevents users from adding new Microsoft accounts on this computer. If you select the Users can't add Microsoft accounts option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account t ...

oval:org.secpod.oval:def:56621
This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Di ...

oval:org.secpod.oval:def:56824
This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certai ...

oval:org.secpod.oval:def:90029
This policy setting controls which protocols incoming Remote Procedure Call (RPC) connections to the print spooler are allowed to use. The recommended state for this setting is: Enabled: RPC over TCP. Fix: (1) GPO: Computer Configuration\Policies\Administrative Templates\Printers\Configure RPC listener ...

oval:org.secpod.oval:def:90033
This policy setting controls whether computers will show a warning and a security elevation prompt when users create a new printer connection using Point and Print. The recommended state for this setting is: Enabled: Show warning and elevation prompt. Fix: (1) GPO: Computer Configuration\Policies\Admin ...

oval:org.secpod.oval:def:56048
This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the ...

oval:org.secpod.oval:def:56653
Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to third-party SMB servers that do not support password encryption. Microsoft recommends that you disable this policy setting unless there is a strong business case to enable it. If this ...

oval:org.secpod.oval:def:85625
This security setting determines whether a different account name is associated with the security identifier (SID) for the account Guest. Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. Default: Guest. ...

oval:org.secpod.oval:def:56761
This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections cannot enumerate domain account user names on the workstations in your environment. This policy setting al ...

oval:org.secpod.oval:def:56047
This policy setting determines which registry paths will be accessible after referencing the WinReg key to determine access permissions to the paths. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called Network access: Remotely accessib ...

oval:org.secpod.oval:def:56916
This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. If you enable the No auto-restart for scheduled Automatic Updates installations setting, Automatic Updates does not restart compu ...

oval:org.secpod.oval:def:56654
This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from t ...

oval:org.secpod.oval:def:57148
This policy setting determines what additional permissions are assigned for anonymous connections to the computer. If you enable this policy setting, anonymous Windows users are allowed to perform certain activities, such as enumerate the names of domain accounts and network shares. An unauthorized ...

oval:org.secpod.oval:def:90030
This policy setting controls which protocols incoming Remote Procedure Call (RPC) connections to the print spooler are allowed to use. The recommended state for this setting is: Enabled: Negotiate or higher. Fix: (1) GPO: Computer Configuration\Policies\Administrative Templates\Printers\Configure RPC l ...

oval:org.secpod.oval:def:56648
This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. The implementation of digital signing in Windows based networks helps to prevent sessions from being hijacked. If you enable this policy setting, the Microsoft network client will use signing only if ...

oval:org.secpod.oval:def:57095
This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests, as follows: - None. The LDAP BIND request is issued with the caller-specified options. - Negotiate signing. If Transport Layer Security/Secure Sockets Layer (TLS/SSL) has no ...

oval:org.secpod.oval:def:56147
This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing po ...

oval:org.secpod.oval:def:56711
When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to sh ...

oval:org.secpod.oval:def:57064
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. Select On to allow Wi ...

oval:org.secpod.oval:def:85619
This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password co ...

oval:org.secpod.oval:def:56593
This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. If a system is set to always encrypt or sign secure channel data, it cannot establish a secure channel with a domain controller that is not capable of signing or encr ...

oval:org.secpod.oval:def:90034
This policy setting controls whether computers will show a warning and a security elevation prompt when users are updating drivers for an existing connection using Point and Print. The recommended state for this setting is: Enabled: Show warning and elevation prompt. Fix: (1) GPO: Computer Configuration ...

oval:org.secpod.oval:def:56775
This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case i ...

oval:org.secpod.oval:def:56422
This policy setting determines whether users must press CTRL+ALT+DEL before they log on. If you enable this policy setting, users can log on without this key combination. If you disable this policy setting, users must press CTRL+ALT+DEL before they log on to Windows unless they use a smart card for ...

oval:org.secpod.oval:def:56794
This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setti ...

oval:org.secpod.oval:def:56466
This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process. If ...

oval:org.secpod.oval:def:56923
The Telnet service supports connections from various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. Telnet Server for Windows provides ASCII terminal sessions to Telnet clients. Telnet Server supports two types of authentication and supports four types of terminals: ANSI, V ...

oval:org.secpod.oval:def:57144
Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. If the status is ...

oval:org.secpod.oval:def:57119
When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all domain controllers in the domain must be able to encrypt secure channel da ...

oval:org.secpod.oval:def:57168
This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently warn users when their passwords will expire. This policy setting determines how far in advance users are warned ...

oval:org.secpod.oval:def:56827
This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, lo ...

oval:org.secpod.oval:def:56826
This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the workstations in your environment. The Network access: Do ...

oval:org.secpod.oval:def:57171
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. Windows Firewall with ...

oval:org.secpod.oval:def:56749
This policy setting determines whether packet signing is required by the SMB client component. If you enable this policy setting, the Microsoft network client computer cannot communicate with a Microsoft network server unless that server agrees to sign SMB packets. In mixed environments with legacy ...

oval:org.secpod.oval:def:56828
This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. Microsoft recomme ...

oval:org.secpod.oval:def:56049
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. Fix: (1) GPO: Comput ...

oval:org.secpod.oval:def:57022
This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. Note: It can be very dangerous to add other s ...

oval:org.secpod.oval:def:56325
This policy setting determines which registry paths and sub-paths will be accessible when an application or process references the WinReg key to determine access permissions. Note: In Windows XP this setting is called Network access: Remotely accessible registry paths, the setting with that same na ...

oval:org.secpod.oval:def:56329
Microsoft recommends that you use this setting, if appropriate to your environment and your organization's business requirements, to help protect end user computers. This policy setting specifies a text message that displays to users when they log on. This policy setting specifies a text m ...

oval:org.secpod.oval:def:94748
This policy setting allows you to audit when plug and play detects an external device. The recommended state for this setting is to include: Success. Note: A Windows 10, Server 2016 or newer OS is required to access and set this value in Group Policy. Fix: (1) GPO: Computer Configuration\ ...

oval:org.secpod.oval:def:82082
This policy setting allows you to audit events generated by user account logon attempts on the computer. Events in this subcategory are related to the creation of logon sessions and occur on the computer which was accessed. For an interactive logon, the security audit event is generated on the compu ...

oval:org.secpod.oval:def:82081
This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. If you configure this policy setting, ...

oval:org.secpod.oval:def:82080
This policy setting allows you to audit events generated by a failed attempt to log on to an account that is locked out. If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful ...

oval:org.secpod.oval:def:82086
This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. For scheduler jobs, the following are audited: Job created. Job deleted. Job enabled. Job disabled. Job updated. For COM+ objects, the following are audited: Ca ...

oval:org.secpod.oval:def:82085
This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). The following privileges are non-sensitive: Access Credential Manager as a trusted caller. Access this computer from the network. Add workstations to domain. ...

oval:org.secpod.oval:def:82084
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1,024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments. If you disable or do not c ...

oval:org.secpod.oval:def:82083
This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful a ...

oval:org.secpod.oval:def:82079
Determines when registry policies are updated. This setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed. If you enab ...

oval:org.secpod.oval:def:82078
Determines when registry policies are updated. This setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed. If you enab ...

oval:org.secpod.oval:def:82077
This policy setting configures secure access to UNC paths. If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. Specify hardened network paths. In the name field, type a fully-qualified UNC path for each network resour ...

oval:org.secpod.oval:def:82076
This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through a ...

oval:org.secpod.oval:def:82071
This security setting determines whether the local Administrator account is enabled or disabled. Notes If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In ...

oval:org.secpod.oval:def:82070
This security setting determines how often a domain member will attempt to change its computer account password. Default: 30 days. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly or set it to 0 so that the computers ...

oval:org.secpod.oval:def:82075
This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. If you enable this policy setting, Windows PowerShell will enable transcripting for Windows PowerShell, the Windows PowerShell ISE, and any other applications that leverage the Win ...

oval:org.secpod.oval:def:82074
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service. Note: This policy does not apply to Windows RT. This setting lets you specify whether automatic updates are enabled on this computer. If the service is enable ...

oval:org.secpod.oval:def:82073
This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detec ...

oval:org.secpod.oval:def:82072
This security setting determines whether the operating system stores passwords using reversible encryption. This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is ess ...

oval:org.secpod.oval:def:82068
This security setting determines which users and groups are prohibited from logging on as a Remote Desktop Services client. Default: None. Important This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2. Counter Measure: Assign the Deny ...

oval:org.secpod.oval:def:82067
This security setting determines which users can use performance monitoring tools to monitor the performance of system processes. Default: Administrators. Counter Measure: Ensure that only the local Administrators group is assigned the Profile system performance user right. Potential Impact: ...

oval:org.secpod.oval:def:82066
This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. If you disable or do not configure this policy setting, KMS client activation data w ...

oval:org.secpod.oval:def:82065
This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. If you enable this policy setting, you must select the desired time limit in the Idle session limit drop- ...

oval:org.secpod.oval:def:82069
This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. Counter Measure: Configure this user right so that no account ...

oval:org.secpod.oval:def:82099
This policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category, such as the following: Trusted Platform Module (TPM) configuration changes. Kernel-mode cryptographic self tests. Cryptographic provider operation ...

oval:org.secpod.oval:def:82098
This policy setting determines the amount of diagnostic and usage data reported to Microsoft. A value of 0 will send minimal data to Microsoft. This data includes Malicious Software Removal Tool (MSRT) & Windows Defender data, if enabled, and telemetry client settings. Setting a value of 0 appli ...

oval:org.secpod.oval:def:82093
This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. If you enable this policy setting, users will no longer see feedback notifications through the Windows Feedback app. If you disable or do not configure this policy setting, use ...

oval:org.secpod.oval:def:82092
This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. If you enable this policy setting, users will no longer see personalized recommendations from Microsoft and notifications about their Microsoft account. If you disable or do ...

oval:org.secpod.oval:def:82091
This subcategory reports events generated by the Kerberos Authentication Server. These events occur on the computer that is authoritative for the credentials. Events for this subcategory include: - 4768: A Kerberos authentication ticket (TGT) was requested. - 4771: Kerberos pre-authentication failed ...

oval:org.secpod.oval:def:82090
Manages a Windows app's ability to share data between users who have installed the app. If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage API. ...

oval:org.secpod.oval:def:82097
Specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. If you enable this setting, all communications between clients and RD Session Host servers during remote conne ...

oval:org.secpod.oval:def:82096
This policy setting allows you to audit attempts to access a shared folder. If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. If this policy setting is defined, the administrator can specify whether to audit only successes, only fai ...

oval:org.secpod.oval:def:82094
This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview soft ...

oval:org.secpod.oval:def:82088
This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following: Reporting of active policies when Windows Firewall service starts. Changes to Windows ...

oval:org.secpod.oval:def:82087
This policy setting allows you to audit events generated by changes to the authorization policy such as the following: Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the "Authentication Policy Change" subcategory. Remova ...

oval:org.secpod.oval:def:82042
This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Ser ...

oval:org.secpod.oval:def:82041
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure th ...

oval:org.secpod.oval:def:82040
If the Screen Saver Timeout setting is enabled, then the screen saver will be launched when the specified amount of time has passed since the last user action. Valid values range from 1 to 89,400 seconds (24 hours). The setting has no effect if the wait time is set to zero or no screen saver has bee ...

oval:org.secpod.oval:def:82035
The registry value entry TCPMaxDataRetransmissions for IPv6 was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\ registry key. The entry appears as MSS: (TcpMaxDataRetransmissions) IPv6 How many times unacknowledged data is retransmitted (3 re ...

oval:org.secpod.oval:def:82034
This policy setting allows you to set the encryption types that Kerberos is allowed to use. This policy is supported on at least Windows 7 or Windows Server 2008 R2. This policy setting allows you to set the encryption types that Kerberos is allowed to use. Fix: (1) GPO: Computer Configuration\W ...

oval:org.secpod.oval:def:82033
This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authoritative, whereas for local accounts, the local compute ...

oval:org.secpod.oval:def:82032
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure th ...

oval:org.secpod.oval:def:82039
This policy setting prohibits access to Windows Connect Now (WCN) wizards. If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including Set up a wireless router or access point and Add a wireless de ...

oval:org.secpod.oval:def:82038
This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If you enable this Audit policy setting, administrators can track events to detect malicious, ...

oval:org.secpod.oval:def:82037
This subcategory reports other account management events. Events for this subcategory include: - 4782: The password hash an account was accessed. - 4793: The Password Policy Checking API was called. Refer to the Microsoft Knowledgebase article "Description of security events in Windows Vista and in ...

oval:org.secpod.oval:def:82036
This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory include: - 4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in ...

oval:org.secpod.oval:def:82031
If the Password protect the screen saver setting is enabled, then all screen savers are password protected; if it is disabled, then password protection cannot be set on any screen saver. If this setting is enabled, then all screen savers are password protected. Fix: (1) GPO: User Configuration\Admi ...

oval:org.secpod.oval:def:82030
This subcategory reports changes to objects in Active Directory Domain Services (AD DS). The types of changes that are reported are create, modify, move, and undelete operations that are performed on an object. DS Change auditing, where appropriate, indicates the old and new values of the changed pr ...

oval:org.secpod.oval:def:82029
This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it. If you enable this policy setting, users cannot participate in ...

oval:org.secpod.oval:def:82024
This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this ...

oval:org.secpod.oval:def:82023
This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include: - 4612: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. - 4615: Invalid use of LPC port. - 4618: A monitored ...

oval:org.secpod.oval:def:82022
This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the ...

oval:org.secpod.oval:def:82021
The registry value entry NoNameReleaseOnDemand was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\ registry key. The entry appears as MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS ser ...

oval:org.secpod.oval:def:82028
This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 Wi-Fi, through the Windows Portable Device API (WPD), and via USB Flash drives. Additiona ...

oval:org.secpod.oval:def:82027
This policy setting allows you to prevent Windows Media Player from downloading codecs. If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player is not ...

oval:org.secpod.oval:def:82026
This subcategory reports when an AD DS object is accessed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. These events are similar to the directory service access events in previous versions of Windows Server. This sub ...

oval:org.secpod.oval:def:82025
This policy setting allows you to manage whether Windows marks file attachments from Internet Explorer or Microsoft Outlook Express with information about their zone of origin (such as restricted, Internet, intranet, or local). This policy setting requires that files be downloaded to NTFS disk part ...

oval:org.secpod.oval:def:82060
This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: - Good: T ...

oval:org.secpod.oval:def:82064
This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session is kept active on the server. By default, Remote Desktop Services allows users to disconn ...

oval:org.secpod.oval:def:82063
This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabl ...

oval:org.secpod.oval:def:82062
Enables management of the password for the local administrator account. If you enable this setting, the local administrator password is managed. If you disable or do not configure this setting, the local administrator password is NOT managed. Counter Measure: Enable this setting. Potential Impact: Lo ...

oval:org.secpod.oval:def:82061
When you enable this setting, a planned password expiration longer than the password age dictated by the Password Settings policy is NOT allowed. When such an expiration is detected, the password is changed immediately and the password expiration is set according to policy. When you disable or do not configure this se ...

oval:org.secpod.oval:def:82057
This subcategory reports each event of application group management on a computer, such as when an application group is created, changed, or deleted or when a member is added to or removed from an application group. If you enable this Audit policy setting, administrators can track events to detect m ...

oval:org.secpod.oval:def:82056
This subcategory reports changes in authentication policy. Events for this subcategory include: - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4713: Kerberos policy was changed. - 4716: Trusted domain information was modified. - 4717: System security access w ...

oval:org.secpod.oval:def:82055
Specifies whether the Order Prints Online task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. If you enable this setting, the task Order Prints Online is removed from Picture Tasks i ...

oval:org.secpod.oval:def:82054
This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing an autorun command is inserted, the system ...

oval:org.secpod.oval:def:82059
Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as op ...

oval:org.secpod.oval:def:82058
System-wide Structured Exception Handler Overwrite Protection setting Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\EMET\System SEHOP (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings!SEHOP

oval:org.secpod.oval:def:82053
This policy setting determines whether to require domain users to elevate when setting a network's location. If you enable this policy setting, domain users must elevate when setting a network's location. If you disable or do not configure this policy setting, domain users can se ...

oval:org.secpod.oval:def:82052
This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network healt ...

oval:org.secpod.oval:def:82051
This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. Events for this subcategory include: - 4608: Windows is starting up. - 4609: Windows is shutting down. - 4616: The system time was changed. - 4621: Administrator recovered system f ...

oval:org.secpod.oval:def:82050
This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to shar ...

oval:org.secpod.oval:def:82046
This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include: - 4715: The audit policy (SACL) on an object was changed. - 4719: System audit policy was changed. - 4902: The Per-user audit policy table was created. - 4904: An attempt was made to registe ...

oval:org.secpod.oval:def:82045
This subcategory reports each event of computer account management, such as when a computer account is created, changed, deleted, renamed, disabled, or enabled. Events for this subcategory include: - 4741: A computer account was created. - 4742: A computer account was changed. - 4743: A computer acc ...

oval:org.secpod.oval:def:82044
The registry value entry ScreenSaverGracePeriod was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ registry key. The entry appears as MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 ...

oval:org.secpod.oval:def:82043
This policy setting allows you to manage whether or not screen savers run. If the Screen Saver setting is disabled screen savers do not run and the screen saver section of the Screen Saver tab in Display in Control Panel is disabled. If this setting is enabled a screen saver will run if the followin ...

oval:org.secpod.oval:def:82049
The registry value entry PerformRouterDiscovery was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to Do ...

oval:org.secpod.oval:def:82048
This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and ...

oval:org.secpod.oval:def:82047
This subcategory reports on other system events. Events for this subcategory include: - 5024: The Windows Firewall Service has started successfully. - 5025: The Windows Firewall Service has been stopped. - 5027: The Windows Firewall Service was unable to retrieve the security policy from the loca ...

oval:org.secpod.oval:def:82020
This policy setting allows you to turn off the Autoplay feature. Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately. Prior to Windows XP SP2, Autoplay is disabled ...

oval:org.secpod.oval:def:82019
The registry value entry KeepAliveTime was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds (300,000 is recommended) in the SCE. This ...

oval:org.secpod.oval:def:82018
Antivirus programs are mandatory in many environments and provide a strong defense against attack. The Notify antivirus programs when opening attachments setting allows you to manage how registered antivirus programs are notified. When enabled, this policy setting configures Windows to call the reg ...

oval:org.secpod.oval:def:82013
This subcategory reports other logon/logoff-related events, such as Terminal Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. Events for this subcategory include: - 4649: A replay attack was detected. - 4778 ...

oval:org.secpod.oval:def:82012
This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include: - 4964: Special groups have been assigned to a new logon. Refer to the Microso ...

oval:org.secpod.oval:def:82011
This subcategory reports each event of distribution group management, such as when a distribution group is created, changed, or deleted or when a member is added to or removed from a distribution group. If you enable this Audit policy setting, administrators can track events to detect malicious, acc ...

oval:org.secpod.oval:def:82010
This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SM ...

oval:org.secpod.oval:def:82017
This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including g ...

oval:org.secpod.oval:def:82016
This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. If you disable this policy ...

oval:org.secpod.oval:def:82015
The registry value entry SafeDllSearchMode was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ registry key. The entry appears as MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) in the SCE. The DLL search order can be config ...

oval:org.secpod.oval:def:82014
This policy setting turns off toast notifications on the lock screen. If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen. If you disable or do not configure this policy setting, toast notifications on the lock screen are enabled and can ...

oval:org.secpod.oval:def:82009
This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events for this subcategory include: - 4610: An authentication package has been loaded by the Local Security Authority. - 4611: A trusted logon process has been registered with the Local ...

oval:org.secpod.oval:def:82008
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure th ...

oval:org.secpod.oval:def:82007
Determines if an anonymous user can request security identifier (SID) attributes for another user.

oval:org.secpod.oval:def:82006
The registry value entry TCPMaxDataRetransmissions was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 i ...

oval:org.secpod.oval:def:82005
This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. If you enable this policy setting, users are not gi ...

oval:org.secpod.oval:def:89594
This policy setting allows you to configure script scanning. If you enable or do not configure this setting, script scanning will be enabled. If you disable this setting, script scanning will be disabled. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Microso ...

oval:org.secpod.oval:def:89595
This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account access ...

oval:org.secpod.oval:def:89592
This policy setting lets you turn off cloud consumer account state content in all Windows experiences. If you enable this policy, Windows experiences that use the cloud consumer account state content client component, will instead present the default fallback content. If you disable or do not co ...

oval:org.secpod.oval:def:89593
Local Administrator Password Solution (LAPS) tool is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and member servers. The passwords are stored in a confidential attribute of th ...

oval:org.secpod.oval:def:89591
This policy allows you to audit the group membership information in the user logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a ne ...

oval:org.secpod.oval:def:89606
Determines whether users that aren't Administrators can install print drivers on this computer. By default, users that aren't Administrators can't install print drivers on this computer. If you enable this setting or do not configure it, the system will limit installation of print drivers to Admin ...

oval:org.secpod.oval:def:89607
This policy setting controls whether Windows attempts to connect with the OneSettings service. If you enable this policy, Windows will not attempt to connect with the OneSettings Service. If you disable or don't configure this policy setting, Windows will periodically attempt to connect with the O ...

oval:org.secpod.oval:def:89604
This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem. Dumps are only sent when the device has been configured to send optional diagnostic data. By enabling this setting, Windows Error Reporting is limited to sending kernel mini ...

oval:org.secpod.oval:def:89605
This policy setting removes the Spotlight collection setting in Personalization, rendering the user unable to select and subsequently download daily images from Microsoft to desktop. If you enable this policy, "Spotlight collection" will not be available as an option in Personalization settings. If ...

oval:org.secpod.oval:def:89602
This policy setting controls whether Windows records attempts to download configuration settings from the OneSettings service to the EventLog. If you enable this policy, Windows will record attempts to download configuration settings from the OneSettings service to the Microsoft\Windows\Privacy-Aud ...

oval:org.secpod.oval:def:89603
This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot a problem on the device. Diagnostic logs are only sent when the device has been configured to send optional diagnostic data. By enabling this policy setting, diagnostic logs ...

oval:org.secpod.oval:def:89601
Disabling this setting turns off search highlights in the taskbar search box and in search home. Enabling or not configuring this setting turns on search highlights in the taskbar search box and in search home. Fix: (1) GPO: Computer Configuration/Administrative Templates/Windows Components/Sear ...

oval:org.secpod.oval:def:82398
Enable or disable file hash computation feature. Enabled: When this feature is enabled Microsoft Defender will compute hash value for files it scans. Disabled: File hash value is not computed Not configured: Same as Disabled. Fix: (1) GPO: Computer Configuration\Administrative Templates\Win ...

oval:org.secpod.oval:def:82397
This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this policy setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download fo ...

oval:org.secpod.oval:def:82396
This policy setting lets you turn off cloud optimized content in all Windows experiences. If you enable this policy, Windows experiences that use the cloud optimized content client component, will instead present the default fallback content. If you disable or do not configure this policy, Windows ...

oval:org.secpod.oval:def:82395
This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share ...

oval:org.secpod.oval:def:82399
Enables or disables the retrieval of online tips and help for the Settings app. If disabled, Settings will not contact Microsoft content services to retrieve tips and help content. Fix: (1) GPO: Computer Configuration\Administrative Templates\Control Panel\Allow Online Tips (2) REG: HKEY_LOCAL_ ...

oval:org.secpod.oval:def:82394
This policy enables the automatic learning component of input personalization that includes speech, inking, and typing. Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana ...

oval:org.secpod.oval:def:82393
This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audit ...

oval:org.secpod.oval:def:82119
This setting controls whether users can provide Microsoft accounts for authentication for applications or services. If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. This applies both to existing users of a device ...

oval:org.secpod.oval:def:82118
This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Messaging\Allow Message Service Cloud Sync (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Messa ...

oval:org.secpod.oval:def:82117
This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically ...

oval:org.secpod.oval:def:82112
This policy prevents the user from showing account details (email address or user name) on the sign-in screen. If you enable this policy setting, the user cannot choose to show account details on the sign-in screen. If you disable or do not configure this policy setting, the user may choose to sho ...

oval:org.secpod.oval:def:82111
Enumeration policy for external DMA-capable devices incompatible with DMA remapping. This policy only takes effect when Kernel DMA Protection is enabled and supported by the system. Note: this policy does not apply to 1394, PCMCIA or ExpressCard devices. Fix: (1) GPO: Computer Configuration\Admin ...

oval:org.secpod.oval:def:82110
Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the dev ...

oval:org.secpod.oval:def:82116
This policy setting allows you to require a pin for pairing. If you set this to 'Never', a pin isn't required for pairing. If you set this to 'First Time', the pairing ceremony for new devices will always require a PIN. If you set this to 'Always', all pairings will require PIN. Fix: (1) GPO: ...

oval:org.secpod.oval:def:82115
This policy setting allows the use of Camera devices on the machine. If you enable or do not configure this policy setting, Camera devices will be enabled. If you disable this property setting, Camera devices will be disabled. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windo ...

oval:org.secpod.oval:def:82114
This policy setting determines whether published User Activities can be uploaded. If you enable this policy setting, activities of type User Activity are allowed to be uploaded. If you disable this policy setting, activities of type User Activity are not allowed to be uploaded. Deletion of activitie ...

oval:org.secpod.oval:def:82113
This policy setting determines whether Clipboard contents can be synchronized across devices. If you enable this policy setting, Clipboard contents are allowed to be synchronized across devices logged in under the same Microsoft account or Azure AD account. If you disable this policy setting, Clipbo ...

oval:org.secpod.oval:def:82109
This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences). If you enable this policy setting, the Windows device is discoverable by other Windows devices that belong to the same user, and can participate in cross-device ex ...

oval:org.secpod.oval:def:82108
Specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot, and can optionally be enabled with the use of DMA Protections. DMA protections require ...

oval:org.secpod.oval:def:82107
Remote host allows delegation of non-exportable credentials. When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. If you enable this policy setting, the host s ...

oval:org.secpod.oval:def:82106
Encryption Oracle Remediation. This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable ...

oval:org.secpod.oval:def:82101
This policy setting determines whether enhanced anti-spoofing is configured for devices which support it. If you do not configure this policy setting, users will be able to choose whether or not to use enhanced anti-spoofing on supported devices. If you enable this policy setting, Windows ...

oval:org.secpod.oval:def:82100
This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons. If you disable this policy setting, the SMB client will reject ...

oval:org.secpod.oval:def:82105
This policy setting blocks applications from using the network to send notifications to update tiles, tile badges, toast, or raw notifications. This policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications fr ...

oval:org.secpod.oval:def:82104
Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, ...

oval:org.secpod.oval:def:82102
This policy setting allows you to restrict remote RPC connections to SAM. The recommended state for this setting is: Administrators: Remote Access: Allow. Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy. Note 2: If your organiza ...

oval:org.secpod.oval:def:82139
This policy setting sets the Attack Surface Reduction rules. Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Fix: (1) GPO: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender An ...

oval:org.secpod.oval:def:82134
Sets the NetBIOS node type. When WINS servers are used, the default is hybrid (h), otherwise broadcast (b). This policy setting allows you to manage the computer's NetBIOS node type. The selected NetBIOS node type determines what methods NetBT will use to register and resolve names. If you enable t ...

oval:org.secpod.oval:def:82133
Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended.) Enabling this setting enables server-side processing of the SMBv1 protocol. (Default.) Changes to this setting require a reboot to take effect. For more information, see https://support.microsoft.com/kb/2 ...

oval:org.secpod.oval:def:82132
Configures the SMB v1 client driver's start type. To disable client-side processing of the SMBv1 protocol, select the "Enabled" radio button, then select "Disable driver" from the dropdown. WARNING: DO NOT SELECT THE "DISABLED" RADIO BUTTON UNDER ANY CIRCUMSTANCES! For Windows 7 and Servers 2008, ...

oval:org.secpod.oval:def:82131
This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. If you enable this policy setting, network connectivity will be maintained in standby. If you disable this policy setting, network connectivity in standby is not guaranteed. This ...

oval:org.secpod.oval:def:82138
This policy setting lets you turn off all Windows Spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimi ...

oval:org.secpod.oval:def:82137
This policy setting lets you prevent Windows from using diagnostic data to provide tailored experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device (this data may include browser, app and feature usage, depending on the "diagnostic data" set ...

oval:org.secpod.oval:def:82136
If you enable this policy, Windows spotlight features like lock screen spotlight, suggested apps in Start menu or Windows tips will no longer suggest apps and content from third-party software publishers. Users may still see suggestions and tips to make them more productive with Microsoft features a ...

oval:org.secpod.oval:def:82135
This policy setting lets you configure Windows spotlight on the lock screen. If you enable this policy setting, "Windows spotlight" will be set as the lock screen provider and users will not be able to modify their lock screen. "Windows spotlight" will display daily images from Microsoft on the loc ...

oval:org.secpod.oval:def:82130
This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. If you enable this policy setting, network connectivity will be maintained in standby. If you disable this policy setting, network connectivity in standby is not guaranteed. This ...

oval:org.secpod.oval:def:82128
Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. Enabled: Specify the mode in the Options section: -Block: Potentially unwanted software ...

oval:org.secpod.oval:def:82123
Allow Windows Ink Workspace Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Ink Workspace\Allow Windows Ink Workspace (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsInkWorkspace!AllowWindowsInkWorkspace

oval:org.secpod.oval:def:82122
Allow suggested apps in Windows Ink Workspace Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Ink Workspace\Allow suggested apps in Windows Ink Workspace (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsInkWorkspace!AllowSuggestedAppsInWindo ...

oval:org.secpod.oval:def:82121
Allow search and Cortana to search cloud sources like OneDrive and SharePoint Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cloud Search (2) REG: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowCloudSearch

oval:org.secpod.oval:def:82120
Enable or disable Microsoft Defender Exploit Guard network protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet. Enabled: Specify the mode in the Options section: -Blo ...

oval:org.secpod.oval:def:82127
Enable this policy to specify when to receive quality updates. You can defer receiving quality updates for up to 30 days. To prevent quality updates from being received on their scheduled time, you can temporarily pause quality updates. The pause will remain in effect for 35 days or until you clea ...

oval:org.secpod.oval:def:82126
Enable this policy to specify when to receive Feature Updates. Defer Updates | This enables devices to defer taking the next Feature Update available to your channel for up to 14 days for all the pre-release channels and up to 365 days for the Semi-Annual Channel. Or, if the device is updating from ...

oval:org.secpod.oval:def:82125
Enable this policy to manage which updates you receive prior to the update being released to the world. Dev Channel Ideal for highly technical users. Insiders in the Dev Channel will receive builds from our active development branch that is earliest in a development cycle. These builds are not matc ...

oval:org.secpod.oval:def:82124
Prevent users from making changes to the Exploit protection settings area in Windows Security. Enabled: Local users cannot make changes in the Exploit protection settings area. Disabled: Local users are allowed to make changes in the Exploit protection settings area. Not configured: Same as D ...

oval:org.secpod.oval:def:90040
This policy setting specifies if the Domain Name System (DNS) client will perform name resolution over Network Basic Input-Output System (NetBIOS). NetBIOS is a legacy name resolution method for internal Microsoft networking that predates the use of DNS for that purpose (Pre-Active Directory). Some ...

oval:org.secpod.oval:def:90041
This security setting determines whether the domain controller bypasses secure RPC for Netlogon secure channel connections for specified machine accounts. When deployed, this policy should be applied to all domain controllers in a forest by enabling the policy on the domain controllers OU. When th ...

oval:org.secpod.oval:def:90042
This policy setting controls packet level privacy for Remote Procedure Call (RPC) incoming connections. Fix: (1) GPO: Computer Configuration\Policies\Administrative Templates\MS Security Guide\Configure RPC packet level privacy setting for incoming connections (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\Cu ...

oval:org.secpod.oval:def:90043
This setting determines whether the LDAP server (Domain Controller) enforces validation of Channel Binding Tokens (CBT) received in LDAP bind requests that are sent over SSL/TLS (i.e. LDAPS). For more information, see https://support.microsoft.com/help/4034879 . Some important points: * Before con ...

oval:org.secpod.oval:def:90026
This policy setting controls which protocol and protocol settings to use for outgoing Remote Procedure Call (RPC) connections to a remote print spooler. The recommended state for this setting is: Enabled: RPC over TCP Fix: (1) GPO: Computer Configuration\Policies\Administrative Templates\Printers\Conf ...

oval:org.secpod.oval:def:90027
This policy setting determines whether Redirection Guard is enabled for the print spooler. Redirection Guard can prevent file redirections from being used within the print spooler. The recommended state for this setting is: Enabled: Redirection Guard Enabled Fix: (1) GPO: Computer Configuration\Polici ...

oval:org.secpod.oval:def:90028
This policy setting controls which protocol and protocol settings to use for outgoing Remote Procedure Call (RPC) connections to a remote print spooler. The recommended state for this setting is: Enabled: Default Fix: (1) GPO: Computer Configuration\Policies\Administrative Templates\Printers\Configure ...

oval:org.secpod.oval:def:90037
This policy setting controls whether or not users can override the SHA256 security validation in the Windows Package Manager settings. Users should not have the ability to override SHA256 security validation. The recommended state for this setting is: Disabled. Fix: (1) GPO: Computer Configurati ...

oval:org.secpod.oval:def:90038
This policy setting controls whether users can install packages from a website that is using the ms-appinstaller protocol. The ms-appinstaller protocol allows users to install an application by clicking a link on a website. The recommended state for this setting is: Disabled. Fix: (1) GPO: Comput ...

oval:org.secpod.oval:def:90039
This policy setting controls whether users can push Apps to the device from the Microsoft Store App running on other devices or the web. In a high security managed environment, application installations should be managed centrally by IT staff, not by end users. The recommended state for this settin ...

oval:org.secpod.oval:def:90031
This policy setting controls which port is used for RPC over TCP for incoming connections to the print spooler and outgoing connections to remote print spoolers. The recommended state for this setting is: Enabled: 0. Fix: (1) GPO: Computer Configuration\Policies\Administrative Templates\Printers\Config ...

oval:org.secpod.oval:def:90032
This policy setting manages how queue-specific files are processed during printer installation. At printer installation time, a vendor-supplied installation application can specify a set of files, of any type, to be associated with a particular print queue. The files are downloaded to each client th ...

oval:org.secpod.oval:def:90035
This policy setting controls whether users have access to the Windows Package Manager. Windows Package Manager is a package manager solution that consists of a command line tool and set of services for installing applications on Microsoft Windows Server 2019 (or newer). The recommended state for thi ...

oval:org.secpod.oval:def:90036
This policy setting controls whether users have access to the Windows Package Manager. Windows Package Manager is a package manager solution that consists of a command line tool and set of services for installing applications on Microsoft Windows Server 2019 (or newer). The recommended state for thi ...

oval:org.secpod.oval:def:92676
Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. ...

oval:org.secpod.oval:def:97860
This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. ...

oval:org.secpod.oval:def:97861
The ability to set access permissions and auditing is critical to maintaining the security and proper access controls of a system. To support this, volumes must be formatted using a file system that supports NTFS attributes.

oval:org.secpod.oval:def:97862
The built-in administrator account must be renamed.

oval:org.secpod.oval:def:97864
This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB server to be forcibl ...

oval:org.secpod.oval:def:97863
Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The following list shows the supported values: 0 = HTTP only, no peering. 1 = HTTP blended with peering behind the same NAT. 2 = HTTP blended with peering across a private group. Peeri ...

oval:org.secpod.oval:def:61335
The host is missing an important security update 4524244.

oval:org.secpod.oval:def:51385
A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine. To exploit the vulnerability, an attacker could send a sp ...

oval:org.secpod.oval:def:51391
A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine. To exploit the vulnerability, an attacker could send a sp ...

oval:org.secpod.oval:def:51386
A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine. To exploit the vulnerability, an attacker could send a sp ...

oval:org.secpod.oval:def:54741
The host is missing an important security update for KB4494441

oval:org.secpod.oval:def:54702
An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it. To exploit the vulnerability, in a local attack scenario, an attacker could run a specially crafted application to ele ...

oval:org.secpod.oval:def:54707
An elevation of privilege vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully decode and replace authentication request using Kerberos, allowing an attacker to be validated as an Administrator. The update addresses this vulnerability by changing how the ...

oval:org.secpod.oval:def:54708
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit th ...

oval:org.secpod.oval:def:58489
An elevation of privilege vulnerability exists in Windows Audio Service when a malformed parameter is processed. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges when used in conjunction with another vulnerability. To exploit the vulnerability ...

oval:org.secpod.oval:def:61303
An elevation of privilege vulnerability exists when the Windows IME improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addre ...

oval:org.secpod.oval:def:61301
An elevation of privilege vulnerability exists when the Windows Wireless Network Manager improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The ...

oval:org.secpod.oval:def:61300
An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The s ...

oval:org.secpod.oval:def:61299
An elevation of privilege vulnerability exists in the way that the Windows Client License Service (ClipSVC) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker ...

oval:org.secpod.oval:def:61298
An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. To exploit this vulnerability, an attacker would first have to log on t ...

oval:org.secpod.oval:def:61297
An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. To exploit this vulnerability, an attacker would first have to log on t ...

oval:org.secpod.oval:def:61296
An elevation of privilege vulnerability exists in the way that the Windows Function Discovery Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could ...

oval:org.secpod.oval:def:61295
An elevation of privilege vulnerability exists in the way that the Windows Function Discovery Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could ...

oval:org.secpod.oval:def:61294
An elevation of privilege vulnerability exists in the way that the Windows Function Discovery Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could ...

oval:org.secpod.oval:def:61293
An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to lo ...

oval:org.secpod.oval:def:61225
A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view ...

oval:org.secpod.oval:def:61236
An information disclosure vulnerability exists when the Telephony Service improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a user's system. To exploit this vulnerability, an attacker would have to l ...

oval:org.secpod.oval:def:61234
An elevation of privilege vulnerability exists when Windows improperly handles COM object creation. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. To exploit this vulnerability, an attacker would first have to log on to the system. An attac ...

oval:org.secpod.oval:def:61333
A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability can bypass secure boot and load untrusted software. To exploit the vulnerability, an attacker could run a specially crafted application.

oval:org.secpod.oval:def:61920
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a user's system. There are multiple ways an attacker could exploit the ...

oval:org.secpod.oval:def:63119
A denial of service vulnerability exists when .NET Core or .NET Framework improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Core or .NET Framework web application. The vulnerability can be exploited remotely, wit ...

oval:org.secpod.oval:def:63255
The host is missing an important security update for KB4556441

CVE    27
CVE-2020-0678
CVE-2020-0679
CVE-2020-0689
CVE-2020-0685
...
*CPE
cpe:/o:microsoft:windows_server_2019
XCCDF    5
xccdf_org.secpod_benchmark_SecPod_Windows_2019
xccdf_org.secpod_benchmark_HIPAA_45CFR_164_Windows_Server_2019
xccdf_org.secpod_benchmark_general_Windows_2019
xccdf_org.secpod_benchmark_NIST_800_171_R2_Windows_2019
...

© SecPod Technologies