win2k8r2

CCE ID | CCE Description | CCE Parameters | CCE Technical Mechanisms

CCE-12007-1
The "6to4 Relay Name" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\6to4 Relay Name
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition

Microsoft Tool: Security Compliance Manager (SCM)
Microsoft Baseline: Windows Server 2008 R2
SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940

CCE-12009-7
The "6to4 Relay Name Resolution Interval" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\6to4 Relay Name Resolution Interval
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition

CCE-11356-3
The "6to4 State" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\6to4 State
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition

CCE-12287-9
The "ActiveX installation policy for sites in Trusted zones" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service\ActiveX installation policy for sites in Trusted zones
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AxInstaller\AxISURLZonePolicies

CCE-11699-6
The "Add Printer wizard - Network scan page (Managed network)" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Printers\Add Printer wizard - Network scan page (Managed network)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\Wizard

CCE-11325-8
The "Add Printer wizard - Network scan page (Unmanaged network)" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Printers\Add Printer wizard - Network scan page (Unmanaged network)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\Wizard

CCE-11456-1
The "Add the Administrators security group to roaming user profiles" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\User Profiles\Add the Administrators security group to roaming user profiles
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System

CCE-11163-3
The "Administratively assigned offline files" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Network\Offline Files\Administratively assigned offline files
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders

CCE-11762-2
The "All Removable Storage classes: Deny all access" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Removable Storage Access\All Removable Storage classes: Deny all access
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices

CCE-11585-7
The "All Removable Storage: Allow direct access in remote sessions" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Removable Storage Access\All Removable Storage: Allow direct access in remote sessions
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices

CCE-10982-7
The "Allow .rdp files from unknown publishers" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Allow .rdp files from unknown publishers
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

CCE-11350-6
The "Allow .rdp files from valid publishers and user's default .rdp settings" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Allow .rdp files from valid publishers and user's default .rdp settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

CCE-11465-2
The "Allow access to BitLocker-protected fixed data drives from earlier versions of Windows" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE

CCE-11636-8
The "Allow access to BitLocker-protected removable data drives from earlier versions of Windows" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Allow access to BitLocker-protected removable data drives from earlier versions of Windows
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE

CCE-10520-5
The "Allow admin to install from Remote Desktop Services session" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Allow admin to install from Remote Desktop Services session
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

CCE-10446-3
The "Allow administrators to override Device Installation Restriction policies" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions\Allow administrators to override Device Installation Restriction policies
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions

CCE-11674-9
The "Allow Applications to Prevent Automatic Sleep (On Battery)" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Allow Applications to Prevent Automatic Sleep (On Battery)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\A4B195F5-8225-47D8-8012-9D41369786E2

CCE-11835-6
The "Allow Applications to Prevent Automatic Sleep (Plugged In)" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Allow Applications to Prevent Automatic Sleep (Plugged In)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\A4B195F5-8225-47D8-8012-9D41369786E2

CCE-12885-0
The "Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Group Policy\Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System

CCE-11359-7
The "Allow audio and video playback redirection" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Allow audio and video playback redirection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

CCE-11228-4
The "Allow audio recording redirection" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Allow audio recording redirection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

CCE-11381-1
The "Allow automatic configuration of listeners" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Allow automatic configuration of listeners
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service

CCE-10584-1
The "Allow Automatic Sleep with Open Network Files (On Battery)" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Allow Automatic Sleep with Open Network Files (On Battery)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\d4c1d4c8-d5cc-43d3-b83e-fc51215cb04d

CCE-11514-7
The "Allow Automatic Sleep with Open Network Files (Plugged In)" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Allow Automatic Sleep with Open Network Files (Plugged In)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\d4c1d4c8-d5cc-43d3-b83e-fc51215cb04d

CCE-11537-8
The "Allow Automatic Updates immediate installation" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Allow Automatic Updates immediate installation
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

CCE-10454-7
Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Allow Basic authentication
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client

CCE-11131-0
Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Allow Basic authentication
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service

CCE-11216-9
The "Allow BITS Peercaching" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Network\Background Intelligent Transfer Service (BITS)\Allow BITS Peercaching
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS

CCE-11906-5
The "Allow certificates with no extended key usage certificate attribute" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Smart Card\Allow certificates with no extended key usage certificate attribute
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider

CCE-11539-4
The "Allow Corporate redirection of Customer Experience Improvement uploads" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Customer Experience Improvement Program\Allow Corporate redirection of Customer Experience Improvement uploads
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient

CCE-12032-9
Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Allow CredSSP authentication
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client

CCE-11306-8
Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Allow CredSSP authentication
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service

CCE-13723-2
The "Allow Cross-Forest User Policy and Roaming User Profiles" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Group Policy\Allow Cross-Forest User Policy and Roaming User Profiles
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System

CCE-11972-7
The "Allow cryptography algorithms compatible with Windows NT 4.0" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Net Logon\Allow cryptography algorithms compatible with Windows NT 4.0
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters

CCE-10397-8
The "Allow Delegating Default Credentials" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Credentials Delegation\Allow Delegating Default Credentials
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation

CCE-10648-4
The "Allow Delegating Default Credentials with NTLM-only Server Authentication" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Credentials Delegation\Allow Delegating Default Credentials with NTLM-only Server Authentication
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation

CCE-11223-5
The "Allow Delegating Fresh Credentials" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Credentials Delegation\Allow Delegating Fresh Credentials
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation

CCE-10968-6
The "Allow Delegating Fresh Credentials with NTLM-only Server Authentication" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Credentials Delegation\Allow Delegating Fresh Credentials with NTLM-only Server Authentication
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation

CCE-10440-6
The "Allow Delegating Saved Credentials" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Credentials Delegation\Allow Delegating Saved Credentials
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation

CCE-12094-9
The "Allow Delegating Saved Credentials with NTLM-only Server Authentication" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Credentials Delegation\Allow Delegating Saved Credentials with NTLM-only Server Authentication
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation

CCE-12042-8
The "Allow desktop composition for remote desktop sessions" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Allow desktop composition for remote desktop sessions
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

CCE-11379-5
The "Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Network\DNS Client\Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient

CCE-11188-0
The "Allow domain users to log on using biometrics" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Biometrics\Allow domain users to log on using biometrics
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider

CCE-11455-3
The "Allow ECC certificates to be used for logon and authentication" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Smart Card\Allow ECC certificates to be used for logon and authentication
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider

CCE-10612-0
The "Allow enhanced PINs for startup" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Allow enhanced PINs for startup
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE

CCE-10532-0
The "Allow Enhanced Storage certificate provisioning" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Enhanced Storage Access\Allow Enhanced Storage certificate provisioning
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EnhancedStorageDevices

CCE-10675-7
The "Allow installation of devices that match any of these device IDs" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions\Allow installation of devices that match any of these device IDs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions

CCE-11822-4
The "Allow installation of devices using drivers that match these device setup classes" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions\Allow installation of devices using drivers that match these device setup classes
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions

CCE-11250-8
The "Allow Integrated Unblock screen to be displayed at the time of logon" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Smart Card\Allow Integrated Unblock screen to be displayed at the time of logon
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider

CCE-11201-1
The "Allow local activation security check exemptions" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Distributed COM\Application Compatibility Settings\Allow local activation security check exemptions
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DCOM\AppCompat

CCE-11330-8
The "Allow logon scripts when NetBIOS or WINS is disabled" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Scripts\Allow logon scripts when NetBIOS or WINS is disabled
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

CCE-12004-8
The "Allow non-administrators to install drivers for these device setup classes" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Driver Installation\Allow non-administrators to install drivers for these device setup classes
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions

CCE-10383-8
The "Allow non-administrators to receive update notifications" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Allow non-administrators to receive update notifications
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

CCE-10946-2
The "Allow only system backup" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Backup\Server\Allow only system backup
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server

CCE-11081-7
The "Allow only USB root hub connected Enhanced Storage devices" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Enhanced Storage Access\Allow only USB root hub connected Enhanced Storage devices
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EnhancedStorageDevices

CCE-11249-0
The "Allow only Vista or later connections" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Remote Assistance\Allow only Vista or later connections
HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services

CCE-10947-0
The "Allow or Disallow use of the Offline Files feature" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Network\Offline Files\Allow or Disallow use of the Offline Files feature
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetCache

CCE-11912-3
The "Allow Print Spooler to accept client connections" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Printers\Allow Print Spooler to accept client connections
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers

CCE-11104-7
The "Allow printers to be published" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Printers\Allow printers to be published
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers

CCE-11704-4
The "Allow pruning of published printers" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Printers\Allow pruning of published printers
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers

CCE-11248-2
The "Allow remote access to the Plug and Play interface" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Device Installation\Allow remote access to the Plug and Play interface
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings

CCE-11860-4
The "Allow Remote Shell Access" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Remote Shell\Allow Remote Shell Access
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS

CCE-12066-7
The "Allow remote start of unlisted programs" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow remote start of unlisted programs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

CCE-11784-6
The "Allow restore of system to default state" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Recovery\Allow restore of system to default state
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE

CCE-11398-5
The "Allow signature keys valid for Logon" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Smart Card\Allow signature keys valid for Logon
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider

CCE-11428-0
The "Allow signed updates from an intranet Microsoft update service location" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Allow signed updates from an intranet Microsoft update service location
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

CCE-11837-2
The "Allow Standby States (S1-S3) When Sleeping (On Battery)" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Allow Standby States (S1-S3) When Sleeping (On Battery)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab

CCE-11714-3
The "Allow Standby States (S1-S3) When Sleeping (Plugged In)" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Allow Standby States (S1-S3) When Sleeping (Plugged In)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab

CCE-10854-8
The "Allow the Network Access Protection client to support the 802.1x Enforcement Client component" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Network Access Protection\Allow the Network Access Protection client to support the 802.1x Enforcement Client component
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\NetworkAccessProtection\ClientConfig\Qecs\79620

CCE-11545-1
The "Allow the use of biometrics" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Biometrics\Allow the use of biometrics
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics

CCE-11213-6
The "Allow time invalid certificates" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Smart Card\Allow time invalid certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider

CCE-11427-2
The "Allow time zone redirection" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Allow time zone redirection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

CCE-11954-5
Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Allow unencrypted traffic
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client

CCE-11290-4
Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Allow unencrypted traffic
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service

CCE-10713-6
The "Allow user name hint" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Smart Card\Allow user name hint
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider

CCE-11867-9
The "Allow users to connect remotely using Remote Desktop Services" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow users to connect remotely using Remote Desktop Services
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

CCE-10455-4
The "Allow users to log on using biometrics" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Biometrics\Allow users to log on using biometrics
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider

CCE-12401-6
The "Always install with elevated privileges" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Always install with elevated privileges
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

CCE-11299-5
The "Always prompt for password upon connection" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Always prompt for password upon connection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

CCE-11478-5
The "Always render print jobs on the server" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Printers\Always render print jobs on the server
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers

CCE-11015-5
The "Always show desktop on connection" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Always show desktop on connection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

CCE-11256-5
The "Always use classic logon" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Logon\Always use classic logon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

CCE-11499-1
The "Always use custom logon background" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Logon\Always use custom logon background
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System

CCE-12164-0
The "Always wait for the network at computer startup and logon" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon

CCE-11166-6
The "Apply policy to removable media" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Disk Quotas\Apply policy to removable media
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DiskQuota

CCE-11594-9
The "Apply the default user logon picture to all users" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Control Panel\User Accounts\Apply the default user logon picture to all users
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

CCE-11433-0
The "Approved Installation Sites for ActiveX Controls" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service\Approved Installation Sites for ActiveX Controls
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AxInstaller

CCE-11133-6
The "Assign a default domain for logon" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Logon\Assign a default domain for logon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

CCE-11511-3
The "Automated Site Coverage by the DC Locator DNS SRV Records" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Automated Site Coverage by the DC Locator DNS SRV Records
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters

CCE-11039-5
The "Automatic reconnection" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Automatic reconnection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

CCE-11761-4
The "Automatic Updates detection frequency" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Automatic Updates detection frequency
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

CCE-11237-5
The "Background upload of a roaming user profile's registry file while user is logged on" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\User Profiles\Background upload of a roaming user profile's registry file while user is logged on
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System

CCE-11890-1
Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Application\Backup log automatically when full
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application

CCE-11400-9
Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security\Backup log automatically when full
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security

CCE-11138-5
Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Setup\Backup log automatically when full
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup

CCE-12204-4
Computer Configuration\Administrative Templates\Windows Components\Event Log Service\System\Backup log automatically when full
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System

CCE-11345-6
The "Baseline file cache maximum size" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Baseline file cache maximum size
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

CCE-12036-0
Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\DSCP value of conforming packets\Best effort service type
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming

CCE-11663-2
Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\DSCP value of non-conforming packets\Best effort service type
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming

CCE-10975-1
Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\Layer-2 priority value\Best effort service type
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping

CCE-11092-4
The "Cache transforms in secure location on workstation" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Cache transforms in secure location on workstation
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

CCE-12092-3
The "CD and DVD: Deny execute access" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Removable Storage Access\CD and DVD: Deny execute access
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}

CCE-11847-1
The "CD and DVD: Deny read access" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Removable Storage Access\CD and DVD: Deny read access
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}

CCE-10724-3
The "CD and DVD: Deny write access" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Removable Storage Access\CD and DVD: Deny write access
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}

CCE-10771-4
The "Check for New Signatures Before Scheduled Scans" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Check for New Signatures Before Scheduled Scans
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan

CCE-11185-6
The "Check published state" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Printers\Check published state
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers

CCE-11423-1
The "Choose default folder for recovery password" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Choose default
folder for recovery password HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE CCE-11829-9hThe "Choose drive encryption method and cipher strength" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Choose drive encryption method and cipher strength HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE CCE-11273-0rThe "Choose how BitLocker-protected fixed drives can be recovered" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Choose how BitLocker-protected fixed drives can be recovered HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE CCE-12060-0}The "Choose how BitLocker-protected operating system drives can be recovered" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Choose how BitLocker-protected operating system drives can be recovered HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE CCE-11973-5vThe "Choose how BitLocker-protected removable drives can be recovered" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Choose how BitLocker-protected removable drives can be recovered HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE CCE-10583-3AThe "Communities" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\SNMP\Communities HKEY_LOCAL_MACHINE\Software\Policies\SNMP\Parameters\ValidCommunities CCE-11177-3GThe "Computer location" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Printers\Computer location HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers CCE-11242-5rThe "Configuration of wireless settings using Windows 
Connect Now" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars CCE-11287-0kThe "Configure Applications preference logging and tracing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Logging and tracing\Configure Applications preference logging and tracing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{F9C77450-3A41-477E-9310-9ACD617BD9E3} CCE-10749-0QThe "Configure Automatic Updates" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU CCE-10511-4OThe "Configure Background Sync" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\Offline Files\Configure Background Sync HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetCache CCE-11275-5]The "Configure BranchCache for network files" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\BranchCache\Configure BranchCache for network files HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetCache CCE-10483-6aThe "Configure Corporate Windows Error Reporting" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Advanced Error Reporting Settings\Configure Corporate Windows Error Reporting HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting CCE-10485-1`The "Configure Corrupted File Recovery Behavior" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Corrupted 
File Recovery\Configure Corrupted File Recovery Behavior HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{8519d925-541e-4a2b-8b1e-8059d16082f2} CCE-11321-7kThe "Configure Data Sources preference logging and tracing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Logging and tracing\Configure Data Sources preference logging and tracing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{728EE579-943C-4519-9EF7-AB56765798ED} CCE-11575-8OThe "Configure Default consent" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Consent\Configure Default consent HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent CCE-12057-6\The "Configure device installation time-out" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Device Installation\Configure device installation time-out HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings CCE-14026-9fThe "Configure Devices preference logging and tracing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Logging and tracing\Configure Devices preference logging and tracing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{1A6364EB-776B-4120-ADE1-B63A406A76B5} CCE-11527-9iThe "Configure Drive Maps preference logging and tracing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Logging and tracing\Configure Drive Maps preference logging and tracing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{5794DAFD-BE60-433f-88A2-1A31939AC01F} CCE-12910-6jThe "Configure Environment preference logging and tracing" machine setting should be configured correctly.Computer Configuration\Administrative 
Templates\System\Group Policy\Logging and tracing\Configure Environment preference logging and tracing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{0E28E245-9368-4853-AD84-6DA3BA35BB75} CCE-12822-3dThe "Configure Files preference logging and tracing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Logging and tracing\Configure Files preference logging and tracing HKEY_LOCA< L_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{7150F9BF-48AD-4da4-A49C-29EF4A8369BA} CCE-12974-2mThe "Configure Folder Options preference logging and tracing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Logging and tracing\Configure Folder Options preference logging and tracing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{A3F3E39B-5D83-4940-B954-28315B82F0A8} CCE-11935-4fThe "Configure Folders preference logging and tracing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Logging and tracing\Configure Folders preference logging and tracing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{6232C319-91AC-4931-9385-E70C2B099F0E} CCE-12948-6hThe "Configure Ini Files preference logging and tracing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Logging and tracing\Configure Ini Files preference logging and tracing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{74EE6C03-5363-4554-B161-627540339CAB} CCE-11522-0pThe "Configure Internet Settings preference logging and tracing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Logging and tracing\Configure Internet Settings preference logging and tracing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group 
Policy\{E47248BA-94CC-49c4-BBB5-9EB7F05183D0} CCE-11194-8^The "Configure keep-alive connection interval" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Configure keep-alive connection interval HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11418-1xThe "Configure list of Enhanced Storage devices usable on your computer" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Enhanced Storage Access\Configure list of Enhanced Storage devices usable on your computer HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EnhancedStorageDevices\ApprovedEnStorDevices CCE-10797-9oThe "Configure list of IEEE 1667 silos usable on your computer" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Enhanced Storage Access\Configure list of IEEE 1667 silos usable on your computer HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EnhancedStorageDevices\ApprovedSilos CCE-12051-9uThe "Configure Local Users and Groups preference logging and tracing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Logging and tracing\Configure Local Users and Groups preference logging and tracing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{17D89FEC-5C44-4972-B12D-241CAEF74509} CCE-11638-4ZThe "Configure Microsoft SpyNet Reporting" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Configure Microsoft SpyNet Reporting HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\SpyNet CCE-11332-4^The "Configure minimum PIN length for startup" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\BitLocker 
Drive Encryption\Operating System Drives\Configure minimum PIN length for startup HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE CCE-11305-0dThe "Configure MSI Corrupted File Recovery Behavior" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\MSI Corrupted File Recovery\Configure MSI Corrupted File Recovery Behavior HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{54077489-683b-4762-86c8-02cf87a33423} CCE-11144-3nThe "Configure Network Options preference logging and tracing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Logging and tracing\Configure Network Options preference logging and tracing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{3A0DBA37-F8B2-4356-83DE-3E90BD5C261F} CCE-13026-0mThe "Configure Network Shares preference logging and tracing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Logging and tracing\Configure Network Shares preference logging and tracing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{6A4C88C6-C502-4f74-8F60-2CB23EDC24E2} CCE-11881-0lThe "Configure Power Options preference logging and tracing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Logging and tracing\Configure Power Options preference logging and tracing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{E62688F0-25FD-4c90-BFF5-F508B9D2E31F} CCE-12806-6gThe "Configure Printers preference logging and tracing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Logging and tracing\Configure Printers preference logging and tracing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D} CCE-10563-5^The 
"Configure RD Connection Broker farm name" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker\Configure RD Connection Broker farm name HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11132-8`The "Configure RD Connection Broker server name" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker\Configure RD Connection Broker server name HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-12147-5oThe "Configure Regional Options preference logging and tracing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Logging and tracing\Configure Regional Options preference logging and tracing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{E5094040-C46C-4115-B030-04FB2E545B00} CCE-13691-1gThe "Configure Registry preference logging and tracing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Logging and tracing\Configure Registry preference logging and tracing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{B087BE9D-ED37-454f-AF9C-04291E351182} CCE-11971-9YThe "Configure Reliability WMI Providers" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Reliability Analysis\Configure Reliability WMI Providers HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Reliability Analysis\WMI CCE-11962-8NThe "Configure Report Archive" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Advanced Error Reporting Settings\Configure Report 
Archive HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting CCE-11861-2LThe "Configure Report Queue" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Advanced Error Reporting Settings\Configure Report Queue HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting CCE-11646-7YThe "Configure root certificate clean up" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Wi< ndows Components\Smart Card\Configure root certificate clean up HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CertProp CCE-12038-6Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Fault Tolerant Heap\Configure Scenario Execution Level HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{dc42ff48-e40d-4a60-8675-e71f7e64aa9a} CCE-11210-2Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Windows Boot Performance Diagnostics\Configure Scenario Execution Level HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{67144949-5132-4859-8036-a737b43825d8} CCE-11484-3Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Windows Memory Leak Diagnosis\Configure Scenario Execution Level HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{eb73b633-3f4e-4ba0-8f60-8f3c6f53168f} CCE-10616-1Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Windows Resource Exhaustion Detection and Resolution\Configure Scenario Execution Level HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{3af8b24a-c441-4fa4-8c5c-bed591bfa867} CCE-10626-0Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Windows Shutdown Performance Diagnostics\Configure Scenario Execution Level 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{2698178D-FDAD-40AE-9D3C-1371703ADC5B}

CCE-11054-4
Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Windows Standby/Resume Performance Diagnostics\Configure Scenario Execution Level
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{ffc42108-4920-4acf-a4fc-8abdcc68ada4}

CCE-11966-9
Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Windows System Responsiveness Performance Diagnostics\Configure Scenario Execution Level
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{a7a5847a-7511-4e4e-90b1-45ad2a002f51}

CCE-13753-9
The "Configure Scheduled Tasks preference logging and tracing" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Group Policy\Logging and tracing\Configure Scheduled Tasks preference logging and tracing
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{AADCED64-746C-4633-A97C-D61349046527}

CCE-11106-2
The "Configure Security Policy for Scripted Diagnostics" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Scripted Diagnostics\Configure Security Policy for Scripted Diagnostics
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics

CCE-11494-2
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Configure server authentication for client
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

CCE-12116-0
The "Configure Services preference logging and tracing" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Group Policy\Logging and tracing\Configure Services preference logging and tracing
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{91FBB303-0CD5-4055-BF42-E512A681B325}

CCE-14699-3
The "Configure Shortcuts preference logging and tracing" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Group Policy\Logging and tracing\Configure Shortcuts preference logging and tracing
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7}

CCE-12002-2
The "Configure slow-link mode" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Network\Offline Files\Configure slow-link mode
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetCache

CCE-12226-7
The "Configure Start Menu preference logging and tracing" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Group Policy\Logging and tracing\Configure Start Menu preference logging and tracing
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{E4F48E54-F38D-4884-BFB9-D4D2E5729C18}

CCE-10870-4
The "Configure the list of blocked TPM commands" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Trusted Platform Module Services\Configure the list of blocked TPM commands
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Tpm\BlockedCommands

CCE-10994-2
The "Configure the refresh interval for Server Manager" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Server Manager\Configure the refresh interval for Server Manager
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Server\ServerManager

CCE-11673-1
The "Configure the server address, refresh interval, and issuer certificate authority of a target Subscription Manager" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Event Forwarding\Configure the server address, refresh interval, and issuer certificate authority of a target Subscription Manager
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager

CCE-11809-1
The "Configure TPM platform validation profile" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Configure TPM platform validation profile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation

CCE-12237-4
The "Configure use of passwords for fixed data drives" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Configure use of passwords for fixed data drives
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE

CCE-10422-4
The "Configure use of passwords for removable data drives" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Configure use of passwords for removable data drives
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE

CCE-11239-1
The "Configure use of smart cards on fixed data drives" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Configure use of smart cards on fixed data drives
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE

CCE-12336-4
The "Configure use of smart cards on removable data drives" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Configure use of smart cards on removable data drives
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE

CCE-11856-2
The "Configure Windows NTP Client" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient

CCE-11328-2
The "Contact PDC on logon failure" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Net Logon\Contact PDC on logon failure
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters

CCE-11377-9
The "Control use of BitLocker on removable drives" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Control use of BitLocker on removable drives
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE

CCE-10558-5
Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\DSCP value of conforming packets\Controlled load service type
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming

CCE-11393-6
Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\DSCP value of non-conforming packets\Controlled load service type
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming

CCE-10315-0
Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\Layer-2 priority value\Controlled load service type
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping

CCE-11399-3
The "Corporate DNS Probe Host Address" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Network\Network Connectivity Status Indicator\Corporate DNS Probe Host Address
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity

CCE-10891-0
The "Corporate DNS Probe Host Name" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Network\Network Connectivity Status Indicator\Corporate DNS Probe Host Name
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity

CCE-11600-4
The "Corporate Site Prefix List" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Network\Network Connectivity Status Indicator\Corporate Site Prefix List
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity

CCE-12005-5
The "Corporate Website Probe URL" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Network\Network Connectivity Status Indicator\Corporate Website Probe URL
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity

CCE-11279-7
The "Critical Battery Notification Action" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Power Management\Notification Settings\Critical Battery Notification Action
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\637EA02F-BBCB-4015-8E2C-A1C7B9C0B546

CCE-11438-9
The "Critical Battery Notification Level" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Power Management\Notification Settings\Critical Battery Notification Level
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\9A66D8D7-4FF7-4EF9-B5A2-5A326CA2A469

CCE-11370-4
The "Custom Classes: Deny read access" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Removable Storage Access\Custom Classes: Deny read access
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Read

CCE-10718-5
The "Custom Classes: Deny write access" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Removable Storage Access\Custom Classes: Deny write access
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Write

CCE-11703-6
The "Customize consent settings" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Consent\Customize consent settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent

CCE-11554-3
The "Customize Warning Messages" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Remote Assistance\Customize Warning Messages
HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services

CCE-11083-3
The "DC Locator DNS records not registered by the DCs" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\DC Locator DNS records not registered by the DCs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters

CCE-11431-4
The "Default behavior for AutoRun" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\Default behavior for AutoRun
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

CCE-11601-2
The "Default quota limit and warning level" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Disk Quotas\Default quota limit and warning level
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DiskQuota

CCE-11718-4
The "Define Activation Security Check exemptions" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Distributed COM\Application Compatibility Settings\Define Activation Security Check exemptions
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DCOM\AppCompat

CCE-12137-6
The "Define host name-to-Kerberos realm mappings" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Kerberos\Define host name-to-Kerberos realm mappings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos

CCE-10868-8
The "Define interoperable Kerberos V5 realm settings" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Kerberos\Define interoperable Kerberos V5 realm settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos

CCE-11534-5
The "Delay Restart for scheduled installations" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Delay Restart for scheduled installations
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

CCE-11955-2
The "Delete cached copies of roaming profiles" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\User Profiles\Delete cached copies of roaming profiles
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System

CCE-10613-8
The "Delete data from devices running Microsoft firmware when a user logs off from the computer." machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows SideShow\Delete data from devices running Microsoft firmware when a user logs off from the computer.
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SideShow CCE-11349-8The "Delete user profiles older than a specified number of days on system restart" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\User Profiles\Delete user profiles older than a specified number of days on system restart HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System CCE-12399-2YThe "Deny Delegating Default Credentials" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Credentials Delegation\Deny Delegating Default Credentials HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation CCE-11281-3WThe "Deny Delegating Fresh Credentials" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Credentials Delegation\Deny Delegating Fresh Credentials HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation CCE-11231-8WThe "Deny Delegating Saved Credentials" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Credentials Delegation\Deny Delegating Saved Credentials HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation CCE-11615-2rThe "Deny write access to fixed drives not protected by BitLocker" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encr< yption\Fixed Data Drives\Deny write access to fixed drives not protected by BitLocker HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\FVE CCE-11142-7vThe "Deny write access to removable drives not protected by BitLocker" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Deny write access to removable drives not protected by BitLocker 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\FVE CCE-11234-2rThe "Detect application failures caused by deprecated COM objects" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics\Detect application failures caused by deprecated COM objects HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{88D69CE1-577A-4dd9-87AE-AD36D3CD9643} CCE-11688-9sThe "Detect application failures caused by deprecated Windows DLLs" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics\Detect application failures caused by deprecated Windows DLLs HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{659F08FB-2FAB-42a7-BD4F-566CFA528769} CCE-10784-7YThe "Detect application install failures" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics\Detect application install failures HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{acfd1ca6-18b6-4ccf-9c07-580cdb6eded4} CCE-10569-2xThe "Detect application installers that need to be run as administrator" machine setting should be configured correctly.!Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics\Detect application installers that need to be run as administrator HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{D113E4AA-2D07-41b1-8D9B-C065194A791D} CCE-11885-1oThe "Detect applications unable to launch installers under UAC" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics\Detect applications unable to launch installers under UAC 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{081D3213-48AA-4533-9284-D98F01BDC8E6} CCE-11241-7eThe "Diagnostics: Configure scenario execution level" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Diagnostics: Configure scenario execution level HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI CCE-11611-1_The "Diagnostics: Configure scenario retention" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Diagnostics: Configure scenario retention HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI CCE-12047-7PThe "Directory pruning interval" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Printers\Directory pruning interval HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers CCE-11129-4PThe "Directory pruning priority" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Printers\Directory pruning priority HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers CCE-10477-8MThe "Directory pruning retry" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Printers\Directory pruning retry HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers CCE-11705-1The "Disable binding directly to IPropertySetStorage without intermediate layers." machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Explorer\Disable binding directly to IPropertySetStorage without intermediate layers. 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer CCE-11824-0aThe "Disable delete notifications on all volumes" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Filesystem\Disable delete notifications on all volumes HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies CCE-10343-2nThe "Disable IE security prompt for Windows Installer scripts" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Disable IE security prompt for Windows Installer scripts HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer CCE-11621-0EThe "Disable Logging" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Disable Logging HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting CCE-11094-0ZThe "Disable logging via package settings" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Disable logging via package settings HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer CCE-12332-3jThe "Disable or enable software Secure Attention Sequence" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options\Disable or enable software Secure Attention Sequence HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System CCE-11547-7lThe "Disable password strength validation for Peer Grouping" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Disable password strength validation for Peer Grouping HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet CCE-11017-1TThe "Disable remote Desktop Sharing" machine setting should be configured 
correctly.Computer Configuration\Administrative Templates\Windows Components\NetMeeting\Disable remote Desktop Sharing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Conferencing CCE-12376-0MThe "Disable text prediction" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Tablet PC\Input Panel\Disable text prediction HKEY_LOCAL_MACHINE\software\policies\microsoft\TabletTip\1.7 CCE-11708-5UThe "Disable Windows Error Reporting" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Disable Windows Error Reporting HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting CCE-10972-8OThe "Disable Windows Installer" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Disable Windows Installer HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer CCE-10899-3^The "Disallow changing of geographic location" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Locale Services\Disallow changing of geographic location HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Control Panel\International CCE-12266-3TThe "Disallow Digest authentication" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Disallow Digest authentication HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client CCE-12168-1}The "Disallow Interactive Users from generating Resultant Set of Policy data" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Disallow Interactive Users from generating Resultant Set of Policy data HKEY_L< OCAL_MACHINE\Software\Policies\Microsoft\Windows\System CCE-11697-0Computer Configuration\Administrative 
Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Disallow Kerberos authentication HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client CCE-11149-2Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Disallow Kerberos authentication HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service CCE-11497-5hThe "Disallow locally attached storage as backup target" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Backup\Server\Disallow locally attached storage as backup target HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server CCE-11756-4Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Disallow Negotiate authentication HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client CCE-12295-2Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Disallow Negotiate authentication HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service CCE-11908-1WThe "Disallow network as backup target" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Backup\Server\Disallow network as backup target HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server CCE-11797-8]The "Disallow optical media as backup target" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Backup\Server\Disallow optical media as backup target HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server CCE-11681-4OThe "Disallow run-once backups" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Backup\Server\Disallow run-once backups 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server CCE-11327-4ZThe "Disallow selection of Custom Locales" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Locale Services\Disallow selection of Custom Locales HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Control Panel\International CCE-11420-7_The "Disallow user override of locale settings" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Locale Services\Disallow user override of locale settings HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Control Panel\International CCE-12166-5bThe "Disk Diagnostic: Configure custom alert text" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Disk Diagnostic\Disk Diagnostic: Configure custom alert text HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{29689E29-2CE9-4751-B4FC-8EFF5066E3FD} CCE-11922-2`The "Disk Diagnostic: Configure execution level" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Disk Diagnostic\Disk Diagnostic: Configure execution level HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{29689E29-2CE9-4751-B4FC-8EFF5066E3FD} CCE-12073-3RThe "Disk Quota policy processing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Disk Quota policy processing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{3610eda5-77ef-11d2-8dc5-00c04fa31a66} CCE-11125-2The "Display a custom message title when device installation is prevented by a policy setting" machine setting should be configured correctly.#Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions\Display a custom message title when device installation is prevented by a policy 
setting HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy CCE-12020-4The "Display a custom message when installation is prevented by a policy setting" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions\Display a custom message when installation is prevented by a policy setting HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy CCE-11410-8qThe "Display information about previous logons during user logon" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options\Display information about previous logons during user logon HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System CCE-11444-7TThe "Display Shutdown Event Tracker" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Display Shutdown Event Tracker HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Reliability CCE-11362-1_The "Display string when smart card is blocked" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Smart Card\Display string when smart card is blocked HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider CCE-11834-9LThe "DNS Suffix Search List" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\DNS Client\DNS Suffix Search List HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient CCE-11341-5The "Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not adjust default option to 'Install Updates and Shut Down' in Shut Down 
Windows dialog box HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU CCE-11785-3nThe "Do not allow adding new targets via manual configuration" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\iSCSI\iSCSI Target Discovery\Do not allow adding new targets via manual configuration HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\iSCSI CCE-10996-7\The "Do not allow additional session logins" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\iSCSI\General iSCSI\Do not allow additional session logins HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\iSCSI CCE-11127-8cThe "Do not allow changes to initiator CHAP secret" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\iSCSI\iSCSI Security\Do not allow changes to initiator CHAP secret HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\iSCSI CCE-11285-4`The "Do not allow changes to initiator iqn name" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\iSCSI\General iSCSI\Do not allow changes to initiator iqn name HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\iSCSI CCE-12056-8]The "Do not allow client printer redirection" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection\Do not allow client printer redirection HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11303-5XThe "Do not allow clipboard redirection" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow clipboard redirection HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Se< rvices 
CCE-11448-8PThe "Do not allow color changes" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Desktop Window Manager\Window Frame Coloring\Do not allow color changes HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DWM CCE-10600-5WThe "Do not allow COM port redirection" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow COM port redirection HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11425-6bThe "Do not allow compression on all NTFS volumes" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Filesystem\NTFS\Do not allow compression on all NTFS volumes HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies CCE-11277-1\The "Do not allow connections without IPSec" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\iSCSI\iSCSI Security\Do not allow connections without IPSec HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\iSCSI CCE-11352-2VThe "Do not allow desktop composition" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Desktop Window Manager\Do not allow desktop composition HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DWM CCE-11098-1XThe "Do not allow Digital Locker to run" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Digital Locker\Do not allow Digital Locker to run HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Digital Locker CCE-11709-3TThe "Do not allow drive redirection" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device 
and Resource Redirection\Do not allow drive redirection HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11284-7aThe "Do not allow encryption on all NTFS volumes" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Filesystem\NTFS\Do not allow encryption on all NTFS volumes HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies CCE-10353-1TThe "Do not allow Flip3D invocation" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Desktop Window Manager\Do not allow Flip3D invocation HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DWM CCE-11664-0QThe "Do not allow font smoothing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Do not allow font smoothing HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-12159-0pThe "Do not allow local administrators to customize permissions" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Do not allow local administrators to customize permissions HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11623-6WThe "Do not allow LPT port redirection" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow LPT port redirection HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-12170-7mThe "Do not allow manual configuration of discovered targets" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\iSCSI\iSCSI Target Discovery\Do not allow manual 
configuration of discovered targets HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\iSCSI CCE-11852-1gThe "Do not allow manual configuration of iSNS servers" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\iSCSI\iSCSI Target Discovery\Do not allow manual configuration of iSNS servers HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\iSCSI CCE-12045-1iThe "Do not allow manual configuration of target portals" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\iSCSI\iSCSI Target Discovery\Do not allow manual configuration of target portals HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\iSCSI CCE-11316-7iThe "Do not allow non-Enhanced Storage removable devices" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Enhanced Storage Access\Do not allow non-Enhanced Storage removable devices HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EnhancedStorageDevices CCE-12040-2vThe "Do not allow password authentication of Enhanced Storage devices" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Enhanced Storage Access\Do not allow password authentication of Enhanced Storage devices HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EnhancedStorageDevices CCE-11905-7XThe "Do not allow passwords to be saved" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Do not allow passwords to be saved HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11531-1bThe "Do not allow printing to Journal Note Writer" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Tablet PC\Accessories\Do not allow printing to Journal Note Writer 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TabletPC CCE-11232-6_The "Do not allow sessions without mutual CHAP" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\iSCSI\iSCSI Security\Do not allow sessions without mutual CHAP HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\iSCSI CCE-11486-8`The "Do not allow sessions without one way CHAP" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\iSCSI\iSCSI Security\Do not allow sessions without one way CHAP HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\iSCSI CCE-11517-0`The "Do not allow smart card device redirection" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow smart card device redirection HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11390-2WThe "Do not allow Snipping Tool to run" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Tablet PC\Accessories\Do not allow Snipping Tool to run HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TabletPC CCE-11387-8XThe "Do not allow Sound Recorder to run" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Sound Recorder\Do not allow Sound Recorder to run HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SoundRecorder CCE-11128-6mThe "Do not allow supported Plug and Play device redirection" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow supported Plug and Play device redirection HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11991-7nThe "Do not allow 
the BITS client to use Windows Branch Cache" machine setting sh< ould be configured correctly.Computer Configuration\Administrative Templates\Network\Background Intelligent Transfer Service (BITS)\Do not allow the BITS client to use Windows Branch Cache HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS CCE-11353-0sThe "Do not allow the computer to act as a BITS Peercaching client" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\Background Intelligent Transfer Service (BITS)\Do not allow the computer to act as a BITS Peercaching client HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS CCE-11870-3sThe "Do not allow the computer to act as a BITS Peercaching server" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\Background Intelligent Transfer Service (BITS)\Do not allow the computer to act as a BITS Peercaching server HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS CCE-10861-3TThe "Do not allow window animations" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Desktop Window Manager\Do not allow window animations HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DWM CCE-11342-3\The "Do not allow Windows Journal to be run" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Tablet PC\Accessories\Do not allow Windows Journal to be run HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TabletPC CCE-12192-1^The "Do not allow Windows Media Center to run" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Media Center\Do not allow Windows Media Center to run HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaCenter CCE-10872-0^The "Do not allow Windows Messenger to be run" machine setting should be configured correctly.Computer 
Configuration\Administrative Templates\Windows Components\Windows Messenger\Do not allow Windows Messenger to be run HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client CCE-11794-5sThe "Do not automatically encrypt files moved to encrypted folders" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Do not automatically encrypt files moved to encrypted folders HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer CCE-10773-0lThe "Do not automatically start Windows Messenger initially" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Messenger\Do not automatically start Windows Messenger initially HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client CCE-11172-4pThe "Do not check for user ownership of Roaming Profile Folders" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\User Profiles\Do not check for user ownership of Roaming Profile Folders HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System CCE-12046-9YThe "Do not delete temp folder upon exit" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary folders\Do not delete temp folder upon exit HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11898-4\The "Do not detect slow network connections" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\User Profiles\Do not detect slow network connections HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System CCE-10819-1~The "Do not display Initial Configuration Tasks window automatically at logon" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Server Manager\Do not display Initial 
Configuration Tasks window automatically at logon HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Server\InitialConfigurationTasks CCE-10299-6The "Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU CCE-11872-9eThe "Do not display Manage Your Server page at logon" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Do not display Manage Your Server page at logon HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\CurrentVersion\MYS CCE-11282-1jThe "Do not display Server Manager automatically at logon" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Server Manager\Do not display Server Manager automatically at logon HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Server\ServerManager CCE-11603-8pThe "Do not forcefully unload the users registry at user logoff" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\User Profiles\Do not forcefully unload the users registry at user logoff HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System CCE-10837-3aThe "Do not log users on with temporary profiles" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\User Profiles\Do not log users on with temporary profiles HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System CCE-10320-0The "Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Do 
not process incoming mailslot messages used for domain controller location based on NetBIOS domain names HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters CCE-11245-8XThe "Do not process the legacy run list" machine setting should be configured correctly.sComputer Configuration\Administrative Templates\System\Logon\Do not process the legacy run list HKEY_LOCAL_MACHINE\ CCE-11992-5VThe "Do not process the run once list" machine setting should be configured correctly.qComputer Configuration\Administrative Templates\System\Logon\Do not process the run once list HKEY_LOCAL_MACHINE\ CCE-12274-7The "Do not send a Windows error report when a generic driver is installed on a device" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Device Installation\Do not send a Windows error report when a generic driver is installed on a device HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings CCE-11584-0QThe "Do not send additional data" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Do not send additional data HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting CCE-10572-6zThe "Do not set default client printer to be default printer in a session" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection\Do not set default client printer to be default printer in a session HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11596-4XThe "Do Not Show First Use Dialog Boxes" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Do Not Show First Use Dialog Boxes HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer CCE-10355-6fThe 
"Do not show the "local access only" network icon" machine setting should be configured correctly.Computer Configurati< on\Administrative Templates\Network\Network Connections\Do not show the "local access only" network icon HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections CCE-10806-8The "Do not turn off system power after a Windows system shutdown has occurred." machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Do not turn off system power after a Windows system shutdown has occurred. HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT CCE-11178-1The "Do not use Remote Desktop Session Host server IP address when virtual IP address is not available" machine setting should be configured correctly.QComputer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Do not use Remote Desktop Session Host server IP address when virtual IP address is not available HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\TSAppSrv\VirtualIP CCE-10669-0^The "Do not use temporary folders per session" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary folders\Do not use temporary folders per session HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11849-7]The "Domain Controller Address Type Returned" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Domain Controller Address Type Returned HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters CCE-10842-3WThe "Domain Location Determination URL" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\Network Connectivity Status Indicator\Domain Location 
Determination URL HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity CCE-11913-1[The "Don't set the always do this checkbox" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\Don't set the always do this checkbox HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer CCE-11217-7UThe "Download missing COM components" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Download missing COM components HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\App Management CCE-11318-3hThe "Dynamic Registration of the DC Locator DNS Records" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Dynamic Registration of the DC Locator DNS Records HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters CCE-11209-4DThe "Dynamic Update" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\DNS Client\Dynamic Update HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient CCE-11058-5TThe "EFS recovery policy processing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\EFS recovery policy processing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} CCE-11917-2RThe "Enable client-side targeting" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Update\Enable client-side targeting HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate CCE-11198-9HThe "Enable disk quotas" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Disk Quotas\Enable disk quotas 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DiskQuota CCE-10568-4UThe "Enable NTFS pagefile encryption" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Filesystem\NTFS\Enable NTFS pagefile encryption HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies CCE-11261-5RThe "Enable Persistent Time Stamp" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Enable Persistent Time Stamp HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Reliability CCE-11369-6PThe "Enable Transparent Caching" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\Offline Files\Enable Transparent Caching HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetCache CCE-10906-6WThe "Enable user control over installs" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Enable user control over installs HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer CCE-10866-2eThe "Enable user to browse for source while elevated" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Enable user to browse for source while elevated HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer CCE-10965-2\The "Enable user to patch elevated products" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Enable user to patch elevated products HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer CCE-11844-8dThe "Enable user to use media source while elevated" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Enable user to use media source while elevated 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer CCE-11057-7OThe "Enable Windows NTP Client" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Enable Windows NTP Client HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient CCE-11873-7OThe "Enable Windows NTP Server" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Enable Windows NTP Server HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\W32Time\TimeProviders\NtpServer CCE-11889-3NThe "Enable/Disable PerfTrack" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Windows Performance PerfTrack\Enable/Disable PerfTrack HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} CCE-11088-2The "Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Update\Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU CCE-10894-4UThe "Encrypt the Offline Files cache" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\Offline Files\Encrypt the Offline Files cache HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetCache CCE-11593-1NThe "Enforce disk quota limit" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Disk Quotas\Enforce disk quota limit HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DiskQuota CCE-12058-4aThe "Enforce Removal of Remote Desktop Wallpaper" machine setting should be 
configured correctly. Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Enforce Removal of Remote Desktop Wallpaper HKEY_LOCAL_< MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11434-8UThe "Enforce upgrade component rules" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Enforce upgrade component rules HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer CCE-11450-4cThe "Enumerate administrator accounts on elevation" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Credential User Interface\Enumerate administrator accounts on elevation HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI CCE-11746-5HThe "Events.asp program" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Event Viewer\Events.asp program HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EventViewer CCE-11152-6`The "Events.asp program command line parameters" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Event Viewer\Events.asp program command line parameters HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EventViewer CCE-11964-4DThe "Events.asp URL" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Event Viewer\Events.asp URL HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EventViewer CCE-11460-3RThe "Exclude credential providers" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Logon\Exclude credential providers HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System CCE-11137-7UThe "Exclude files from being cached" machine setting should be 
configured correctly.Computer Configuration\Administrative Templates\Network\Offline Files\Exclude files from being cached HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetCache CCE-10864-7aThe "Execute print drivers in isolated processes" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Printers\Execute print drivers in isolated processes HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers CCE-10624-5UThe "Expected dial-up delay on logon" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Net Logon\Expected dial-up delay on logon HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters CCE-11976-8pThe "Extend Point and Print connection to search Windows Update" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Printers\Extend Point and Print connection to search Windows Update HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers CCE-11075-9YThe "Filter duplicate logon certificates" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Smart Card\Filter duplicate logon certificates HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider CCE-10973-6mThe "Final DC Discovery Retry Setting for Background Callers" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Net Logon\Final DC Discovery Retry Setting for Background Callers HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters CCE-12010-5XThe "Floppy Drives: Deny execute access" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Removable Storage Access\Floppy Drives: Deny execute access HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b} CCE-11411-6UThe "Floppy 
Drives: Deny read access" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Removable Storage Access\Floppy Drives: Deny read access HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b} CCE-12142-6VThe "Floppy Drives: Deny write access" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Removable Storage Access\Floppy Drives: Deny write access HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b} CCE-12115-2ZThe "Folder Redirection policy processing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Folder Redirection policy processing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{25537BA6-77A8-11D2-9B6C-0000F8080861} CCE-11643-4kThe "For tablet pen input, don t show the Input Panel icon" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Tablet PC\Input Panel\For tablet pen input, don t show the Input Panel icon HKEY_LOCAL_MACHINE\software\policies\microsoft\TabletTip\1.7 CCE-11322-5fThe "For touch input, don t show the Input Panel icon" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Tablet PC\Input Panel\For touch input, don t show the Input Panel icon HKEY_LOCAL_MACHINE\software\policies\microsoft\TabletTip\1.7 CCE-11821-6PThe "Force Rediscovery Interval" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Force Rediscovery Interval HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters CCE-11180-7yThe "Force selected system UI language to overwrite the user UI language" machine setting should be configured correctly.Computer 
Configuration\Administrative Templates\Control Panel\Regional and Language Options\Force selected system UI language to overwrite the user UI language HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings CCE-11297-9oThe "Force the reading of all certificates from the smart card" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Smart Card\Force the reading of all certificates from the smart card HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider CCE-11402-5LThe "ForwarderResourceUsage" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Event Forwarding\ForwarderResourceUsage HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\EventForwarding CCE-11543-6SThe "Global Configuration Settings" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Windows Time Service\Global Configuration Settings HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\W32Time\Config CCE-11995-8aThe "Group Policy refresh interval for computers" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Group Policy refresh interval for computers HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System CCE-11520-4jThe "Group Policy refresh interval for domain controllers" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Group Policy refresh interval for domain controllers HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Sy< stem CCE-12121-0VThe "Group Policy slow link detection" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Group Policy slow link detection HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System CCE-10863-9Computer Configuration\Administrative 
Templates\Network\QoS Packet Scheduler\DSCP value of conforming packets\Guaranteed service type HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming CCE-11634-3Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\DSCP value of non-conforming packets\Guaranteed service type HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming CCE-11269-8Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\Layer-2 priority value\Guaranteed service type HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping CCE-11440-5VThe "Hash Publication for BranchCache" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\Lanman Server\Hash Publication for BranchCache HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LanmanServer CCE-11848-9_The "Hide entry points for Fast User Switching" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Logon\Hide entry points for Fast User Switching HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System CCE-11401-7The "Hide notifications about RD Licensing problems that affect the RD Session Host server" machine setting should be configured correctly."Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing\Hide notifications about RD Licensing problems that affect the RD Session Host server HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11778-8aThe "Hide previous versions list for local files" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Explorer\Previous Versions\Hide previous versions list for local files HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PreviousVersions CCE-10846-4bThe "Hide previous 
versions list for remote files" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Explorer\Previous Versions\Hide previous versions list for remote files HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PreviousVersions CCE-12067-5hThe "Hide previous versions of files on backup location" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Explorer\Previous Versions\Hide previous versions of files on backup location HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PreviousVersions CCE-12120-2TThe "Ignore custom consent settings" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Consent\Ignore custom consent settings HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent CCE-10660-9OThe "Ignore Delegation Failure" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Remote Procedure Call\Ignore Delegation Failure HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc CCE-11998-2eThe "Ignore the default list of blocked TPM commands" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Trusted Platform Module Services\Ignore the default list of blocked TPM commands HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\TPM\BlockedCommands CCE-11491-8cThe "Ignore the local list of blocked TPM commands" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Trusted Platform Module Services\Ignore the local list of blocked TPM commands HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\TPM\BlockedCommands CCE-11008-0mThe "Include rarely used Chinese, Kanji, or Hanja characters" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows 
Components\Tablet PC\Input Panel\Include rarely used Chinese, Kanji, or Hanja characters HKEY_LOCAL_MACHINE\software\policies\microsoft\TabletTip\1.7 CCE-10703-7oThe "Initial DC Discovery Retry Setting for Background Callers" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Net Logon\Initial DC Discovery Retry Setting for Background Callers HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters CCE-12085-7eThe "Internet Explorer Maintenance policy processing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Internet Explorer Maintenance policy processing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B} CCE-11110-4SThe "IP Security policy processing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\IP Security policy processing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{e437bc1c-aa7d-11d2-a382-00c04f991e27} CCE-10832-4DThe "IP-HTTPS State" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\IP-HTTPS State HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface CCE-10712-8HThe "ISATAP Router Name" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\ISATAP Router Name HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition CCE-11141-9BThe "ISATAP State" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\ISATAP State HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition CCE-12215-0OThe "Join RD Connection Broker" machine setting 
should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker\Join RD Connection Broker HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11344-9yThe "Leave Windows Installer and Group Policy Software Installation Data" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\User Profiles\Leave Windows Installer and Group Policy Software Installation Data HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System CCE-11656-6SThe "License server security group" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Licensing\License server security group HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services CCE-11473-6RThe "Limit audio playback quality" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Limit audio playback quality HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11266-4\The "Limit disk space used by offline files" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\Offline Files\Limit disk space used by offline files HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetCache CCE-11464-5OThe "Limit maximum color depth" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Se< ssion Host\Remote Session Environment\Limit maximum color depth HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11769-7VThe "Limit maximum display resolution" machine setting should be configured correctly.Computer 
Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Limit maximum display resolution HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11147-6VThe "Limit maximum number of monitors" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Limit maximum number of monitors HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11047-8QThe "Limit number of connections" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-12043-6OThe "Limit outstanding packets" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\Limit outstanding packets HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Psched CCE-11864-6PThe "Limit reservable bandwidth" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\Limit reservable bandwidth HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Psched CCE-11726-7bThe "Limit the age of files in the BITS Peercache" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\Background Intelligent Transfer Service (BITS)\Limit the age of files in the BITS Peercache HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS CCE-11710-1SThe "Limit the BITS Peercache size" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\Background Intelligent Transfer Service (BITS)\Limit the BITS Peercache size 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS CCE-12104-6^The "Limit the maximum BITS job download time" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\Background Intelligent Transfer Service (BITS)\Limit the maximum BITS job download time HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS CCE-11752-3nThe "Limit the maximum network bandwidth used for Peercaching" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\Background Intelligent Transfer Service (BITS)\Limit the maximum network bandwidth used for Peercaching HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS CCE-11570-9iThe "Limit the maximum number of BITS jobs for each user" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\Background Intelligent Transfer Service (BITS)\Limit the maximum number of BITS jobs for each user HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS CCE-11407-4mThe "Limit the maximum number of BITS jobs for this computer" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\Background Intelligent Transfer Service (BITS)\Limit the maximum number of BITS jobs for this computer HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS CCE-11707-7mThe "Limit the maximum number of files allowed in a BITS job" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\Background Intelligent Transfer Service (BITS)\Limit the maximum number of files allowed in a BITS job HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS CCE-10702-9The "Limit the maximum number of ranges that can be added to the file in a BITS job" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\Background Intelligent Transfer Service (BITS)\Limit the maximum number of 
ranges that can be added to the file in a BITS job HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS CCE-11445-4mThe "Limit the size of the entire roaming user profile cache" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles\Limit the size of the entire roaming user profile cache HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11900-8YThe "List of applications to be excluded" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Advanced Error Reporting Settings\List of applications to be excluded HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting\ExcludedApplications CCE-11988-3uThe "Location of the DCs hosting a domain with single label DNS name" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Location of the DCs hosting a domain with single label DNS name HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters CCE-11314-2gThe "Lock Enhanced Storage when the computer is locked" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Enhanced Storage Access\Lock Enhanced Storage when the computer is locked HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EnhancedStorageDevices CCE-11219-3Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Application\Log Access HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application CCE-11690-5Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security\Log Access HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security CCE-10679-9Computer Configuration\Administrative Templates\Windows Components\Event Log 
Service\Setup\Log Access HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup CCE-11712-7Computer Configuration\Administrative Templates\Windows Components\Event Log Service\System\Log Access HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System CCE-12246-5XThe "Log directory pruning retry events" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Printers\Log directory pruning retry events HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers CCE-11581-6YThe "Log event when quota limit exceeded" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Disk Quotas\Log event when quota limit exceeded HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DiskQuota CCE-11394-4aThe "Log event when quota warning level exceeded" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Disk Quotas\Log event when quota warning level exceeded HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DiskQuota CCE-10639-3QThe "Log File Debug Output Level" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Net Logon\Log File Debug Output Level HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters CCE-11883-6Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Application\Log File Path HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application CCE-10421-6Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security\Log File Path HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security CCE-12180-6Computer Configuration\Administrative Templates\Windows Com< ponents\Event Log Service\Setup\Log File Path HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup CCE-11441-3Computer Configuration\Administrative Templates\Windows 
Components\Event Log Service\System\Log File Path HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System CCE-12018-8=The "Logging" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Logging HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer CCE-11469-4UThe "Low Battery Notification Action" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Power Management\Notification Settings\Low Battery Notification Action HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\d8742dcb-3e6a-4b3c-b3fe-374623cdcf06 CCE-11930-5TThe "Low Battery Notification Level" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Power Management\Notification Settings\Low Battery Notification Level HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\8183ba9a-e910-48da-8769-14ae6dc1170a CCE-11620-2nThe "Make Parental Controls control panel visible on a Domain" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Parental Controls\Make Parental Controls control panel visible on a Domain HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ParentalControls CCE-11009-8HThe "MaxConcurrentUsers" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Remote Shell\MaxConcurrentUsers HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS CCE-11105-4xThe "Maximum DC Discovery Retry Interval Setting for Background Callers" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Net Logon\Maximum DC Discovery Retry Interval Setting for Background Callers HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters CCE-11115-3KThe "Maximum Log File Size" machine 
setting should be configured correctly. Computer Configuration\Administrative Templates\System\Net Logon\Maximum Log File Size HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters
CCE-11143-5 Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Application\Maximum Log Size (KB) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application
CCE-11033-8 Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security\Maximum Log Size (KB) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security
CCE-11717-6 Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Setup\Maximum Log Size (KB) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup
CCE-11174-0 Computer Configuration\Administrative Templates\Windows Components\Event Log Service\System\Maximum Log Size (KB) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System
CCE-11840-6 The "Maximum wait time for Group Policy scripts" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Scripts\Maximum wait time for Group Policy scripts HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
CCE-12127-7 The "Microsoft Support Diagnostic Tool: Configure execution level" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Microsoft Support Diagnostic Tool: Configure execution level HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{C295FBBA-FD47-46ac-8BEE-B1715EC634E5}
CCE-11167-4 The "Microsoft Support Diagnostic Tool: Restrict tool download" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Microsoft Support Diagnostic Tool: Restrict tool download
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{C295FBBA-FD47-46ac-8BEE-B1715EC634E5}
CCE-10855-5 The "Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with Support Provider" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with Support Provider HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy
CCE-11800-0 The "Minimum Idle Connection Timeout for RPC/HTTP connections" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Remote Procedure Call\Minimum Idle Connection Timeout for RPC/HTTP connections HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
CCE-10474-5 The "Negative DC Discovery Cache Setting" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Net Logon\Negative DC Discovery Cache Setting HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters
CCE-11413-2 The "Netlogon share compatibility" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Net Logon\Netlogon share compatibility HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters
CCE-11573-3 Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\DSCP value of conforming packets\Network control service type HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming
CCE-12248-1 Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\DSCP value of non-conforming packets\Network control service type HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming
CCE-11947-9 Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\Layer-2
priority value\Network control service type HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping
CCE-11000-7 The "Network Projector Port Setting" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Network Projector\Network Projector Port Setting HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\NetworkProjector
CCE-11453-8 The "No auto-restart with logged on users for scheduled automatic updates installations" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Update\No auto-restart with logged on users for scheduled automatic updates installations HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
CCE-11857-0 The "Non-conforming packets" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\Layer-2 priority value\Non-conforming packets HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping
CCE-11518-8 The "Notify blocked drivers" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics\Notify blocked drivers HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{affc81e2-612a-4f70-6fb2-916ff5c7e3f8}
CCE-11408-2 The "Notify user of successful smart card driver installation" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Smart Card\Notify user of successful smart card driver installation HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScPnP
CCE-11625-1 The "Offer Remote Assistance" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Remote Assistance\Offer Remote Assistance HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services
CCE-11262-3 The "Only allow local user profiles" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\User Profiles\Only allow local user profiles HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
CCE-10910-8 The "Only use Package Point and print" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Printers\Only use Package Point and print HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint
CCE-11313-4 The "Optimize visual experience for Remote Desktop Services sessions" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Optimize visual experience for Remote Desktop Services sessions HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
CCE-11758-0 The "Override print driver execution compatibility setting reported by print driver" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Printers\Override print driver execution compatibility setting reported by print driver HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers
CCE-11365-4 The "Override the More Gadgets link" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Desktop Gadgets\Override the More Gadgets link HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar
CCE-11863-8 The "Package Point and print - Approved servers" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Printers\Package Point and print - Approved servers HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint
CCE-10945-4 The "Permitted Managers" machine setting should be configured correctly. Computer
Configuration\Administrative Templates\Network\SNMP\Permitted Managers HKEY_LOCAL_MACHINE\Software\Policies\SNMP\Parameters\PermittedManagers
CCE-11925-5 The "Point and Print Restrictions" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Printers\Point and Print Restrictions HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
CCE-11799-4 The "Positive Periodic DC Cache Refresh for Background Callers" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Net Logon\Positive Periodic DC Cache Refresh for Background Callers HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters
CCE-11005-6 The "Positive Periodic DC Cache Refresh for Non-Background Callers" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Net Logon\Positive Periodic DC Cache Refresh for Non-Background Callers HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters
CCE-11487-6 The "Pre-populate printer search location text" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Printers\Pre-populate printer search location text HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers
CCE-11274-8 The "Prevent access to 16-bit applications" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Application Compatibility\Prevent access to 16-bit applications HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat
CCE-11298-7 The "Prevent Automatic Updates" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Prevent Automatic Updates HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer
CCE-10776-3 The "Prevent Back-ESC mapping" machine setting should be configured correctly. Computer
Configuration\Administrative Templates\Windows Components\Tablet PC\Hardware Buttons\Prevent Back-ESC mapping HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TabletPC
CCE-10665-8 The "Prevent backing up to local disks" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Backup\Client\Prevent backing up to local disks HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client
CCE-10508-0 The "Prevent backing up to network location" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Backup\Client\Prevent backing up to network location HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client
CCE-11412-4 The "Prevent backing up to optical media (CD/DVD)" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Backup\Client\Prevent backing up to optical media (CD/DVD) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client
CCE-10546-0 The "Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Device Installation\Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings
CCE-11598-0 The "Prevent Desktop Shortcut Creation" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Prevent Desktop Shortcut Creation HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer
CCE-11589-9 The "Prevent device metadata retrieval from the Internet" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Device Installation\Prevent device
metadata retrieval from the Internet HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata
CCE-11941-2 The "Prevent display of the user interface for critical errors" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Prevent display of the user interface for critical errors HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting
CCE-11665-7 The "Prevent flicks" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Tablet PC\Pen UX Behaviors\Prevent flicks HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TabletPC
CCE-11488-4 The "Prevent Flicks Learning Mode" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Tablet PC\Pen Flicks Learning\Prevent Flicks Learning Mode HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TabletPC
CCE-11080-9 The "Prevent Input Panel tab from appearing" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Tablet PC\Input Panel\Prevent Input Panel tab from appearing HKEY_LOCAL_MACHINE\software\policies\microsoft\TabletTip\1.7
CCE-11591-5 The "Prevent installation of devices not described by other policy settings" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of devices not described by other policy settings HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions
CCE-11764-8 The "Prevent installation of devices that match any of these device IDs" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of devices that match any of these device IDs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions
CCE-10478-6 The "Prevent installation of devices using drivers that match these device setup classes" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of devices using drivers that match these device setup classes HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions
CCE-11662-4 The "Prevent installation of removable devices" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of removable devices HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions
CCE-11286-2 The "Prevent launch an application" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Tablet PC\Hardware Buttons\Prevent launch an application HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TabletPC
CCE-11392-8 The "Prevent license upgrade" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Licensing\Prevent license upgrade HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services
CCE-11090-8 The "Prevent Media Sharing" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Prevent Media Sharing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer
CCE-11928-9 The "Prevent memory overwrite on restart" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Prevent memory overwrite on restart HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE
CCE-11378-7 The "Prevent plaintext PINs
from being returned by Credential Manager" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Smart Card\Prevent plaintext PINs from being returned by Credential Manager HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider
CCE-11983-4 The "Prevent press and hold" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Tablet PC\Hardware Buttons\Prevent press and hold HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TabletPC
CCE-12108-7 The "Prevent Quick Launch Toolbar Shortcut Creation" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Prevent Quick Launch Toolbar Shortcut Creation HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer
CCE-11026-2 The "Prevent restoring local previous versions" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Explorer\Previous Versions\Prevent restoring local previous versions HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PreviousVersions
CCE-11323-3 The "Prevent restoring previous versions from backups" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Explorer\Previous Versions\Prevent restoring previous versions from backups HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PreviousVersions
CCE-10908-2 The "Prevent restoring remote previous versions" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Explorer\Previous Versions\Prevent restoring remote previous versions HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PreviousVersions
CCE-10384-6 The "Prevent Roaming Profile changes from propagating to the server" machine setting should be configured correctly. Computer
Configuration\Administrative Templates\System\User Profiles\Prevent Roaming Profile changes from propagating to the server HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
CCE-10691-4 The "Prevent the computer from joining a homegroup" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\HomeGroup\Prevent the computer from joining a homegroup HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HomeGroup
CCE-11765-5 The "Prevent Video Smoothing" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Prevent Video Smoothing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer
CCE-10544-5 The "Prevent Windows Anytime Upgrade from running." machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Anytime Upgrade\Prevent Windows Anytime Upgrade from running. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\WAU
CCE-11336-5 The "Prevent Windows from sending an error report when a device driver requests additional software during installation" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Device Installation\Prevent Windows from sending an error report when a device driver requests additional software during installation HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings
CCE-11052-8 The "Prevent Windows Media DRM Internet Access" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Media Digital Rights Management\Prevent Windows Media DRM Internet Access HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WMDRM
CCE-11475-1 The "Primary DNS Suffix" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Network\DNS Client\Primary DNS Suffix HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
CCE-10931-4 The "Primary DNS Suffix Devolution" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Network\DNS Client\Primary DNS Suffix Devolution HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient
CCE-11157-5 The "Primary DNS Suffix Devolution Level" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Network\DNS Client\Primary DNS Suffix Devolution Level HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient
CCE-11383-7 The "Printer browsing" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Printers\Printer browsing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers
CCE-10951-2 The "Prioritize all digitally signed drivers equally during the driver ranking and selection process" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Device Installation\Prioritize all digitally signed drivers equally during the driver ranking and selection process HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings
CCE-11072-6 The "Priority Set in the DC Locator DNS SRV Records" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Priority Set in the DC Locator DNS SRV Records HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters
CCE-11155-9 The "Prohibit Access of the Windows Connect Now wizards" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Network\Windows Connect Now\Prohibit Access of the Windows Connect Now wizards HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI
CCE-11599-8 The "Prohibit Flyweight Patching" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Prohibit Flyweight Patching HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
CCE-12074-1 The "Prohibit installation and configuration of Network Bridge on your DNS domain network" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit installation and configuration of Network Bridge on your DNS domain network HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections
CCE-12011-3 The "Prohibit installing or uninstalling color profiles" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Color System\Prohibit installing or uninstalling color profiles HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsColorSystem
CCE-11468-6 The "Prohibit non-administrators from applying vendor signed updates" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Prohibit non-administrators from applying vendor signed updates HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
CCE-11118-7 The "Prohibit patching" machine setting should be
configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Prohibit patching HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
CCE-11498-3 The "Prohibit removal of updates" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Prohibit removal of updates HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
CCE-10670-8 The "Prohibit rollback" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Prohibit rollback HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
CCE-11077-5 The "Prohibit Use of Restart Manager" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Prohibit Use of Restart Manager HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
CCE-11711-9 The "Prompt for credentials on the client computer" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Prompt for credentials on the client computer HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
CCE-11122-9 The "Prompt user when a slow network connection is detected" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\User Profiles\Prompt user when a slow network connection is detected HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
CCE-11338-1 The "Propagation of extended error information" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Remote Procedure Call\Propagation of extended error information HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
CCE-11564-2 The "Provide information about previous logons
to client computers" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\KDC\Provide information about previous logons to client computers HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters
CCE-11258-1 The "Provide the unique identifiers for your organization" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Provide the unique identifiers for your organization HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE
CCE-12150-9 The "Prune printers that are not automatically republished" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Printers\Prune printers that are not automatically republished HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers
CCE-11698-8 Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\DSCP value of conforming packets\Qualitative service type HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming
CCE-11192-2 Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\DSCP value of non-conforming packets\Qualitative service type HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming
CCE-11479-3 Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\Layer-2 priority value\Qualitative service type HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping
CCE-10977-7 The "Redirect only the default client printer" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection\Redirect only the default client printer HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
CCE-12083-2 The "Reduce Display Brightness
(On Battery)" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Power Management\Video and Display Settings\Reduce Display Brightness (On Battery) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\17aaa29b-8b43-4b94-aafe-35f64daaf1ee
CCE-11199-7 The "Reduce Display Brightness (Plugged In)" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Power Management\Video and Display Settings\Reduce Display Brightness (Plugged In) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\17aaa29b-8b43-4b94-aafe-35f64daaf1ee
CCE-11053-6 The "Refresh Interval of the DC Locator DNS Records" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Refresh Interval of the DC Locator DNS Records HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters
CCE-10579-1 The "Register DNS records with connection-specific DNS suffix" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Network\DNS Client\Register DNS records with connection-specific DNS suffix HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient
CCE-11063-5 The "Register PTR Records" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Network\DNS Client\Register PTR Records HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient
CCE-11086-6 The "Registration Refresh Interval" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Network\DNS Client\Registration Refresh Interval HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient
CCE-12754-8 The "Registry policy processing" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Group Policy\Registry policy processing
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
CCE-11773-9 The "Removable Disks: Deny execute access" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny execute access HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
CCE-12029-5 The "Removable Disks: Deny read access" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny read access HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
CCE-10469-5 The "Removable Disks: Deny write access" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny write access HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
CCE-11997-4 The "Remove "Disconnect" option from Shut Down dialog" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Remove "Disconnect" option from Shut Down dialog HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
CCE-11911-5 The "Remove browse dialog box for new source" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Remove browse dialog box for new source HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
CCE-12200-2 The "Remove 'Make Available Offline'" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Network\Offline Files\Remove 'Make Available Offline'
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetCache
CCE-11182-3 The "Remove Program Compatibility Property Page" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Application Compatibility\Remove Program Compatibility Property Page HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat
CCE-12585-6 The "Remove users ability to invoke machine policy refresh" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Group Policy\Remove users ability to invoke machine policy refresh HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
CCE-11421-5 The "Remove Windows Security item from Start menu" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Remove Windows Security item from Start menu HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
CCE-12260-6 The "Report when logon server was not available during user logon" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options\Report when logon server was not available during user logon HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
CCE-11308-4 The "Re-prompt for restart with scheduled installations" machine setting should be configured correctly. Computer Configuration\Administrative Templates\Windows Components\Windows Update\Re-prompt for restart with scheduled installations HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
CCE-12088-1 The "Require a Password When a Computer Wakes (On Battery)" machine setting should be configured correctly. Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Require a Password When a Computer Wakes (On Battery)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
CCE-11651-7 | The "Require a Password When a Computer Wakes (Plugged In)" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Require a Password When a Computer Wakes (Plugged In) | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
CCE-10791-2 | The "Require a PIN to access data on devices running Microsoft firmware" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Windows SideShow\Require a PIN to access data on devices running Microsoft firmware | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SideShow
CCE-11933-9 | The "Require additional authentication at startup" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE
CCE-11610-3 | The "Require domain users to elevate when setting a network's location" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Network\Network Connections\Require domain users to elevate when setting a network's location | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections
CCE-11368-8 | The "Require secure RPC communication" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require secure RPC communication | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
CCE-11919-8 | The "Require strict KDC validation" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Kerberos\Require strict KDC
validation | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
CCE-12131-9 | The "Require strict target SPN match on remote procedure calls" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Kerberos\Require strict target SPN match on remote procedure calls | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
CCE-12070-9 | The "Require trusted path for credential entry." machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Credential User Interface\Require trusted path for credential entry. | HKEY_LOCAL_MACHINE\
CCE-11295-3 | The "Require use of specific security layer for remote (RDP) connections" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require use of specific security layer for remote (RDP) connections | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
CCE-10338-2 | The "Require user authentication for remote connections by using Network Level Authentication" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
CCE-11923-0 | The "Reschedule Automatic Updates scheduled installations" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Windows Update\Reschedule Automatic Updates scheduled installations | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
CCE-11985-9 | The "Reserve Battery Notification Level" machine setting should be configured correctly. | Computer
Configuration\Administrative Templates\System\Power Management\Notification Settings\Reserve Battery Notification Level | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\F3C5027D-CD16-4930-AA6B-90DB844A8F00
CCE-11439-7 | The "Restrict Internet communication" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Internet Communication Management\Restrict Internet communication | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\InternetManagement
CCE-11307-6 | The "Restrict potentially unsafe HTML Help functions to specified folders" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Restrict potentially unsafe HTML Help functions to specified folders | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
CCE-12016-2 | The "Restrict Remote Desktop Services users to a single Remote Desktop Services session" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Restrict Remote Desktop Services users to a single Remote Desktop Services session | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
CCE-11432-2 | The "Restrict system locales" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Locale Services\Restrict system locales | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Control Panel\International
CCE-12090-7 | The "Restrict these programs from being launched from Help" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Restrict these programs from being launched from Help | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
CCE-10610-4 | The "Restrict unpacking and installation of gadgets that are not digitally signed."
machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Desktop Gadgets\Restrict unpacking and installation of gadgets that are not digitally signed. | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar
CCE-11380-3 | The "Restrict user locales" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Locale Services\Restrict user locales | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Control Panel\International
CCE-10881-1 | The "Restrictions for Unauthenticated RPC clients" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Remote Procedure Call\Restrictions for Unauthenticated RPC clients | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
CCE-11540-2 | The "Restricts the UI language Windows uses for all logged users" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Restricts the UI language Windows uses for all logged users | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings
CCE-10918-1 | Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Application\Retain old events | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application
CCE-10663-3 | Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security\Retain old events | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security
CCE-10309-3 | Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Setup\Retain old events | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup
CCE-11055-1 | Computer Configuration\Administrative Templates\Windows Components\Event Log Service\System\Retain old events | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System
CCE-12001-4 | The "Reverse the subject
name stored in a certificate when displaying" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Smart Card\Reverse the subject name stored in a certificate when displaying | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider
CCE-11300-1 | The "Route all traffic through the internal network" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Network\Network Connections\Route all traffic through the internal network | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition
CCE-10715-1 | The "RPC Endpoint Mapper Client Authentication" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Remote Procedure Call\RPC Endpoint Mapper Client Authentication | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
CCE-11641-8 | The "RPC Troubleshooting State Information" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Remote Procedure Call\RPC Troubleshooting State Information | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
CCE-10963-7 | The "Run logon scripts synchronously" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Scripts\Run logon scripts synchronously | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
CCE-11301-9 | The "Run shutdown scripts visible" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Scripts\Run shutdown scripts visible | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
CCE-11437-1 | The "Run startup scripts asynchronously" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Scripts\Run startup scripts asynchronously
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
CCE-10719-3 | The "Run startup scripts visible" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Scripts\Run startup scripts visible | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
CCE-11114-6 | The "Run these programs at user logon" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
CCE-11612-9 | The "Run Windows PowerShell scripts first at computer startup, shutdown" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Scripts\Run Windows PowerShell scripts first at computer startup, shutdown | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
CCE-10301-0 | The "Run Windows PowerShell scripts first at user logon, logoff" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Scripts\Run Windows PowerShell scripts first at user logon, logoff | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
CCE-11389-4 | The "Scavenge Interval" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Net Logon\Scavenge Interval | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters
CCE-12661-5 | The "Scripts policy processing" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Group Policy\Scripts policy processing | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}
CCE-14153-1 | The "Security policy processing" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Group Policy\Security policy processing
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
CCE-11529-5 | The "Select an Active Power Plan" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Power Management\Select an Active Power Plan | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings
CCE-11944-6 | The "Select the Lid Switch Action (On Battery)" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Power Management\Button Settings\Select the Lid Switch Action (On Battery) | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\5CA83367-6E45-459F-A27B-476B1D01C936
CCE-12232-5 | The "Select the Lid Switch Action (Plugged In)" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Power Management\Button Settings\Select the Lid Switch Action (Plugged In) | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\5CA83367-6E45-459F-A27B-476B1D01C936
CCE-10987-6 | The "Select the network adapter to be used for Remote Desktop IP Virtualization" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Select the network adapter to be used for Remote Desktop IP Virtualization | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\TSAppSrv\VirtualIP
CCE-11251-6 | The "Select the Power Button Action (On Battery)" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Power Management\Button Settings\Select the Power Button Action (On Battery) | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\7648EFA3-DD9C-4E3E-B566-50F929386280
CCE-10662-5 | The "Select the Power Button Action (Plugged In)" machine setting should be configured correctly. | Computer Configuration\Administrative
Templates\System\Power Management\Button Settings\Select the Power Button Action (Plugged In) | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\7648EFA3-DD9C-4E3E-B566-50F929386280
CCE-11832-3 | The "Select the Sleep Button Action (On Battery)" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Power Management\Button Settings\Select the Sleep Button Action (On Battery) | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\96996BC0-AD50-47EC-923B-6F41874DD9EB
CCE-10555-1 | The "Select the Sleep Button Action (Plugged In)" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Power Management\Button Settings\Select the Sleep Button Action (Plugged In) | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\96996BC0-AD50-47EC-923B-6F41874DD9EB
CCE-10682-3 | The "Selectively allow the evaluation of a symbolic link" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Filesystem\Selectively allow the evaluation of a symbolic link | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Filesystems\NTFS
CCE-11833-1 | The "Server Authentication Certificate Template" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Server Authentication Certificate Template | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
CCE-10766-4 | The "Set a support web page link" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Windows Explorer\Set a support web page link | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
CCE-11977-6 | The "Set BranchCache Distributed Cache mode" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Network\BranchCache\Set
BranchCache Distributed Cache mode | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\CooperativeCaching
CCE-11436-3 | The "Set BranchCache Hosted Cache mode" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Network\BranchCache\Set BranchCache Hosted Cache mode | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\HostedCache\Connection
CCE-11677-2 | The "Set client connection encryption level" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Set client connection encryption level | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
CCE-10815-9 | The "Set compression algorithm for RDP data" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Set compression algorithm for RDP data | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
CCE-11556-8 | The "Set maximum wait time for the network if a user has a roaming user profile or remote home directory" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\User Profiles\Set maximum wait time for the network if a user has a roaming user profile or remote home directory | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
CCE-11296-1 | The "Set path for Remote Desktop Services Roaming User Profile" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles\Set path for Remote Desktop Services Roaming User Profile | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
CCE-11417-3 | The "Set percentage of disk space used for client computer cache" machine setting should be configured
correctly. | Computer Configuration\Administrative Templates\Network\BranchCache\Set percentage of disk space used for client computer cache | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\CacheMgr\Republication
CCE-11742-4 | The "Set PNRP cloud to resolve only" machine setting should be configured correctly for IPv6 Global. | Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Global Clouds\Set PNRP cloud to resolve only | HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet\Pnrp\IPv6-Global
CCE-11524-6 | The "Set PNRP cloud to resolve only" machine setting should be configured correctly for IPv6 Link Local. | Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Link-Local Clouds\Set PNRP cloud to resolve only | HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet\Pnrp\IPv6-LinkLocal
CCE-11463-7 | The "Set PNRP cloud to resolve only" machine setting should be configured correctly for IPv6 Site Local. | Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Site-Local Clouds\Set PNRP cloud to resolve only | HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet\Pnrp\IPv6-SiteLocal
CCE-11366-2 | The "Set Remote Desktop Services User Home Directory" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles\Set Remote Desktop Services User Home Directory | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
CCE-11689-7 | The "Set roaming profile path for all users logging onto this computer" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\User Profiles\Set roaming profile path for all users logging onto this computer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
CCE-11693-9 | The "Set rules for remote control of Remote Desktop Services user sessions" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Set rules for remote control of Remote Desktop Services user sessions | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
CCE-11724-2 | The "Set the Email IDs to which notifications are to be sent" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Windows System Resource Manager\Set the Email IDs to which notifications are to be sent | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\WSRM
CCE-11384-5 | The "Set the interval between synchronization retries for Password Synchronization" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Password Synchronization\Set the interval between synchronization retries for Password Synchronization | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PswdSync
CCE-12273-9 | The "Set the map update interval for NIS subordinate servers" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Server for NIS\Set the map update interval for NIS subordinate servers | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Server for NIS
CCE-11716-8 | The "Set the number of synchronization retries for servers running Password Synchronization" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Password Synchronization\Set the number of synchronization retries for servers running Password Synchronization | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PswdSync
CCE-10893-6 | The "Set the Remote Desktop licensing mode" machine setting
should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing\Set the Remote Desktop licensing mode | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
CCE-11627-7 | The "Set the Seed Server" machine setting should be configured correctly for IPv6 Global. | Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Global Clouds\Set the Seed Server | HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet\Pnrp\IPv6-Global
CCE-10585-8 | The "Set the Seed Server" machine setting should be configured correctly for IPv6 Link Local. | Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Link-Local Clouds\Set the Seed Server | HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet\Pnrp\IPv6-LinkLocal
CCE-11560-0 | The "Set the Seed Server" machine setting should be configured correctly for IPv6 Site Local. | Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Site-Local Clouds\Set the Seed Server | HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet\Pnrp\IPv6-SiteLocal
CCE-11260-7 | The "Set the SMTP Server used to send notifications" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Windows System Resource Manager\Set the SMTP Server used to send notifications | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\WSRM
CCE-10876-1 | The "Set the Time interval in minutes for logging accounting data" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Windows System Resource Manager\Set the Time interval in minutes for logging accounting data | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\WSRM
CCE-11506-3 | The "Set time limit for active but idle Remote Desktop Services sessions" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for active but idle Remote Desktop Services sessions | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
CCE-11326-6 | The "Set time limit for active Remote Desktop Services sessions" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for active Remote Desktop Services sessions | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
CCE-11117-9 | The "Set time limit for disconnected sessions" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for disconnected sessions | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
CCE-12003-0 | The "Set time limit for logoff of RemoteApp sessions" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for logoff of RemoteApp sessions | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
CCE-11012-2 | The "Set timer resolution" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\Set timer resolution | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Psched
CCE-11500-6 | The "Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers" machine setting should be configured correctly. | Computer
Configuration\Administrative Templates\Network\Background Intelligent Transfer Service (BITS)\Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS\Throttling
CCE-11181-5 | The "Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Network\Background Intelligent Transfer Service (BITS)\Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS\Throttling
CCE-10907-4 | The "Sets how often a DFS Client discovers DC's" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Network\Sets how often a DFS Client discovers DC's | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DFSClient
CCE-12312-5 | The "Short name creation options" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Filesystem\NTFS\Short name creation options | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies
CCE-11371-2 | The "Site Name" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Net Logon\Site Name | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters
CCE-10920-7 | The "Sites Covered by the Application Directory Partition Locator DNS SRV Records" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Sites Covered by the Application Directory Partition Locator DNS SRV Records | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters
CCE-12086-5 | The "Sites Covered by the DC Locator DNS SRV Records" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS
Records\Sites Covered by the DC Locator DNS SRV Records | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters
CCE-11208-6 | The "Sites Covered by the GC Locator DNS SRV Records" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Sites Covered by the GC Locator DNS SRV Records | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters
CCE-11942-0 | The "Slow network connection timeout for user profiles" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\User Profiles\Slow network connection timeout for user profiles | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
CCE-13580-6 | The "Software Installation policy processing" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Group Policy\Software Installation policy processing | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{c6dc5466-785a-11d2-84d0-00c04fb169f7}
CCE-11723-4 | The "Solicited Remote Assistance" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Remote Assistance\Solicited Remote Assistance | HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services
CCE-10505-6 | The "Specify a Custom Active Power Plan" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Power Management\Specify a Custom Active Power Plan | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings
CCE-11324-1 | The "Specify a default color" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Desktop Window Manager\Window Frame Coloring\Specify a default color | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DWM
CCE-11875-2 | The "Specify channel binding token hardening level" machine setting should be configured
correctly. | Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Specify channel binding token hardening level | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service
CCE-11945-3 | The "Specify idle Timeout" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Windows Remote Shell\Specify idle Timeout | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS
CCE-10416-6 | The "Specify intranet Microsoft update service location" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify intranet Microsoft update service location | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
CCE-10374-7 | The "Specify maximum amount of memory in MB per Shell" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Windows Remote Shell\Specify maximum amount of memory in MB per Shell | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS
CCE-11614-5 | The "Specify maximum number of processes per Shell" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Windows Remote Shell\Specify maximum number of processes per Shell | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS
CCE-10964-5 | The "Specify maximum number of remote shells per user" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Windows Remote Shell\Specify maximum number of remote shells per user | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS
CCE-11787-9 | The "Specify search order for device driver source locations" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Device
Installation\Specify search order for device driver source locations | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching
CCE-11470-2 | The "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Specify SHA1 thumbprints of certificates representing trusted .rdp publishers | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
CCE-11339-9 | The "Specify Shell Timeout" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\Windows Components\Windows Remote Shell\Specify Shell Timeout | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS
CCE-12044-4 | The "Specify the Display Dim Brightness (On Battery)" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Power Management\Video and Display Settings\Specify the Display Dim Brightness (On Battery) | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\f1fbfde2-a960-4165-9f88-50667911ce96
CCE-11271-4 | The "Specify the Display Dim Brightness (Plugged In)" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Power Management\Video and Display Settings\Specify the Display Dim Brightness (Plugged In) | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\f1fbfde2-a960-4165-9f88-50667911ce96
CCE-11798-6 | The "Specify the System Hibernate Timeout (On Battery)" machine setting should be configured correctly. | Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Specify the System Hibernate Timeout (On Battery) | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\9D7815A6-7EE4-497E-8888-515A05F02364
CCE-11932-1 | The "Specify the System Hibernate Timeout (Plugged In)" machine setting
should be configured correctly.Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Specify the System Hibernate Timeout (Plugged In) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\9D7815A6-7EE4-497E-8888-515A05F02364 CCE-11605-3cThe "Specify the System Sleep Timeout (On Battery)" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Specify the System Sleep Timeout (On Battery) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\29F6C1DB-86DA-48C5-9FDB-F2B67B1F44DA CCE-11608-7cThe "Specify the System Sleep Timeout (Plugged In)" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Specify the System Sleep Timeout (Plugged In) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\29F6C1DB-86DA-48C5-9FDB-F2B67B1F44DA CCE-11658-2gThe "Specify the Unattended Sleep Timeout (On Battery)" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Specify the Unattended Sleep Timeout (On Battery) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\7bc4a2f9-d8fc-4469-b07b-33eb785aaca0 CCE-10757-3gThe "Specify the Unattended Sleep Timeout (Plugged In)" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Specify the Unattended Sleep Timeout (Plugged In) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\7bc4a2f9-d8fc-4469-b07b-33eb785aaca0 CCE-11190-6`The "Specify Windows installation file location" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Specify Windows installation file location HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Setup CCE-11415-7mThe "Specify Windows Service Pack 
installation file location" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Specify Windows Service Pack installation file location HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Setup CCE-11076-7LThe "SSL Cipher Suite Order" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\SSL Configuration Settings\SSL Cipher Suite Order HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 CCE-10827-4SThe "Start a program on connection" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Start a program on connection HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-12994-0YThe "Startup policy processing wait time" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Startup policy processing wait time HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System CCE-12269-7eThe "Switch to the Simplified Chinese (PRC) gestures" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Tablet PC\Input Panel\Switch to the Simplified Chinese (PRC) gestures HKEY_LOCAL_MACHINE\software\policies\microsoft\TabletTip\1< .7 CCE-10914-0PThe "Sysvol share compatibility" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Net Logon\Sysvol share compatibility HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters CCE-11669-9|The "Tag Windows Customer Experience Improvement data with Study Identifier" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Customer Experience Improvement Program\Tag Windows Customer Experience 
Improvement data with Study Identifier HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows CCE-12345-5VThe "Tape Drives: Deny execute access" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Removable Storage Access\Tape Drives: Deny execute access HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} CCE-10942-1SThe "Tape Drives: Deny read access" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Removable Storage Access\Tape Drives: Deny read access HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} CCE-10717-7TThe "Tape Drives: Deny write access" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Removable Storage Access\Tape Drives: Deny write access HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} CCE-12099-8HThe "Teredo Client Port" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\Teredo Client Port HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition CCE-11737-4NThe "Teredo Default Qualified" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\Teredo Default Qualified HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition CCE-11759-8IThe "Teredo Refresh Rate" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\Teredo Refresh Rate HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition CCE-11770-5HThe "Teredo Server Name" machine setting should be configured 
correctly.Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\Teredo Server Name HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition CCE-11865-3BThe "Teredo State" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\Teredo State HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition CCE-11159-1dThe "Terminate session when time limits are reached" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Terminate session when time limits are reached HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11732-5WThe "Time (in seconds) to force reboot" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Removable Storage Access\Time (in seconds) to force reboot HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices CCE-10358-0The "Time (in seconds) to force reboot when required for policy changes to take effect" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions\Time (in seconds) to force reboot when required for policy changes to take effect HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions CCE-10928-0\The "Timeout for fast user switching events" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Biometrics\Timeout for fast user switching events HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider CCE-10468-7eThe "Timeout for hung logon sessions during shutdown" machine setting should be configured correctly.Computer 
Configuration\Administrative Templates\Windows Components\Shutdown Options\Timeout for hung logon sessions during shutdown HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System CCE-10831-6PThe "Traps for public community" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\SNMP\Traps for public community HKEY_LOCAL_MACHINE\Software\Policies\SNMP\Parameters\TrapConfiguration\public CCE-11253-2|The "Troubleshooting: Allow users to access and run Troubleshooting Wizards" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Scripted Diagnostics\Troubleshooting: Allow users to access and run Troubleshooting Wizards HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics CCE-11161-7The "Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS)" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Scripted Diagnostics\Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy CCE-11013-0CThe "Trusted Hosts" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Trusted Hosts HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client CCE-11542-8KThe "Try Next Closest Site" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Try Next Closest Site 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters CCE-11343-1VThe "TTL Set in the A and PTR records" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\DNS Client\TTL Set in the A and PTR records HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient CCE-12105-3[The "TTL Set in the DC Locator DNS Records" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\TTL Set in the DC Locator DNS Records HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters CCE-10565-0wThe "Turn off "Found New Hardware" balloons during device installation" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Device Installation\Turn off "Found New Hardware" balloons during device installation HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings CCE-11310-0dThe "Turn off access to all Windows Update features" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off access to all Windows Update features HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate CCE-11639-2oThe "Turn off access to the OEM and Microsoft branding section" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Performance Control Panel\Turn off access to the OEM and Microsoft branding < section HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Control Panel\Performance Control Panel CCE-11795-2lThe "Turn off access to the performance center core section" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Performance Control Panel\Turn off access to the performance center core section 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Control Panel\Performance Control Panel CCE-12078-2vThe "Turn off access to the solutions to performance problems section" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Performance Control Panel\Turn off access to the solutions to performance problems section HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Control Panel\Performance Control Panel CCE-11609-5JThe "Turn off Active Help" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Online Assistance\Turn off Active Help HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Assistance\Client\1.0 CCE-11451-2dThe "Turn Off Adaptive Display Timeout (On Battery)" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Power Management\Video and Display Settings\Turn Off Adaptive Display Timeout (On Battery) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\90959D22-D6A1-49B9-AF93-BCE885AD335B CCE-11145-0dThe "Turn Off Adaptive Display Timeout (Plugged In)" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Power Management\Video and Display Settings\Turn Off Adaptive Display Timeout (Plugged In) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\90959D22-D6A1-49B9-AF93-BCE885AD335B CCE-11337-3_The "Turn off Application Compatibility Engine" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Application Compatibility\Turn off Application Compatibility Engine HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat CCE-11002-3TThe "Turn off Application Telemetry" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Application Compatibility\Turn off Application Telemetry 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat CCE-10627-8hThe "Turn off AutoComplete integration with Input Panel" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Tablet PC\Input Panel\Turn off AutoComplete integration with Input Panel HKEY_LOCAL_MACHINE\software\policies\microsoft\TabletTip\1.7 CCE-12123-6QThe "Turn off automatic learning" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Tablet PC\Handwriting personalization\Turn off automatic learning HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization CCE-11264-9aThe "Turn off Automatic Root Certificates Update" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Automatic Root Certificates Update HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot CCE-10823-3The "Turn off automatic termination of applications that block or cancel shutdown" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Shutdown Options\Turn off automatic termination of applications that block or cancel shutdown HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System CCE-11419-9MThe "Turn off automatic wake" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows SideShow\Turn off automatic wake HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SideShow CCE-11126-0GThe "Turn off Autoplay" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\Turn off Autoplay HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer CCE-11375-3^The "Turn off Autoplay for non-volume devices" machine setting should be configured 
correctly.Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\Turn off Autoplay for non-volume devices HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer CCE-14437-8aThe "Turn off background refresh of Group Policy" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Turn off background refresh of Group Policy HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System CCE-11416-5\The "Turn Off Boot and Resume Optimizations" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Disk NV Cache\Turn Off Boot and Resume Optimizations HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NvCache CCE-11990-9OThe "Turn Off Cache Power Mode" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Disk NV Cache\Turn Off Cache Power Mode HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NvCache CCE-11168-2LThe "Turn off Configuration" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\System Restore\Turn off Configuration HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore CCE-11372-0]The "Turn off Connect to a Network Projector" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Network Projector\Turn off Connect to a Network Projector HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\NetworkProjector CCE-10895-1eThe "Turn off creation of System Restore Checkpoints" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Turn off creation of System Restore Checkpoints HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer CCE-12161-6eThe "Turn off Data Execution Prevention for Explorer" machine setting should be configured 
correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Explorer\Turn off Data Execution Prevention for Explorer HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer CCE-11317-5qThe "Turn off Data Execution Prevention for HTML Help Executible" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Turn off Data Execution Prevention for HTML Help Executible HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System CCE-10801-9NThe "Turn off desktop gadgets" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Desktop Gadgets\Turn off desktop gadgets HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar CCE-11739-0^The "Turn off downloading of game information" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Game Explorer\Turn off downloading of game information HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\GameUX CCE-11563-4eThe "Turn off downloading of print drivers over HTTP" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off downloading of print drivers over HTTP HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers CCE-10693-0^The "Turn off Event Viewer "Events.asp" links" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Event Viewer "Events.asp" links HKEY_LOCAL_MACHINE\Sof< tware\Policies\Microsoft\EventViewer CCE-11203-7XThe "Turn off Fair Share CPU Scheduling" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Turn off 
Fair Share CPU Scheduling HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SessionManager\DFSS CCE-11292-0QThe "Turn off Federation Service" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Active Directory Federation Services\Turn off Federation Service HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\ADFS CCE-11807-5KThe "Turn off game updates" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Game Explorer\Turn off game updates HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\GameUX CCE-11030-4fThe "Turn off handwriting recognition error reporting" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off handwriting recognition error reporting HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports CCE-12064-2OThe "Turn off hardware buttons" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Tablet PC\Hardware Buttons\Turn off hardware buttons HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TabletPC CCE-10981-9]The "Turn off heap termination on corruption" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Explorer\Turn off heap termination on corruption HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer CCE-11812-5nThe "Turn off Help and Support Center "Did you know?" content" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Help and Support Center "Did you know?" 
content HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\HelpSvc CCE-11544-4vThe "Turn off Help and Support Center Microsoft Knowledge Base search" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Help and Support Center Microsoft Knowledge Base search HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\HelpSvc CCE-11204-5XThe "Turn Off Hybrid Sleep (On Battery)" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Turn Off Hybrid Sleep (On Battery) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\94ac6d29-73ce-41a6-809f-6363ba21b47e CCE-11397-7XThe "Turn Off Hybrid Sleep (Plugged In)" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Turn Off Hybrid Sleep (Plugged In) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\94ac6d29-73ce-41a6-809f-6363ba21b47e CCE-12082-4The "Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Internet Connection Wizard CCE-11136-9The "Turn off Internet download for Web publishing and online ordering wizards" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet download for Web publishing and online ordering wizards HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer CCE-10697-1`The "Turn off Internet File 
Association service" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet File Association service HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer CCE-11458-7_The "Turn off legacy remote shutdown interface" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Shutdown Options\Turn off legacy remote shutdown interface HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System CCE-13373-6dThe "Turn off Local Group Policy objects processing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Turn off Local Group Policy objects processing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System CCE-11367-0GThe "Turn off location" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Location and Sensors\Turn off location HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors CCE-11040-3QThe "Turn off location scripting" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Location and Sensors\Turn off location scripting HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors CCE-11158-3\The "Turn Off Low Battery User Notification" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Power Management\Notification Settings\Turn Off Low Battery User Notification HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\bcded951-187b-4d05-bccc-f7e51960c258 CCE-11604-6iThe "Turn off Microsoft Peer-to-Peer Networking Services" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer 
Networking Services\Turn off Microsoft Peer-to-Peer Networking Services HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet CCE-11270-6bThe "Turn off Multicast Bootstrap" machine setting should be configured correctly for IPv6 Global.Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Global Clouds\Turn off Multicast Bootstrap HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet\Pnrp\IPv6-Global CCE-10962-9fThe "Turn off Multicast Bootstrap" machine setting should be configured correctly for IPv6 Link Local.Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Link-Local Clouds\Turn off Multicast Bootstrap HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet\Pnrp\IPv6-LinkLocal CCE-11186-4fThe "Turn off Multicast Bootstrap" machine setting should be configured correctly for IPv6 Site Local.Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Site-Local Clouds\Turn off Multicast Bootstrap HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet\Pnrp\IPv6-SiteLocal CCE-11472-8XThe "Turn off Multicast Name Resolution" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\DNS Client\Turn off Multicast Name Resolution HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient CCE-11823-2YThe "Turn Off Non Volatile Cache Feature" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Disk NV Cache\Turn Off Non Volatile Cache Feature HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NvCache CCE-11588-1dThe "Turn off numerical sorting in Windows Explorer" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Win< dows Explorer\Turn off numerical sorting in Windows Explorer 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer CCE-11616-0_The "Turn off password security in Input Panel" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Tablet PC\Input Panel\Turn off password security in Input Panel HKEY_LOCAL_MACHINE\software\policies\microsoft\TabletTip\1.7 CCE-12255-6KThe "Turn off pen feedback" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Tablet PC\Cursors\Turn off pen feedback HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TabletPC CCE-11950-3bThe "Turn off PNRP cloud creation" machine setting should be configured correctly for IPv6 Global.Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Global Clouds\Turn off PNRP cloud creation HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet\Pnrp\IPv6-Global CCE-10333-3fThe "Turn off PNRP cloud creation" machine setting should be configured correctly for IPv6 Link Local.Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Link-Local Clouds\Turn off PNRP cloud creation HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet\Pnrp\IPv6-LinkLocal CCE-12065-9fThe "Turn off PNRP cloud creation" machine setting should be configured correctly for IPv6 Site Local.Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Site-Local Clouds\Turn off PNRP cloud creation HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet\Pnrp\IPv6-SiteLocal CCE-11360-5QThe "Turn off printing over HTTP" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off printing over HTTP 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers

CCE-11175-7
The "Turn off Problem Steps Recorder" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Application Compatibility\Turn off Problem Steps Recorder
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat

CCE-11757-2
The "Turn off Program Compatibility Assistant" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Application Compatibility\Turn off Program Compatibility Assistant
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat

CCE-11043-7
The "Turn off Program Inventory" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Application Compatibility\Turn off Program Inventory
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat

CCE-11748-1
The "Turn off Real-Time Monitoring" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Turn off Real-Time Monitoring
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-time Protection

CCE-11112-0
The "Turn off Registration if URL connection is referring to Microsoft.com" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Registration if URL connection is referring to Microsoft.com
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Registration Wizard Control

CCE-10813-4
The "Turn off restore functionality" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Backup\Client\Turn off restore functionality
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client

CCE-14285-1
The "Turn off Resultant Set of Policy logging" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Group Policy\Turn off Resultant Set of Policy logging
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System

CCE-10836-5
The "Turn off Routinely Taking Action" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Turn off Routinely Taking Action
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender

CCE-10889-4
The "Turn off Search Companion content file updates" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Search Companion content file updates
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SearchCompanion

CCE-11409-0
The "Turn off sensors" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Location and Sensors\Turn off sensors
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors

CCE-11530-3
The "Turn off shell protocol protected mode" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Explorer\Turn off shell protocol protected mode
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

CCE-11938-8
The "Turn Off Solid State Mode" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Disk NV Cache\Turn Off Solid State Mode
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NvCache

CCE-11424-9
The "Turn off SwitchBack Compatibility Engine" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Application Compatibility\Turn off SwitchBack Compatibility Engine
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat

CCE-11725-9
The "Turn off System Restore" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\System Restore\Turn off System Restore
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore

CCE-10929-8
The "Turn off Tablet PC touch input" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Tablet PC\Touch Input\Turn off Tablet PC touch input
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TabletPC

CCE-11243-3
The "Turn off the "Order Prints" picture task" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Order Prints" picture task
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

CCE-11587-3
The "Turn off the "Publish to Web" task for files and folders" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Publish to Web" task for files and folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

CCE-12354-7
The "Turn off the ability to back up data files" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Backup\Client\Turn off the ability to back up data files
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client

CCE-12103-8
The "Turn off the ability to create a system image" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Backup\Client\Turn off the ability to create a system image
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client

CCE-10366-3
The "Turn off the communities features" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Mail\Turn off the communities features
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Mail

CCE-10647-6
The "Turn Off the Display (On Battery)" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Power Management\Video and Display Settings\Turn Off the Display (On Battery)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\3C0BC021-C8A8-4E07-A973-6B14CBCB2B7E

CCE-12282-0
The "Turn Off the Display (Plugged In)" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Power Management\Video and Display Settings\Turn Off the Display (Plugged In)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\3C0BC021-C8A8-4E07-A973-6B14CBCB2B7E

CCE-12139-2
The "Turn Off the Hard Disk (On Battery)" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Power Management\Hard Disk Settings\Turn Off the Hard Disk (On Battery)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\6738E2C4-E8A5-4A42-B16A-E040E769756E

CCE-11921-4
The "Turn Off the Hard Disk (Plugged In)" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Power Management\Hard Disk Settings\Turn Off the Hard Disk (Plugged In)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\6738E2C4-E8A5-4A42-B16A-E040E769756E

CCE-11958-6
The "Turn off the Windows Messenger Customer Experience Improvement Program" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the Windows Messenger Customer Experience Improvement Program
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client

CCE-11156-7
The "Turn off Touch Panning" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Tablet PC\Touch Input\Turn off Touch Panning
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TabletPC

CCE-11763-0
The "Turn off tracking of last play time of games in the Games folder" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Game Explorer\Turn off tracking of last play time of games in the Games folder
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\GameUX

CCE-11727-5
The "Turn Off user-installed desktop gadgets" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Desktop Gadgets\Turn Off user-installed desktop gadgets
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar

CCE-11354-8
The "Turn off Windows Customer Experience Improvement Program" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Customer Experience Improvement Program
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows

CCE-10517-1
The "Turn off Windows Defender" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Turn off Windows Defender
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender

CCE-11750-7
The "Turn off Windows Error Reporting" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Error Reporting
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting

CCE-11467-8
The "Turn off Windows HotStart" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Windows HotStart\Turn off Windows HotStart
HKEY_LOCAL_MACHINE\Software\policies\Microsoft\System\HotStart

CCE-11987-5
The "Turn off Windows Installer RDS Compatibility" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Turn off Windows Installer RDS Compatibility
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\TSAppSrv\TSMSI

CCE-11123-7
The "Turn off Windows Mail application" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Mail\Turn off Windows Mail application
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Mail

CCE-11358-9
The "Turn off Windows Mobility Center" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Mobility Center\Turn off Windows Mobility Center
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\MobilityCenter

CCE-12049-3
The "Turn off Windows Network Connectivity Status Indicator active tests" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Network Connectivity Status Indicator active tests
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator

CCE-11574-1
The "Turn off Windows presentation settings" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Presentation Settings\Turn off Windows presentation settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\PresentationSettings

CCE-11404-1
The "Turn off Windows SideShow" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows SideShow\Turn off Windows SideShow
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SideShow

CCE-11082-5
The "Turn off Windows Startup Sound" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Logon\Turn off Windows Startup Sound
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

CCE-11319-1
The "Turn off Windows Update device driver search prompt" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Driver Installation\Turn off Windows Update device driver search prompt
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching

CCE-10357-2
The "Turn off Windows Update device driver searching" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Update device driver searching
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching

CCE-11176-5
The "Turn on Accounting for WSRM" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows System Resource Manager\Turn on Accounting for WSRM
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\WSRM

CCE-11183-1
The "Turn on bandwidth optimization" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Remote Assistance\Turn on bandwidth optimization
HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services

CCE-11222-7
The "Turn on BranchCache" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Network\BranchCache\Turn on BranchCache
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PeerDist\Service

CCE-10998-3
The "Turn on certificate propagation from smart card" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Smart Card\Turn on certificate propagation from smart card
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CertProp

CCE-10621-1
The "Turn On Compatibility HTTP Listener" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Turn On Compatibility HTTP Listener
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service

CCE-12157-4
The "Turn On Compatibility HTTPS Listener" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Turn On Compatibility HTTPS Listener
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service

CCE-10587-4
The "Turn on definition updates through both WSUS and the Microsoft Malware Protection Center" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Turn on definition updates through both WSUS and the Microsoft Malware Protection Center
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Signature Updates

CCE-11880-2
The "Turn on definition updates through both WSUS and Windows Update" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Turn on definition updates through both WSUS and Windows Update
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Signature Updates

CCE-11200-3
The "Turn On Desktop Background Slideshow (On Battery)" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Power Management\Video and Display Settings\Turn On Desktop Background Slideshow (On Battery)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\309dce9b-bef4-4119-9921-a851fb12f0f4

CCE-10885-2
The "Turn On Desktop Background Slideshow (Plugged In)" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Power Management\Video and Display Settings\Turn On Desktop Background Slideshow (Plugged In)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\309dce9b-bef4-4119-9921-a851fb12f0f4

CCE-11293-8
The "Turn on economical application of administratively assigned Offline Files" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Network\Offline Files\Turn on economical application of administratively assigned Offline Files
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetCache

CCE-12251-5
The "Turn on extensive logging for Active Directory Domain Services domain controllers that are running Server for NIS" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Server for NIS\Turn on extensive logging for Active Directory Domain Services domain controllers that are running Server for NIS
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Server for NIS

CCE-10442-2
The "Turn on extensive logging for Password Synchronization" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Password Synchronization\Turn on extensive logging for Password Synchronization
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PswdSync

CCE-10958-7
The "Turn on logging" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Setup\Turn on logging
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup

CCE-10484-4
The "Turn on Mapper I/O (LLTDIO) driver" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) driver
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD

CCE-11648-3
The "Turn on recommended updates via Automatic Updates" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Turn on recommended updates via Automatic Updates
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

CCE-11205-2
The "Turn on Remote Desktop IP Virtualization" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Turn on Remote Desktop IP Virtualization
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\TSAppSrv\VirtualIP

CCE-11304-3
The "Turn on Responder (RSPNDR) driver" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) driver
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD

CCE-11907-3
The "Turn on root certificate propagation from smart card" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Smart Card\Turn on root certificate propagation from smart card
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CertProp

CCE-10698-9
The "Turn on Script Execution" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell\Turn on Script Execution
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell

CCE-11211-0
The "Turn on Security Center (Domain PCs only)" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Security Center\Turn on Security Center (Domain PCs only)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Security Center

CCE-11263-1
The "Turn on session logging" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Remote Assistance\Turn on session logging
HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services

CCE-10335-8
The "Turn on Smart Card Plug and Play service" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Smart Card\Turn on Smart Card Plug and Play service
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScPnP

CCE-10991-8
The "Turn on Software Notifications" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Turn on Software Notifications
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

CCE-11731-7
The "Turn on the Ability for Applications to Prevent Sleep Transitions (On Battery)" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Turn on the Ability for Applications to Prevent Sleep Transitions (On Battery)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\B7A27025-E569-46c2-A504-2B96CAD225A1

CCE-11578-2
The "Turn on the Ability for Applications to Prevent Sleep Transitions (Plugged In)" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Turn on the Ability for Applications to Prevent Sleep Transitions (Plugged In)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\B7A27025-E569-46c2-A504-2B96CAD225A1

CCE-11255-7
The "Turn on the Windows to NIS password synchronization for users that have been migrated to Active Directory" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Password Synchronization\Turn on the Windows to NIS password synchronization for users that have been migrated to Active Directory
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PswdSync

CCE-11567-5
The "Turn on TPM backup to Active Directory Domain Services" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Trusted Platform Module Services\Turn on TPM backup to Active Directory Domain Services
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\TPM

CCE-11037-9
The "Update Security Level" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Network\DNS Client\Update Security Level
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient

CCE-11244-1
The "Update Top Level Domain Zones" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Network\DNS Client\Update Top Level Domain Zones
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient

CCE-10722-7
Computer Configuration\Administrative Templates\System\KDC\Use forest search order
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters

CCE-11191-4
Computer Configuration\Administrative Templates\System\Kerberos\Use forest search order
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters

CCE-11099-9
The "Use IP Address Redirection" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker\Use IP Address Redirection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

CCE-11331-6
The "Use localized subfolder names when redirecting Start Menu and My Documents" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\System\Folder Redirection\Use localized subfolder names when redirecting Start Menu and My Documents
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Fdeploy

CCE-11804-2
The "Use mandatory profiles on the RD Session Host server" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles\Use mandatory profiles on the RD Session Host server
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

CCE-11558-4
The "Use RD Connection Broker load balancing" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker\Use RD Connection Broker load balancing
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

CCE-11230-0
The "Use Remote Desktop Easy Print printer driver first" machine setting should be configured correctly.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection\Use Remote Desktop Easy Print printer driver first HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-11403-3fThe "Use the specified Remote Desktop license servers" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing\Use the specified Remote Desktop license servers HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services CCE-13295-1`The "User Group Policy loopback processing mode" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System CCE-11405-8kThe "Validate smart card certificate usage rule compliance" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE CCE-11385-2WThe "Verbose vs normal status messages" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Verbose vs normal status messages HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System CCE-12328-1The "Verify old and new Folder Redirection targets point to the same share before redirecting" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Windows Components\Windows Explorer\Verify old and new Folder Redirection targets point to the same share before redirecting HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer CCE-10934-8RThe "Wait for remote user profile" machine setting should be configured correctly.Computer 
Configuration\Administrative Templates\System\User Profiles\Wait for remote user profile HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System CCE-11561-8bThe "Weight Set in the DC Locator DNS SRV Records" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Weight Set in the DC Locator DNS SRV Records HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters CCE-11768-9VThe "Windows Scaling Heuristics State" machine setting should be configured correctly.Computer Configuration\Administrative Templates\Network\TCPIP Settings\Parameters\Windows Scaling Heuristics State HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters CCE-13394-2MThe "Wired policy processing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Wired policy processing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053} CCE-14616-7PThe "Wireless policy processing" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Group Policy\Wireless policy processing HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63} CCE-11974-3SThe "WPD Devices: Deny read access" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Removable Storage Access\WPD Devices: Deny read access HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} CCE-11070-0TThe "WPD Devices: Deny write access" machine setting should be configured correctly.Computer Configuration\Administrative Templates\System\Removable Storage Access\WPD Devices: Deny write access HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33}HMicrosoft Security 
Compliance Manager (SCM) Baselines and Settings Packsenabled/disabled CCE-10575-9hAuditing of 'Audit account logon events' events on success should be enabled or disabled as appropriate. CCE-10689-8hAuditing of 'Audit account logon events' events on failure should be enabled or disabled as appropriate. CCE-11051-0fAuditing of 'Audit account management' events on failure should be enabled or disabled as appropriate. CCE-10222-8fAuditing of 'Audit account management' events on success should be enabled or disabled as appropriate. CCE-10808-4lAuditing of 'Audit directory service access' events on failure should be enabled or disabled as appropriate. CCE-10209-5lAuditing of 'Audit directory service access' events on success should be enabled or disabled as appropriate. CCE-10707-8`Auditing of 'Audit logon events' events on failure should be enabled or disabled as appropriate. CCE-10213-7`Auditing of 'Audit logon events' events on success should be enabled or disabled as appropriate. CCE-10848-0aAuditing of 'Audit object access' events on success should be enabled or disabled as appropriate. CCE-11068-4aAuditing of 'Audit object access' events on failure should be enabled or disabled as appropriate. CCE-10826-6aAuditing of 'Audit policy change' events on failure should be enabled or disabled as appropriate. CCE-10803-5aAuditing of 'Audit policy change' events on success should be enabled or disabled as appropriate. CCE-10971-0aAuditing of 'Audit privilege use' events on failure should be enabled or disabled as appropriate. CCE-9932-5aAuditing of 'Audit privilege use' events on success should be enabled or disabled as appropriate. CCE-10601-3dAuditing of 'Audit process tracking' events< on failure should be enabled or disabled as appropriate. CCE-10060-2dAuditing of 'Audit process tracking' events on success should be enabled or disabled as appropriate. CCE-10923-1aAuditing of 'Audit system events' events on success should be enabled or disabled as appropriate. 
CCE-10716-9aAuditing of 'Audit system events' events on failure should be enabled or disabled as appropriate. CCE-9972-1nThe 'Access Credential Manager as a trusted caller' user right should be assigned to the appropriate accounts.list of accounts CCE-10086-7fThe 'Access this computer from the network' user right should be assigned to the appropriate accounts. CCE-10232-7dThe 'Act as part of the operating system' user right should be assigned to the appropriate accounts. CCE-10862-1YThe "add workstations to domain" user right should be assigned to the correct accounts. CCE-10849-8cThe 'Adjust memory quotas for a process' user right should be assigned to the appropriate accounts. CCE-10853-0UThe 'Allow log on locally' user right should be assigned to the appropriate accounts. CCE-10858-9mThe 'Allow log on through Remote Desktop Services' user right should be assigned to the appropriate accounts. CCE-10880-3^The 'Back up files and directories' user right should be assigned to the appropriate accounts. CCE-10369-7YThe 'Bypass traverse checking' user right should be assigned to the appropriate accounts. CCE-10122-0WThe 'Change the system time' user right should be assigned to the appropriate accounts. CCE-10897-7UThe 'Change the time zone' user right should be assigned to the appropriate accounts. CCE-9937-4RThe 'Create a pagefile' user right should be assigned to the appropriate accounts. CCE-10770-6VThe 'Create a token object' user right should be assigned to the appropriate accounts. CCE-10792-0VThe 'Create global objects' user right should be assigned to the appropriate accounts. CCE-10796-1`The 'Create permanent shared objects' user right should be assigned to the appropriate accounts. CCE-10911-6VThe 'Create symbolic links' user right should be assigned to the appropriate accounts. CCE-10915-7OThe 'Debug programs' user right should be assigned to the appropriate accounts. 
CCE-10733-4nThe 'Deny access to this computer from the network' user right should be assigned to the appropriate accounts. CCE-10596-5[The 'Deny log on as a batch job' user right should be assigned to the appropriate accounts. CCE-10226-9YThe 'Deny log on as a service' user right should be assigned to the appropriate accounts. CCE-10750-8TThe 'Deny log on locally' user right should be assigned to the appropriate accounts. CCE-10878-7lThe 'Deny log on through Remote Desktop Services' user right should be assigned to the appropriate accounts. CCE-10618-7The 'Enable computer and user accounts to be trusted for delegation' user right should be assigned to the appropriate accounts. CCE-10785-4dThe 'Force shutdown from a remote system' user right should be assigned to the appropriate accounts. CCE-10274-9YThe 'Generate security audits' user right should be assigned to the appropriate accounts. CCE-9946-5jThe 'Impersonate a client after authentication' user right should be assigned to the appropriate accounts. CCE-10548-6_The 'Increase a process working set' user right should be assigned to the appropriate accounts. CCE-9961-4]The 'Increase scheduling priority' user right should be assigned to the appropriate accounts. CCE-10202-0_The 'Load and unload device drivers' user right should be assigned to the appropriate accounts. CCE-10955-3UThe 'Lock pages in memory' user right should be assigned to the appropriate accounts. CCE-10549-4VThe 'Log on as a batch job' user right should be assigned to the appropriate accounts. CCE-10845-6TThe 'Log on as a service' user right should be assigned to the appropriate accounts. CCE-10726-8aThe 'Manage auditing and security log' user right should be assigned to the appropriate accounts. CCE-10567-6WThe 'Modify an object label' user right should be assigned to the appropriate accounts. CCE-10659-1cThe 'Modify firmware environment values' user right should be assigned to the appropriate accounts. 
CCE-9984-6aThe 'Perform volume maintenance tasks' user right should be assigned to the appropriate accounts. CCE-10458-8WThe 'Profile single process' user right should be assigned to the appropriate accounts. CCE-10193-1[The 'Profile system performance' user right should be assigned to the appropriate accounts. CCE-10969-4eThe 'Remove computer from docking station' user right should be assigned to the appropriate accounts. CCE-10599-9^The 'Replace a process level token' user right should be assigned to the appropriate accounts. CCE-10805-0^The 'Restore files and directories' user right should be assigned to the appropriate accounts. CCE-10439-8UThe 'Shut down the system' user right should be assigned to the appropriate accounts. CCE-10932-2PThe "Synchronize directory service data" setting should be configured correctly.(1) enabled/disabled CCE-10954-6iThe 'Take ownership of files or other objects' user right should be assigned to the appropriate accounts. CCE-10571-8TThe 'Accounts: Administrator account status' setting should be configured correctly. CCE-9989-5LThe 'Accounts: Guest account status' setting should be configured correctly. CCE-9992-9xThe 'Accounts: Limit local account use of blank passwords to console logon only' setting should be configured correctly.enabled/disabled CCE-10976-9?The built-in Administrator account should be correctly named. account name CCE-10747-47The built-in Guest account should be correctly named. CCE-10487-7^The 'Audit: Audit the access of global system objects' setting should be configured correctly. CCE-10619-5bThe 'Audit: Audit the use of Backup and Restore privilege' setting should be configured correctly. CCE-10112-1The 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' setting should be configured correctly. CCE-10742-5rThe 'Audit: Shut down system immediately if unable to log security audits' setting should be configured correctly. 
CCE-10139-4 Rights to access DCOM applications should be assigned as appropriate. (1) users and/or groups (2) allow/deny (3) local access/remote access
CCE-10896-9 Rights to activate or launch DCOM applications should be assigned as appropriate. (1) users and/or groups (2) allow/deny (3) local launch/remote launch/local activation/remote activation
CCE-10883-7 The 'Devices: Allow undock without having to log on' setting should be configured correctly.
CCE-10637-7 The 'Devices: Allowed to format and eject removable media' setting should be configured correctly. Administrators/Administrators and Power Users/Administrators and Interactive Users
CCE-9999-4 The 'Devices: Prevent users from installing printer drivers' setting should be configured correctly.
CCE-10780-5 The 'Devices: Restrict CD-ROM access to locally logged-on user only' setting should be configured correctly.
CCE-10912-4 The 'Devices: Restrict floppy access to locally logged-on user only' setting should be configured correctly.
CCE-10683-1 The "Domain Controller: Allow server operators to schedule tasks" setting should be configured correctly.
CCE-10423-2 The "Domain Controller: LDAP server signing requirements" setting should be configured correctly. None/Require signing
CCE-10802-7 The "Domain Controller: Refuse machine account password changes" setting should be configured correctly. enabled/disabled
CCE-10871-2 The 'Domain member: Digitally encrypt or sign secure channel data (always)' setting should be configured correctly.
CCE-10875-3 The 'Domain member: Digitally encrypt secure channel data (when possible)' setting should be configured correctly.
CCE-10009-9 The 'Domain member: Digitally sign secure channel data (when possible)' setting should be configured correctly.
CCE-10775-5 The 'Domain member: Disable machine account password changes' setting should be configured correctly.
CCE-10903-3 The 'Domain member: Maximum machine account password age' setting should be configured correctly. number of days
CCE-10541-1 The 'Domain member: Require strong (Windows 2000 or later) session key' setting should be configured correctly.
CCE-10158-4 The 'Interactive logon: Display user information when the session is locked.' setting should be configured correctly.
CCE-10788-8 The 'Interactive logon: Do not display last user name' setting should be configured correctly.
CCE-10810-0 The 'Interactive logon: Do not require CTRL+ALT+DEL' setting should be configured correctly.
CCE-10673-2 The 'Interactive logon: Message text for users attempting to log on' setting should be configured correctly. string
CCE-10010-7 The 'Interactive logon: Message title for users attempting to log on' setting should be configured correctly.
CCE-10926-4 The 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' setting should be configured correctly. number of logons
CCE-10930-6 The 'Interactive logon: Prompt user to change password before expiration' setting should be configured correctly. number of days prior to expiration
CCE-10705-2 The 'Interactive logon: Require Domain Controller authentication to unlock workstation' setting should be configured correctly.
CCE-10833-2 The 'Interactive logon: Require smart card' setting should be configured correctly.
CCE-10573-4 The 'Interactive logon: Smart card removal behavior' setting should be configured correctly. No Action/Lock Workstation/Force Logoff/Disconnect if a remote Terminal Services session
CCE-10970-2 The 'Microsoft network client: Digitally sign communications (always)' setting should be configured correctly.
CCE-10974-4 The 'Microsoft network client: Digitally sign communications (if server agrees)' setting should be configured correctly.
CCE-10838-1 The 'Microsoft network client: Send unencrypted password to third-party SMB servers' setting should be configured correctly.
CCE-10362-2 The 'Microsoft network server: Amount of idle time required before suspending session' setting should be configured correctly. number of minutes
CCE-10992-6 The 'Microsoft network server: Digitally sign communications (always)' setting should be configured correctly.
CCE-10978-5 The 'Microsoft network server: Digitally sign communications (if client agrees)' setting should be configured correctly.
CCE-10983-5 The 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly.
CCE-10617-9 The 'Microsoft network server: Server SPN target name validation level' setting should be configured correctly. Off/Accept if provided by client/Required from client
CCE-10745-8 The 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' setting should be configured correctly.
CCE-10732-6 The 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly. allowed/ignored when IP forwarding is enabled/disabled
CCE-10888-6 The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.
CCE-10518-9 The 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' setting should be configured correctly.
CCE-10751-6 The 'MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)' setting should be configured correctly.
CCE-10381-2 The 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' setting should be configured correctly. frequency in milliseconds
CCE-10018-0 The 'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.' setting should be configured correctly. Allow all exceptions (least secure)/Multicast, broadcast, and ISAKMP are exempt (Best for Windows XP)/RSVP, Kerberos, and ISAKMP are exempt/Only ISAKMP is exempt (recommended for Windows Server 2003)/Disabled
CCE-10653-4 The 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' setting should be configured correctly.
CCE-10781-3 The 'MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)' setting should be configured correctly.
CCE-10768-0 The 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' setting should be configured correctly. Enable only if DHCP sends the Perform Router Discovery option/Enabled/Disabled
CCE-10772-2 The 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' setting should be configured correctly.
CCE-10799-5
CCE-10019-8 The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly. number of seconds
CCE-10936-3
CCE-10941-3 The 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly. number of retransmissions
CCE-10804-3 The 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly.
CCE-11011-4 The 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' setting should be configured correctly. log capacity threshold as a percentage
CCE-10024-8 The 'Network access: Allow anonymous SID/Name translation' setting should be configured correctly.
CCE-10027-1 The 'Network access: Do not allow anonymous enumeration of SAM accounts' setting should be configured correctly.
CCE-10557-7 The 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' setting should be configured correctly.
CCE-10292-1 The 'Network access: Do not allow storage of passwords and credentials for network authentication' setting should be configured correctly.
CCE-10297-0 The 'Network access: Let Everyone permissions apply to anonymous users' setting should be configured correctly.
CCE-10944-7 The 'Network access: Named Pipes that can be accessed anonymously' setting should be configured correctly. list of named pipes
CCE-10949-6 The 'Network access: Remotely accessible registry paths' setting should be configured correctly. set of paths
CCE-10935-5 The 'Network access: Remotely accessible registry paths and sub-paths' setting should be configured correctly.
CCE-10940-5 The 'Network access: Restrict anonymous access to Named Pipes and Shares' setting should be configured correctly.
CCE-10821-7 The 'Network access: Shares that can be accessed anonymously' setting should be configured correctly. set of shares
CCE-10825-8 The 'Network access: Sharing and security model for local accounts' setting should be configured correctly. Classic/Guest only
CCE-10812-6 The 'Network security: Allow LocalSystem NULL session fallback' setting should be configured correctly.
CCE-10817-5 The 'Network security: Allow Local System to use computer identity for NTLM' setting should be configured correctly.
CCE-10839-9 The 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' setting should be configured correctly.
CCE-10843-1 The 'Network Security: Configure encryption types allowed for Kerberos' setting should be configured correctly.
CCE-10830-8 The 'Network security: Do not store LAN Manager hash value on next password change' setting should be configured correctly.
CCE-10588-2 The 'Network security: Force logoff when logon hours expire' setting should be configured correctly.
CCE-10984-3 The 'Network security: LAN Manager authentication level' setting should be configured correctly. authentication level
CCE-10614-6 The 'Network security: LDAP client signing requirements' setting should be configured correctly. None/Negotiate signing/Require signing
CCE-10035-4
CCE-18889-6 The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' setting should be enabled or disabled as appropriate.
CCE-18983-7 The 'Require message confidentiality' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' setting should be enabled or disabled as appropriate.
CCE-18973-8 The 'Require NTLMv2 session security' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' setting should be enabled or disabled as appropriate.
CCE-18808-6 The 'Require 128-bit encryption' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' setting should be enabled or disabled as appropriate.
CCE-10040-4
CCE-18949-8 The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' setting should be enabled or disabled as appropriate.
CCE-18927-4 The 'Require message confidentiality' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' setting should be enabled or disabled as appropriate.
CCE-18664-3 The 'Require NTLMv2 session security' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' setting should be enabled or disabled as appropriate.
CCE-18944-9 The 'Require 128-bit encryption' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' setting should be enabled or disabled as appropriate.
CCE-10640-1 The 'Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication' setting should be configured correctly. list of servers
CCE-10045-3 The 'Network Security: Restrict NTLM: Add server exceptions in this domain' setting should be configured correctly.
CCE-10053-7 The 'Network Security: Restrict NTLM: Audit Incoming NTLM Traffic' setting should be configured correctly.
CCE-10057-8 The 'Network Security: Restrict NTLM: NTLM authentication in this domain' setting should be configured correctly. Disabled/Deny for domain accounts to domain servers/deny for domain accounts/deny for domain servers/Deny all
CCE-10087-5 The 'Network Security: Restrict NTLM: Incoming NTLM traffic' setting should be configured correctly. Allow all/Deny all domain accounts/Deny all accounts
CCE-10229-3
CCE-10859-7 The 'Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers' setting should be configured correctly. Allow all/Audit all/Deny all
CCE-10370-5 The 'Recovery console: Allow automatic administrative logon' setting should be configured correctly.
CCE-10643-5 The 'Recovery console: Allow floppy copy and access to all drives and all folders' setting should be configured correctly.
CCE-10419-0 The 'Shutdown: Allow system to be shut down without having to log on' setting should be configured correctly.
CCE-11049-4 The 'Shutdown: Clear virtual memory pagefile' setting should be configured correctly.
CCE-11035-3 The 'System cryptography: Force strong key protection for user keys stored on the computer' setting should be configured correctly.
CCE-10789-6 The 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' setting should be configured correctly.
CCE-10986-8 The 'System objects: Require case insensitivity for non-Windows subsystems' setting should be configured correctly.
CCE-11010-6 The 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' setting should be configured correctly.
CCE-10913-2 The 'System settings: Optional subsystems' setting should be configured correctly. List of subsystems
CCE-10900-9 The 'System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies' setting should be configured correctly.
CCE-11028-8 The 'User Account Control: Admin Approval Mode for the Built-in Administrator account' setting should be configured correctly.
CCE-10534-6 The 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' setting should be configured correctly.
CCE-11023-9 The 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' setting should be configured correctly. Elevate without prompting/Prompt for credentials on the secure desktop/Prompt for consent on the secure desktop/Prompt for credentials/Prompt for consent/Prompt for consent for non-Windows binaries
CCE-10807-6 The 'User Account Control: Behavior of the elevation prompt for standard users' setting should be configured correctly. Prompt for credentials/Automatically deny elevation requests
CCE-10794-6 The 'User Account Control: Detect application installations and prompt for elevation' setting should be configured correctly.
CCE-10922-3 The 'User Account Control: Only elevate executables that are signed and validated' setting should be configured correctly.
CCE-10570-0 The 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' setting should be configured correctly.
CCE-10684-9 The 'User Account Control: Run all administrators in Admin Approval Mode' setting should be configured correctly.
CCE-10109-7 The 'User Account Control: Switch to the secure desktop when prompting for elevation' setting should be configured correctly.
CCE-10865-4 The 'User Account Control: Virtualize file and registry write failures to per-user locations' setting should be configured correctly.
CCE-10482-8 The Windows Firewall should be enabled or disabled as appropriate for the Domain Profile.
CCE-10997-5 Windows Firewall should allow or block inbound connections by default as appropriate for the Domain Profile. allow/block
CCE-10113-9 Windows Firewall should allow or block outbound connections by default as appropriate for the Domain Profile.
CCE-11019-7 Display of a notification to the user when Windows Firewall blocks network activity should be enabled or disabled as appropriate for the domain profile.
CCE-11041-1 Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Domain Profile.
CCE-10798-7 The 'Windows Firewall: Domain: Apply local firewall rules' setting should be configured correctly. yes/no
CCE-11036-1 The 'Windows Firewall: Domain: Apply local connection security rules' setting should be configured correctly.
CCE-11103-9 The Windows Firewall should be enabled or disabled as appropriate for the Private Profile.
CCE-10857-1 Windows Firewall should allow or block inbound connections by default as appropriate for the Private Profile.
CCE-10123-8 Windows Firewall should allow or block outbound connections by default as appropriate for the Private Profile.
CCE-10631-0 Display of a notification to the user when Windows Firewall blocks network activity should be enabled or disabled as appropriate for the private profile.
CCE-10127-9 Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Private Profile.
CCE-10131-1 The 'Windows Firewall: Private: Apply local firewall rules' setting should be configured correctly.
CCE-10921-5 The 'Windows Firewall: Private: Apply local connection security rules' setting should be configured correctly.
CCE-11050-2 The Windows Firewall should be enabled or disabled as appropriate for the Public Profile.
CCE-10171-7 Windows Firewall should allow or block inbound connections by default as appropriate for the Public Profile.
CCE-10481-0 Windows Firewall should allow or block outbound connections by default as appropriate for the Public Profile.
CCE-11120-3 Display of a notification to the user when Windows Firewall blocks network activity should be enabled or disabled as appropriate for the public profile.
CCE-10873-8 Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Public Profile.
CCE-10188-1 The 'Windows Firewall: Public: Apply local firewall rules' setting should be configured correctly.
CCE-10529-6 The 'Windows Firewall: Public: Apply local connection security rules' setting should be configured correctly.
CCE-10738-3 Auditing of 'Account Logon: Credential Validation' events on failure should be enabled or disabled as appropriate.
CCE-10192-3 Auditing of 'Account Logon: Credential Validation' events on success should be enabled or disabled as appropriate.
CCE-11079-1 Auditing of 'Account Logon: Kerberos Authentication Service' events on success should be enabled or disabled as appropriate.
CCE-10233-5 Auditing of 'Account Logon: Kerberos Authentication Service' events on failure should be enabled or disabled as appropriate.
CCE-10196-4 Auditing of 'Account Logon: Kerberos Service Ticket Operations' events on success should be enabled or disabled as appropriate.
CCE-10237-6 Auditing of 'Account Logon: Kerberos Service Ticket Operations' events on failure should be enabled or disabled as appropriate.
CCE-10755-7 Auditing of 'Account Logon: Other Account Logon Events' events on failure should be enabled or disabled as appropriate.
CCE-10445-5 Auditing of 'Account Logon: Other Account Logon Events' events on success should be enabled or disabled as appropriate.
CCE-10746-6 Auditing of 'Account Management: Application Group Management' events on success should be enabled or disabled as appropriate.
CCE-10752-4 Auditing of 'Account Management: Application Group Management' events on failure should be enabled or disabled as appropriate.
CCE-10860-5 Auditing of 'Account Management: Computer Account Management' events on success should be enabled or disabled as appropriate.
CCE-10523-9 Auditing of 'Account Management: Computer Account Management' events on failure should be enabled or disabled as appropriate.
CCE-10240-0 Auditing of 'Account Management: Distribution Group Management' events on failure should be enabled or disabled as appropriate.
CCE-10201-2 Auditing of 'Account Management: Distribution Group Management' events on success should be enabled or disabled as appropriate.
CCE-11001-5 Auditing of 'Account Management: Other Account Management Events' events on success should be enabled or disabled as appropriate.
CCE-11018-9 Auditing of 'Account Management: Other Account Management Events' events on failure should be enabled or disabled as appropriate.
CCE-10917-3 Auditing of 'Account Management: Security Group Management' events on failure should be enabled or disabled as appropriate.
CCE-10741-7 Auditing of 'Account Management: Security Group Management' events on success should be enabled or disabled as appropriate.
CCE-10203-8 Auditing of 'Account Management: User Account Management' events on success should be enabled or disabled as appropriate.
CCE-10247-5 Auditing of 'Account Management: User Account Management' events on failure should be enabled or disabled as appropriate.
CCE-11193-0 Auditing of 'Detailed Tracking: DPAPI Activity' events on failure should be enabled or disabled as appropriate.
CCE-10761-5 Auditing of 'Detailed Tracking: DPAPI Activity' events on success should be enabled or disabled as appropriate.
CCE-10514-8 Auditing of 'Detailed Tracking: Process Creation' events on success should be enabled or disabled as appropriate.
CCE-11069-2 Auditing of 'Detailed Tracking: Process Creation' events on failure should be enabled or disabled as appropriate.
CCE-11038-7 Auditing of 'Detailed Tracking: Process Termination' events on success should be enabled or disabled as appropriate.
CCE-11184-9 Auditing of 'Detailed Tracking: Process Termination' events on failure should be enabled or disabled as appropriate.
CCE-11061-9 Auditing of 'Detailed Tracking: RPC Events' events on failure should be enabled or disabled as appropriate.
CCE-11025-4 Auditing of 'Detailed Tracking: RPC Events' events on success should be enabled or disabled as appropriate.
CCE-11074-2 Auditing of 'DS Access: Detailed Directory Service Replication' events on failure should be enabled or disabled as appropriate.
CCE-11056-9 Auditing of 'DS Access: Detailed Directory Service Replication' events on success should be enabled or disabled as appropriate.
CCE-10668-2 Auditing of 'DS Access: Directory Service Access' events on success should be enabled or disabled as appropriate.
CCE-10686-4 Auditing of 'DS Access: Directory Service Access' events on failure should be enabled or disabled as appropriate.
CCE-11065-0 Auditing of 'DS Access: Directory Service Changes' events on failure should be enabled or disabled as appropriate.
CCE-10800-1 Auditing of 'DS Access: Directory Service Changes' events on success should be enabled or disabled as appropriate.
CCE-11087-4
CCE-10206-1 Auditing of 'DS Access: Directory Service Replication' events on success should be enabled or disabled as appropriate.
CCE-10834-0 Auditing of 'Logon-Logoff: Account Lockout' events on success should be enabled or disabled as appropriate.
CCE-10704-5 Auditing of 'Logon-Logoff: Account Lockout' events on failure should be enabled or disabled as appropriate.
CCE-10961-1 Auditing of 'Logon-Logoff: IPsec Extended Mode' events on success should be enabled or disabled as appropriate.
CCE-11224-3 Auditing of 'Logon-Logoff: IPsec Extended Mode' events on failure should be enabled or disabled as appropriate.
CCE-10995-9 Auditing of 'Logon-Logoff: IPsec Main Mode' events on failure should be enabled or disabled as appropriate.
CCE-10948-8 Auditing of 'Logon-Logoff: IPsec Main Mode' events on success should be enabled or disabled as appropriate.
CCE-10999-1 Auditing of 'Logon-Logoff: IPsec Quick Mode' events on failure should be enabled or disabled as appropriate.
CCE-10706-0 Auditing of 'Logon-Logoff: IPsec Quick Mode' events on success should be enabled or disabled as appropriate.
CCE-11102-1 Auditing of 'Logon-Logoff: Logoff' events on success should be enabled or disabled as appropriate.
CCE-11113-8 Auditing of 'Logon-Logoff: Logoff' events on failure should be enabled or disabled as appropriate.
CCE-11060-1 Auditing of 'Logon-Logoff: Logon' events on failure should be enabled or disabled as appropriate.
CCE-11107-0 Auditing of 'Logon-Logoff: Logon' events on success should be enabled or disabled as appropriate.
CCE-10847-2 Auditing of 'Logon-Logoff: Network Policy Server' events on success should be enabled or disabled as appropriate.
CCE-11064-3 Auditing of 'Logon-Logoff: Network Policy Server' events on failure should be enabled or disabled as appropriate.
CCE-10869-6 Auditing of 'Logon-Logoff: Other Logon/Logoff Events' events on success should be enabled or disabled as appropriate.
CCE-11179-9 Auditing of 'Logon-Logoff: Other Logon/Logoff Events' events on failure should be enabled or disabled as appropriate.
CCE-11078-3 Auditing of 'Logon-Logoff: Special Logon' events on failure should be enabled or disabled as appropriate.
CCE-10737-5 Auditing of 'Logon-Logoff: Special Logon' events on success should be enabled or disabled as appropriate.
CCE-11197-1 Auditing of 'Object Access:Application Generated' events on failure should be enabled or disabled as appropriate.
CCE-11111-2 Auditing of 'Object Access:Application Generated' events on success should be enabled or disabled as appropriate.
CCE-10216-0 Auditing of 'Object Access:Certification Services' events on success should be enabled or disabled as appropriate.
CCE-10950-4 Auditing of 'Object Access:Certification Services' events on failure should be enabled or disabled as appropriate.
CCE-11100-5 Auditing of 'Object Access: Detailed File Share' events on failure should be enabled or disabled as appropriate.
CCE-10391-1 Auditing of 'Object Access: Detailed File Share' events on success should be enabled or disabled as appropriate.
CCE-11021-3 Auditing of 'Object Access:File Share' events on success should be enabled or disabled as appropriate.
CCE-10589-0 Auditing of 'Object Access:File Share' events on failure should be enabled or disabled as appropriate.
CCE-10263-2 Auditing of 'Object Access:File System' events on success should be enabled or disabled as appropriate.
CCE-10967-8 Auditing of 'Object Access:File System' events on failure should be enabled or disabled as appropriate.
CCE-10743-3 Auditing of 'Object Access:Filtering Platform Connection' events on failure should be enabled or disabled as appropriate.
CCE-10285-5 Auditing of 'Object Access:Filtering Platform Connection' events on success should be enabled or disabled as appropriate.
CCE-11148-4 Auditing of 'Object Access:Filtering Platform Packet Drop' events on success should be enabled or disabled as appropriate.
CCE-10677-3
CCE-10959-5 Auditing of 'Object Access:Handle Manipulation' events on failure should be enabled or disabled as appropriate.
CCE-10902-5 Auditing of 'Object Access:Handle Manipulation' events on success should be enabled or disabled as appropriate.
CCE-10851-4 Auditing of 'Object Access:Kernel Object' events on failure should be enabled or disabled as appropriate.
CCE-10220-2 Auditing of 'Object Access:Kernel Object' events on success should be enabled or disabled as appropriate.
CCE-11170-8 Auditing of 'Object Access:Other Object Access Events' events on success should be enabled or disabled as appropriate.
CCE-10979-3 Auditing of 'Object Access:Other Object Access Events' events on failure should be enabled or disabled as appropriate.
CCE-10988-4 Auditing of 'Object Access:Registry' events on failure should be enabled or disabled as appropriate.
CCE-10224-4 Auditing of 'Object Access:Registry' events on success should be enabled or disabled as appropriate.
CCE-10728-4 Auditing of 'Object Access:SAM' events on failure should be enabled or disabled as appropriate.
CCE-10491-9 Auditing of 'Object Access:SAM' events on success should be enabled or disabled as appropriate.
CCE-10385-3 Auditing of 'Policy Change: Audit Policy Change' events on success should be enabled or disabled as appropriate.
CCE-10119-6 Auditing of 'Policy Change: Audit Policy Change' events on failure should be enabled or disabled as appropriate.
CCE-10874-6 Auditing of 'Policy Change: Authentication Policy Change' events on failure should be enabled or disabled as appropriate.
CCE-11160-9 Auditing of 'Policy Change: Authentication Policy Change' events on success should be enabled or disabled as appropriate.
CCE-10132-9 Auditing of 'Policy Change: Authorization Policy Change' events on failure should be enabled or disabled as appropriate.
CCE-10790-4 Auditing of 'Policy Change: Authorization Policy Change' events on success should be enabled or disabled as appropriate.
CCE-11006-4 Auditing of 'Policy Change: Filtering Platform Policy Change' events on failure should be enabled or disabled as appropriate.
CCE-10526-2 Auditing of 'Policy Change: Filtering Platform Policy Change' events on success should be enabled or disabled as appropriate.
CCE-10530-4 Auditing of 'Policy Change: MPSSVC Rule-Level Policy Change' events on success should be enabled or disabled as appropriate.
CCE-10189-9 Auditing of 'Policy Change: MPSSVC Rule-Level Policy Change' events on failure should be enabled or disabled as appropriate.
CCE-11032-0 Auditing of 'Policy Change: Other Policy Change Events' events on failure should be enabled or disabled as appropriate.
CCE-10680-7 Auditing of 'Policy Change: Other Policy Change Events' events on success should be enabled or disabled as appropriate.
CCE-11187-2 Auditing of 'Privilege Use: Non Sensitive Privilege Use' events on failure should be enabled or disabled as appropriate.
CCE-11173-2 Auditing of 'Privilege Use: Non Sensitive Privilege Use' events on success should be enabled or disabled as appropriate.
CCE-10197-2 Auditing of 'Privilege Use: Other Privilege Use Events' events on failure should be enabled or disabled as appropriate.
CCE-10593-2 Auditing of 'Privilege Use: Other Privilege Use Events' events on success should be enabled or disabled as appropriate.
CCE-10400-0 Auditing of 'Privilege Use: Sensitive Privilege Use' events on failure should be enabled or disabled as appropriate.
CCE-11003-1 Auditing of 'Privilege Use: Sensitive Privilege Use' events on success should be enabled or disabled as appropriate.
CCE-10214-5 Auditing of 'System: IPsec Driver' events on failure should be enabled or disabled as appropriate.
CCE-10390-3 Auditing of 'System: IPsec Driver' events on success should be enabled or disabled as appropriate.
CCE-11116-1 Auditing of 'System: Other System Events' events on failure should be enabled or disabled as appropriate.
CCE-10879-5 Auditing of 'System: Other System Events' events on success should be enabled or disabled as appropriate.
CCE-10892-8 Auditing of 'System: Security State Change' events on failure should be enabled or disabled as appropriate.
CCE-11007-2 Auditing of 'System: Security State Change' events on success should be enabled or disabled as appropriate.
CCE-11029-6 Auditing of 'System: Security System Extension' events on success should be enabled or disabled as appropriate.
CCE-11169-0 Auditing of 'System: Security System Extension' events on failure should be enabled or disabled as appropriate.
CCE-10884-5 Auditing of 'System: System Integrity' events on failure should be enabled or disabled as appropriate.
CCE-11034-6 Auditing of 'System: System Integrity' events on success should be enabled or disabled as appropriate.
CCE-11153-4
CCE-10818-3 Auditing of 'Global Object Access Auditing:File System' events on failure should be enabled or disabled as appropriate.
CCE-11042-9 Auditing of 'Global Object Access Auditing:Registry' events on failure should be enabled or disabled as appropriate.
CCE-10822-5 Auditing of 'Global Object Access Auditing:Registry' events on success should be enabled or disabled as appropriate.
CCE-10809-2 The "Enforce password history" setting should be configured correctly. number of passwords remembered
CCE-10562-7 The 'Maximum password age' setting should be configured correctly.
CCE-10760-7 The 'Minimum password age' setting should be configured correctly.
CCE-10372-1 The 'Minimum password length' setting should be configured correctly. number of characters
CCE-10901-7 The 'Password must meet complexity requirements' policy should be set correctly.
CCE-10905-8 The 'Store passwords using reversible encryption' setting should be configured correctly.
CCE-10399-4 The 'Account lockout duration' setting should be configured correctly.
CCE-11046-0GThe 'Account lockout threshold' setting should be configured correctly.number of failed logon attempts CCE-11059-3QThe 'Reset account lockout counter after' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account logon events (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditAccountLogon' and precedence=1(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditAccountManage' and precedence=1(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit directory service access (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditDSAccess' and precedence=1(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy;< Property = Success, Failure; Where = Category='AuditLogonEvents' and precedence=1 (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditObjectAccess' and precedence=1 (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit policy change (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditPolicyChange' and precedence=1 (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit privilege use (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; 
Property = Success, Failure; Where = Category='AuditPrivilegeUse' and precedence=1(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit process tracking (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditProcessTracking' and precedence=1 (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit system events (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditSystemEvents' and precedence=1>(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access Credential Manager as a trusted caller (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeTrustedCredManAccessPrivilege' and precedence=1*(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeNetworkLogonRight' and precedence=1#(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeTcbPrivilege' and precedence=1|Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Add workstations to a domain,(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeIncreaseQuotaPrivilege' and precedence=1(1) GPO: Computer Configuration\Windows 
Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeInteractiveLogonRight' and precedence=1;(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Remote Desktop Services (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeRemoteInteractiveLogonRight' and precedence=1 (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Back up files and directories (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeBackupPrivilege' and precedence=1!(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Bypass traverse checking (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeChangeNotifyPrivilege' and precedence=1(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeSystemtimePrivilege' and precedence=1(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the time zone (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeTimeZonePrivilege' and precedence=1(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a pagefile (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeCreatePagefilePrivilege' and precedence=1(1) GPO: 
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a token object (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeCreateTokenPrivilege' and precedence=1(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create global objects (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeCreateGlobalPrivilege' and precedence=1+(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create permanent shared objects (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeCreatePermanentPrivilege' and precedence=1$(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create symbolic links (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeCreateSymbolicLinkPrivilege' and precedence=1(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeDebugPrivilege' and precedence=16(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeDenyNetworkLogonRight' and precedence=1!(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = 
UserRight='SeDenyBatchLogonRight' and precedence=1!(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeDenyServiceLogonRight' and precedence=1 (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeDenyInteractiveLogonRight' and precedence=1>(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Remote Desktop Services (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeDenyRemoteInteractiveLogonRight' and precedence=1K(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeEnableDelegationPrivilege' and precedence=1(1) GPO: Computer Configuration\Windows Settings\Local Policies\User Rights Assignment\Force shutdown from< a remote system (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeRemoteShutdownPrivilege' and precedence=1(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeAuditPrivilege' and precedence=11(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication (2) WMI: 
Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeImpersonatePrivilege' and precedence=1-(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase a process working set (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeIncreaseWorkingSetPrivilege' and precedence=1-(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeIncreaseBasePriorityPrivilege' and precedence=1%(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeLoadDriverPrivilege' and precedence=1(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lock pages in memory (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeLockMemoryPrivilege' and precedence=1(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeBatchLogonRight' and precedence=1(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeServiceLogonRight' and precedence=1%(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage 
auditing and security log (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeSecurityPrivilege' and precedence=1(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify an object label (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeRelabelPrivilege' and precedence=10(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify firmware environment values (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeSystemEnvironmentPrivilege' and precedence=1)(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeManageVolumePrivilege' and precedence=1'(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile single process (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeProfileSingleProcessPrivilege' and precedence=1$(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeSystemProfilePrivilege' and precedence=1'(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Remove computer from docking station (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeUndockPrivilege' and precedence=1,(1) GPO: Computer Configuration\Windows 
Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeAssignPrimaryTokenPrivilege' and precedence=1!(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Restore files and directories (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeRestorePrivilege' and precedence=1(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeShutdownPrivilege' and precedence=1(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Synchronize directory service data 2(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Take ownership of files or other objects (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeTakeOwnershipPrivilege' and precedence=1(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename administrator account(1) GPO: Computer Configuration\Windows Settings\Security 
Settings\Local Policies\Security Options\Accounts: Rename guest account(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the access of global system objects (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the use of Backup and Restore privilege (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\fullprivilegeauditing<(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\scenoapplylegacyauditpolicy(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\crashonauditfail((1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax (2) Registry Key: HKEY_LOCAL_MACHINE\Software\policies\Microsoft\windows NT\DCOM\MachineAccessRestriction((1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options< \DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax (2) Registry Key: HKEY_LOCAL_MACHINE\Software\policies\Microsoft\windows NT\DCOM\MachineLaunchRestriction(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allow undock without having to log on (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\undockwithoutlogon(1) GPO: 
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allowed to format and eject removable media (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Restrict CD-ROM access to locally logged-on user only (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Restrict floppy access to locally logged-on user only (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain Controller: Allow server operators to schedule tasks (1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain Controller: LDAP server signing requirements (1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain Controller: Refuse machine account password changes (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorseal(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt secure channel data (when possible) (2) Registry Key: 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\sealsecurechannel(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally sign secure channel data (when possible) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\signsecurechannel (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\disablepasswordchange(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\maximumpasswordage(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Require strong (Windows 2000 or later) session key (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requirestrongkey"(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Display user information when the session is locked. 
(2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLockedUserId (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message title for users attempting to log on (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption3(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available) (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\cachedlogonscount(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\passwordexpirywarning!(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require Domain Controller authentication to unlock workstation (2) Registry Key: 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require smart card (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\scforceoption(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\scremoveoption!(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature*(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB servers (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword"(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending session (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\autodisconnect(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always) (2) Registry Key: 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\requiresecuritysignature%(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\enablesecuritysignature(1) GPO: Computer< Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Disconnect clients when logon hours expire (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\enableforcedlogoff (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Server SPN target name validation level (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\SMBServerNameHardeningLevel (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon6(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting~(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting (3) WMI: Namespace = Windows XP; Class = ; Property = ; Where = (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local 
Policies\Security Options\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect2(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic. (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\NoDefaultExemptB(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand>(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreationA(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) (2) Registry Key: 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) (2) Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchModeSource http://blogs.technet.com/b/netro/archive/2010/08/30/tcp-ip-stack-hardening-in-operating-systems-starting-with-windows-vista.aspxD(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriodH(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissionsN(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\TcpMaxDataRetransmissions9(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning (2) Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel"(1) GPO: Computer Configuration\Windows Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation (2) WMI: Namespace = root\rsop\computer; Class = 
RSOP_SecuritySettingBoolean; Property = Setting; Where = KeyName='LSAAnonymousNameLookup' and precedence=1(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of passwords and credentials for network authentication (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and sub-paths (2) Registry Key: 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\restrictnullsessaccess
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow LocalSystem NULL session fallback (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow Local System to use computer identity for NTLM (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\UseMachineId
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Allow PKU2U authentication requests to this computer to use online identities (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Configure encryption types allowed for Kerberos (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes
(1) GPO: 
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\ClientAllowedNTLMServers
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Add server exceptions in this domain (2) Registry Key: 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DCAllowedNTLMServers
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Audit Incoming NTLM Traffic (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\AuditReceivingNTLMTraffic
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: NTLM authentication in this domain (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RestrictNTLMInDomain
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Incoming NTLM traffic (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictReceivingNTLMTraffic
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow automatic administrative logon (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\securitylevel
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow floppy copy and access to all drives and all folders (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\setcommand
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on (2) Registry Key: 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Clear virtual memory pagefile (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Require case insensitivity for non-Windows subsystems (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Strengthen default permissions of internal system objects (e.g. 
Symbolic Links) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System settings: Optional subsystems (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Admin Approval Mode for the Built-in Administrator account (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for standard users (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 
Options\User Account Control: Detect application installations and prompt for elevation (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate executables that are signed and validated (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate UIAccess applications that are installed in secure locations (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Run all administrators in Admin Approval Mode (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Switch to the secure desktop when prompting for elevation (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Virtualize file and registry write failures to per-user locations (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Firewall state (2) Registry Key: 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Inbound connections (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultInboundAction
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Outbound connections (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultOutboundAction
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Display a notification (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DisableNotifications
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Allow unicast response (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DisableUnicastResponsesToMulticastBroadcast
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Apply local firewall rules (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalPolicyMerge
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced 
Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Apply local connection security rules (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalIPsecPolicyMerge
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Firewall state (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Inbound connections (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultInboundAction
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Outbound connections (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultOutboundAction
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Display a notification (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableNotifications
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Allow unicast response (2) Registry Key: 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableUnicastResponsesToMulticastBroadcast
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Apply local firewall rules (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalPolicyMerge
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Apply local connection security rules (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalIPsecPolicyMerge
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Firewall state (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Inbound connections (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultInboundAction
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Outbound connections (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultOutboundAction
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall 
with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Display a notification (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableNotifications
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Allow unicast response (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableUnicastResponsesToMulticastBroadcast
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Apply local firewall rules (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalPolicyMerge
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Apply local connection security rules (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalIPsecPolicyMerge
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Account Logon\Audit Credential Validation
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Account Logon\Audit Kerberos Authentication Service
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Account Logon\Audit Kerberos Service Ticket Operations
(1) 
Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Account Logon\Audit Other Account Logon Events
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Account Management\Audit Application Group Management
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Account Management\Audit Computer Account Management
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Account Management\Audit Distribution Group Management
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Account Management\Audit Other Account Management
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Account Management\Audit Security Group Management
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Account Management\Audit User Account Management
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Detailed Tracking\Audit DPAPI Activity
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Detailed Tracking\Audit Process Creation
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Detailed 
Tracking\Audit Process Termination
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Detailed Tracking\Audit RPC Events
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\DS Access\Audit Detailed Directory Service Replication
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\DS Access\Audit Directory Service Access
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\DS Access\Audit Directory Service Changes
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\DS Access\Audit Directory Service Replication
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff\Audit Account Lockout
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff\Audit IPsec Extended Mode
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff\Audit IPsec Main Mode
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff\Audit IPsec Quick Mode
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff\Audit Logoff
(1) Commandline: auditpol.exe (2) 
GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff\Audit Logon
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff\Audit Network Policy Server
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff\Audit Other Logon/Logoff Events
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff\Audit Special Logon
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access\Audit Application Generated
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access\Audit Certification Services
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access\Audit Policy: Object Access: Detailed File Share
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access\Audit File Share
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access\Audit File System
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access\Audit Filtering Platform Connection
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit 
Policy Configuration\System Audit Policies\Object Access\Audit Filtering Platform Packet Drop
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access\Audit Handle Manipulation
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access\Audit Kernel Object
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access\Audit Other Object Access Events
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access\Audit Registry
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access\Audit SAM
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Policy Change\Audit Audit Policy Change
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Policy Changes\Audit Authentication Policy Change
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Policy Change\Audit Authorization Policy Change
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Policy Change\Audit Filtering Platform Policy Change
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit 
Policies\Policy Change\Audit MPSSVC Rule-Level Policy Change
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Policy Changes\Audit Other Policy Change Events
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Privilege Use\Audit Audit Non Sensitive Privilege Use
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Privilege Use\Audit Policy: Privilege Use: Other Privilege Use Events
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Privilege Use\Audit Audit Sensitive Privilege Use
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\System\Audit IPsec Driver
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\System\Audit Other System Events
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\System\Audit Security State Change
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\System\Audit Security System Extension
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\System\Audit System Integrity
(1) Commandline: auditpol.exe (2) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Global Object Access Auditing\File 
System
(1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingNumeric; Property = Setting; Where = KeyName = 'MaximumPasswordAge' And precedence=1
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingNumeric; Property = Setting; Where = KeyName = 'MinimumPasswordAge' And precedence=1
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingNumeric; Property = Setting; Where = KeyName = 'MinimumPasswordLength' And precedence=1
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingBoolean; Property = Setting; Where = KeyName = 'PasswordComplexity' And precedence=1
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingBoolean; Property = Setting; Where = KeyName = 'ClearTextPassword' And precedence=1
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingNumeric; Property = Setting; Where = KeyName='LockoutDuration' And precedence=1
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold (2) WMI: Namespace = 
root\rsop\computer; Class = RSOP_SecuritySettingNumeric; Property = Setting; Where = KeyName='LockoutBadCount' And precedence=1
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingNumeric; Property = Setting; Where = KeyName='ResetLockoutCount' And precedence=1
(1) Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Global Object Access Auditing\Registry
DEPRECATED: Does not apply to Windows Server 2008 r2
DEPRECATED
DEPRECATED in favor of CCE-18889-6, CCE-18983-7, CCE-18973-8 and CCE-18808-6
DEPRECATED In favor of CCE-18949-8, CCE-18927-4, CCE-18664-3 and CCE-18944-9
The "Best effort service type" Layer-3 Differentiated Services Code Point (DSCP) value should be configured correctly for packets that conform to the flow specification.
The "Controlled load service type" Layer-3 Differentiated Services Code Point (DSCP) value should be configured correctly for packets that conform to the flow specification.
The "Guaranteed service type" Layer-3 Differentiated Services Code Point (DSCP) value should be configured correctly for packets that conform to the flow specification.
The "Network control service type" Layer-3 Differentiated Services Code Point (DSCP) value should be configured correctly for packets that conform to the flow specification.
The "Qualitative service type" Layer-3 Differentiated Services Code Point (DSCP) value should be configured correctly for packets that conform to the flow specification.
The "Best effort service type" Layer-3 Differentiated Services Code Point (DSCP) value should be configured correctly for packets that do not conform to the flow specification.
The "Controlled load service type" Layer-3 Differentiated Services Code Point (DSCP) should be configured correctly for packets that do not conform to the flow 
specification.The "Guaranteed service type" Layer-3 Differentiated Services Code Point should <be configured correctly for packets that do not conform to the flow specification.The "Network control service type" Layer-3 Differentiated Services Code Point (DSCP) value should be configured correctly for packets that do not conform to the flow specification.The "Qualitative service type" Layer-3 Differentiated Services Code Point (DSCP) value should be configured correctly for packets that do not conform to the flow specification.bThe "Best effort service type" link layer (Layer-2) priority value should be configured correctly.fThe "Controlled load service type" link layer (Layer-2) priority value should be configured correctly.aThe "Guaranteed service type" link layer (Layer-2) priority value should be configured correctly.gThe "Network control service type" link layer (Layer-2) priority value should be configured correctly.bThe "Qualitative service type" link layer (Layer-2) priority value should be configured correctly.xThe "Use forest search order" machine setting should be configured correctly for Key Distribution Center (KDC) searches.jThe "Use forest search order" machine setting should be configured correctly for Kerberos client searches.pThe "Backup log automatically when full" machine setting should be configured correctly for the application log.XThe "Log Access" machine setting should be configured correctly for the application log.[The "Log File Path" machine setting should be configured correctly for the application log.cThe "Maximum Log Size (KB)" machine setting should be configured correctly for the application log._The "Retain old events" machine setting should be configured correctly for the application log.mThe "Backup log automatically when full" machine setting should be configured correctly for the security log.UThe "Log Access" machine setting should be configured correctly for the security log.XThe "Log File Path" machine setting should be 
configured correctly for the security log.`The "Maximum Log Size (KB)" machine setting should be configured correctly for the secirity log.\The "Retain old events" machine setting should be configured correctly for the security log.jThe "Backup log automatically when full" machine setting should be configured correctly for the setup log.RThe "Log Access" machine setting should be configured correctly for the setup log.UThe "Log File Path" machine setting should be configured correctly for the setup log.]The "Maximum Log Size (KB)" machine setting should be configured correctly for the setup log.YThe "Retain old events" machine setting should be configured correctly for the setup log.kThe "Backup log automatically when full" machine setting should be configured correctly for the system log.RThe "Log Access" machine setting should be configured correctlyfor the system log.VThe "Log File Path" machine setting should be configured correctly for the system log.^The "Maximum Log Size (KB)" machine setting should be configured correctly for the system log.ZThe "Retain old events" machine setting should be configured correctly for the system log.eThe "Allow Basic authentication" machine setting should be configured correctly for the WinRM client.gThe "Allow CredSSP authentication" machine setting should be configured correctly for the WinRM client.dThe "Allow unencrypted traffic" machine setting should be configured correctly for the WinRM client.kThe "Disallow Kerberos authentication" machine setting should be configured correctly for the WinRM client.lThe "Disallow Negotiate authentication" machine setting should be configured correctly for the WinRM client.fThe "Allow Basic authentication" machine setting should be configured correctly for the WinRM service.hThe "Allow CredSSP authentication" machine setting should be configured correctly for the WinRM service.eThe "Allow unencrypted traffic" machine setting should be configured correctly for the WinRM service.lThe 
"Disallow Kerberos authentication" machine setting should be configured correctly for the WinRM service.mThe "Disallow Negotiate authentication" machine setting should be configured correctly for the WinRM service.vAuditing of 'DS Access: Directory Service Replication' events on failure should be enabled or disabled as appropriate.{Auditing of 'Object Access:Filtering Platform Packet Drop' events on failure should be enabled or disabled as appropriate.xAuditing of 'Global Object Access Auditing:File System' events on success should be enabled or disabled as appropriate.wThe 'Network Security: Restrict NTLM: Audit NTLM authentication in this domain' setting should be configured correctly.(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Audit NTLM authentication in this domain (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\AuditNTLMInDomainUDisabled/Detection and Troubleshooting Only/Detection, Troubleshooting and ResolutionThe Diagnostic Policy Service (DPS) "Configure Scenario Execution Level" machine setting should be configured correctly for Fault Tolerant Heap .The Diagnostic Policy Service (DPS) "Configure Scenario Execution Level" machine setting should be configured correctly for Windows Boot Performance Diagnostics.The Diagnostic Policy Service (DPS) "Configure Scenario Execution Level" machine setting should be configured correctly for Windows Memory Leak Diagnosis.The Diagnostic Policy Service (DPS) "Configure Scenario Execution Level" machine setting should be configured correctly for Windows Resource Exhaustion Detection and Resolution.The Diagnostic Policy Service (DPS) "Configure Scenario Execution Level" machine setting should be configured correctly for Windows Shutdown Performance Diagnostics.The Diagnostic Policy Service (DPS) "Configure Scenario Execution Level" machine setting should be configured correctly for Windows 
Standby/Resume Performance Diagnostics.The Diagnostic Policy Service (DPS) "Configure Scenario Execution Level" machine setting should be configured correctly for Windows System Responsiveness Diagnostics.The Remote Desktop Connection Client "Configure server authentication for client" machine setting should be configured correctly.sAlways connect, even if authentication fails/Warn me if authentication fails/Do not connect if authentication failsLast modified: 2012-03-13Version: 5.20120314tDisable/Enable for domain accounts to domain servers/Enable for domain accounts/Enable for domain servers/Enable all/ t8~ ERp]jve Te Du_s '3?ikJUjU0`ll2w3O5M l& V;qN ASE Ww"e-n88/DOT_Z dWap{h $ j ~ rUVu #i[^P[)' ++6ANLY{dp/| hi} ui &RH<2 l6'G06;,ARUGL{SGY `s g4anKt} B<:X A_<6һ' <QZxz IccB f2ɀ p$L(4AlN4[gtTt<\$'|4@"LW2cny P  dMbP?_*+%,&ffffff?'ffffff?(?)?",B333333?333333?ke&<3U} B} D} D} 2D} G} #K}  B} $ Bp  , F      M( M) E E E E H JS C D DT DI L C D DT D I L C D DT DI L C D DT DI L C D DT DI L C D DT DI L C D DT D I L C D DT D I L C D DT D  I L C! D" DT D# I L C$ D% DT D& I L C' D( DT D)I L C* D+ DT D,I L C- D. DT D/I L C0 D1 DT D2I L C3 D4 DT D5I L C6 D7 DT D8I L C9 D: DT D;I L C< D= DT D>I L C? D@ DT DAI L CB DC DT DDI L CE DF DT DGI L CH DI DT DJI L CK DL DT DMI L CN DO DT DPI L CQ D DT DRI L CS D DT DTI L CU DV DT DWI L CX DY DT DZI LD lTPPPPPPPPPPPPPPPPPPPPPPPPPPPP !"#$%&'()*+,-./0123456789:;<=>? 