;The required legal notice must be configured to display before console logon.
;CCE-25355-9:
Computer
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
LegalNoticeText
SZ:You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

;Solicited Remote Assistance must not be allowed
;CCE-25590-1:
Computer
SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
fAllowToGetHelp
DWORD:0

;The system must be configured to prevent the storage of passwords and credentials
;CCE-23358-5:
Computer
System\CurrentControlSet\Control\Lsa
DisableDomainCreds
DWORD:1

;The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing
;CCE-23921-0:
Computer
System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy
Enabled
DWORD:1

;Remote Desktop Services must limit users to one remote session
;CCE-23328-8:
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services
fSingleSessionPerUser
DWORD:1

;Remote Desktop Services must always prompt a client for passwords upon connection
;CCE-25016-7:
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services
fPromptForPassword
DWORD:1

;Remote Desktop Services must be configured with the client connection encryption set to the required level
;CCE-24932-6:
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services
MinEncryptionLevel
DWORD:3

;Remote Desktop Services must be configured to use session-specific temporary folders
;CCE-24042-4:
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services
PerSessionTempDir
DWORD:1

;Remote Desktop Services must delete temporary folders when a session is terminated
;CCE-24304-8:
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services
DeleteTempDirsOnExit
DWORD:1

;Remote Desktop Services must be configured to set a time limit for disconnected sessions
;'Set time limit for disconnected sessions' is set to 'Enabled' and 'End a disconnected session' is set to '1 minute'
;CCE-24797-3:
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services
MaxDisconnectionTime
DWORD:60000

;Remote Desktop Services must be configured to disconnect an idle session after the specified time period
;'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled'; 'Idle session limit' is set to 15 minutes or less
;CCE-24325-3:
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services
MaxIdleTime
DWORD:900000

;The system must be configured to prevent unsolicited remote assistance offers
;CCE-23282-7:
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services
fAllowUnsolicited
DWORD:0

;The system must be configured to prevent automatic forwarding of error information
;CCE-25194-2:
Computer
Software\Policies\Microsoft\PCHealth\ErrorReporting
DoReport
DWORD:0

;Windows Media Player must be configured to prevent automatic checking for updates
;CCE-24250-3:
Computer
SOFTWARE\Policies\Microsoft\WindowsMediaPlayer
DisableAutoUpdate
DWORD:1

;The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes
;CCE-24977-1:
Computer
System\CurrentControlSet\Services\Tcpip\Parameters
EnableICMPRedirect
DWORD:0

;The system must be configured to disable the Internet Router Discovery Protocol (IRDP)
;CCE-23677-8:
Computer
System\CurrentControlSet\Services\Tcpip\Parameters
PerformRouterDiscovery
DWORD:0

;The system must be configured to limit how often keep-alive packets are sent
;'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to '300000 or 5 minutes (recommended)' or less
;CCE-24310-5:
Computer
System\CurrentControlSet\Services\Tcpip\Parameters
KeepAliveTime
DWORD:300000

;The system must be configured to ignore NetBIOS name release requests except from WINS servers
;CCE-23715-6:
Computer
System\CurrentControlSet\Services\Netbt\Parameters
NoNameReleaseOnDemand
DWORD:1

;The system must limit how many times unacknowledged TCP data is retransmitted
;'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is the default)' is set to 3 or less
;CCE-25455-7:
Computer
System\CurrentControlSet\Services\Tcpip\Parameters
TcpMaxDataRetransmissions
DWORD:3

;The Remote Desktop Session Host must require secure RPC communications
;CCE-24788-2:
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services
fEncryptRPCTraffic
DWORD:1

;Group Policy objects must be reprocessed even if they have not changed
;CCE-24992-0_1:
Computer
Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
NoBackgroundPolicy
DWORD:0
;CCE-24992-0_2:
Computer
Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
NoGPOListChanges
DWORD:0

;IPSec Exemptions must be limited
;'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic' is set to 'Only ISAKMP is exempt (recommended for Windows Server 2003)'
;CCE-24253-7:
Computer
System\CurrentControlSet\Services\IPSEC
NoDefaultExempt
DWORD:3

;The system must require username and password to elevate a running application
;CCE-24805-4:
Computer
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI
EnumerateAdministrators
DWORD:0

;Passwords must not be saved in the Remote Desktop Client
;CCE-23787-5:
Computer
SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
DisablePasswordSaving
DWORD:1

;Local drives must be prevented from sharing with Remote Desktop Session Hosts. (Remote Desktop Services Role)
;CCE-24648-8:
Computer
SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
fDisableCdm
DWORD:1

;Unauthenticated RPC clients must be restricted from connecting to the RPC server
;CCE-24152-1:
Computer
SOFTWARE\Policies\Microsoft\Windows NT\Rpc
RestrictRemoteClients
DWORD:1

;Client computers must be required to authenticate for RPC communication
;CCE-25397-1:
Computer
SOFTWARE\Policies\Microsoft\Windows NT\Rpc
EnableAuthEpResolution
DWORD:1

;Printing over HTTP must be prevented
;CCE-24832-8:
Computer
SOFTWARE\Policies\Microsoft\Windows NT\Printers
DisableHTTPPrinting
DWORD:1

;Downloading print driver packages over HTTP must be prevented
;CCE-24854-2:
Computer
SOFTWARE\Policies\Microsoft\Windows NT\Printers
DisableWebPnPDownload
DWORD:1

;Windows must be prevented from using Windows Update to search for drivers
;CCE-24071-3:
Computer
SOFTWARE\Policies\Microsoft\Windows\DriverSearching
DontSearchWindowsUpdate
DWORD:1

;Windows Peer-to-Peer networking services must be turned off
;CCE-24398-0:
Computer
SOFTWARE\Policies\Microsoft\Peernet
Disabled
DWORD:1

;Network Bridges must be prohibited in Windows
;CCE-25587-7:
Computer
SOFTWARE\Policies\Microsoft\Windows\Network Connections
NC_AllowNetBridge_NLA
DWORD:0

;Root Certificates must not be updated automatically from the Microsoft site
;CCE-25028-2:
Computer
SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot
DisableRootAutoUpdate
DWORD:1

;Event Viewer Events.asp links must be turned off
;CCE-24235-4:
Computer
SOFTWARE\Policies\Microsoft\EventViewer
MicrosoftEventVwrDisableLinks
DWORD:1

;The Internet File Association service must be turned off
;CCE-24899-7:
Computer
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoInternetOpenWith
DWORD:1

;The classic logon screen must be required for user logons
;CCE-23460-9:
Computer
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
LogonType
DWORD:0

;File Explorer shell protocol must run in protected mode
;CCE-23923-6:
Computer
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
PreXPSP2ShellProtocolBehavior
DWORD:0

;Users must be notified if a web-based program attempts to install software
;CCE-23886-5:
Computer
SOFTWARE\Policies\Microsoft\Windows\Installer
SafeForScripting
DWORD:0

;Users must be prevented from changing installation options
;CCE-23712-3:
Computer
SOFTWARE\Policies\Microsoft\Windows\Installer
EnableUserControl
DWORD:0

;Nonadministrators must be prevented from applying vendor-signed updates
;CCE-23601-8:
Computer
SOFTWARE\Policies\Microsoft\Windows\Installer
DisableLUAPatching
DWORD:1

;Users must not be presented with Privacy and Installation options on first use of Windows Media Player
;CCE-25014-2:
Computer
Software\Policies\Microsoft\WindowsMediaPlayer
GroupPrivacyAcceptance
DWORD:1

;The Mapper I/O network protocol (LLTDIO) driver must be disabled
;CCE-25156-1_1:
Computer
Software\Policies\Microsoft\Windows\LLTD
AllowLLTDIOOnDomain
DWORD:0
;CCE-25156-1_2:
Computer
Software\Policies\Microsoft\Windows\LLTD
AllowLLTDIOOnPublicNet
DWORD:0
;CCE-25156-1_3:
Computer
Software\Policies\Microsoft\Windows\LLTD
EnableLLTDIO
DWORD:0
;CCE-25156-1_4:
Computer
Software\Policies\Microsoft\Windows\LLTD
ProhibitLLTDIOOnPrivateNet
DWORD:0

;The Responder network protocol driver must be disabled
;CCE-23931-9_1:
Computer
Software\Policies\Microsoft\Windows\LLTD
AllowRspndrOnDomain
DWORD:0
;CCE-23931-9_2:
Computer
Software\Policies\Microsoft\Windows\LLTD
AllowRspndrOnPublicNet
DWORD:0
;CCE-23931-9_3:
Computer
Software\Policies\Microsoft\Windows\LLTD
EnableRspndr
DWORD:0
;CCE-23931-9_4:
Computer
Software\Policies\Microsoft\Windows\LLTD
ProhibitRspndrOnPrivateNet
DWORD:0

;The configuration of wireless devices using Windows Connect Now must be disabled
;CCE-23804-8_1:
Computer
Software\Policies\Microsoft\Windows\WCN\Registrars
DisableInBand802DOT11Registrar
DWORD:0
;CCE-23804-8_2:
Computer
Software\Policies\Microsoft\Windows\WCN\Registrars
DisableFlashConfigRegistrar
DWORD:0
;CCE-23804-8_3:
Computer
Software\Policies\Microsoft\Windows\WCN\Registrars
DisableUPnPRegistrar
DWORD:0
;CCE-23804-8_4:
Computer
Software\Policies\Microsoft\Windows\WCN\Registrars
DisableWPDRegistrar
DWORD:0
;CCE-23804-8_5:
Computer
Software\Policies\Microsoft\Windows\WCN\Registrars
EnableRegistrars
DWORD:0

;The Windows Connect Now wizards must be disabled
;CCE-24665-2:
Computer
Software\Policies\Microsoft\Windows\WCN\UI
DisableWcnUi
DWORD:1

;Remote access to the Plug and Play interface must be disabled for device installation
;CCE-24004-4:
Computer
Software\Policies\Microsoft\Windows\DeviceInstall\Settings
AllowRemoteRPC
DWORD:0

;A system restore point must be created when a new device driver is installed
;CCE-23669-5:
Computer
Software\Policies\Microsoft\Windows\DeviceInstall\Settings
DisableSystemRestore
DWORD:0

;An Error Report must not be sent when a generic device driver is installed
;CCE-23275-1:
Computer
Software\Policies\Microsoft\Windows\DeviceInstall\Settings
DisableSendGenericDriverNotFoundToWER
DWORD:1

;Users must not be prompted to search Windows Update for device drivers
;CCE-24804-7:
Computer
Software\Policies\Microsoft\Windows\DriverSearching
DontPromptForWindowsUpdate
DWORD:1

;Errors in handwriting recognition on tablet PCs must not be reported to Microsoft
;CCE-25580-2:
Computer
Software\Policies\Microsoft\Windows\HandwritingErrorReports
PreventHandwritingErrorReports
DWORD:1

;Users must be prompted to authenticate on resume from sleep (on battery)
;CCE-23998-8:
Computer
Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
DCSettingIndex
DWORD:1

;The user must be prompted to authenticate on resume from sleep (plugged in)
;CCE-23698-4:
Computer
Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
ACSettingIndex
DWORD:1

;Remote Assistance log files must be generated
;CCE-24603-3:
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services
LoggingEnabled
DWORD:1

;Error Reporting events must be logged in the system event log
;CCE-23937-6:
Computer
Software\Policies\Microsoft\Windows\Windows Error Reporting
LoggingDisabled
DWORD:0

;The system must be configured to allow a local or DOD-wide collector to request additional error reporting diagnostic data to be sent.
;SV-53136r2_rule:
Computer
Software\Policies\Microsoft\Windows\Windows Error Reporting
DontSendAdditionalData
DWORD:0

;Turning off File Explorer heap termination on corruption must be disabled
;CCE-23913-7:
Computer
Software\Policies\Microsoft\Windows\Explorer
NoHeapTerminationOnCorruption
DWORD:0

;Users must be notified if the logon server was inaccessible and cached credentials were used
;CCE-23555-6:
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\System
ReportControllerMissing
DWORD:1

;Windows Media Digital Rights Management (DRM) must be prevented from accessing the Internet
;CCE-24380-8:
Computer
Software\Policies\Microsoft\WMDRM
DisableOnline
DWORD:1

;Users must be prevented from mapping local COM ports and redirecting data from the Remote Desktop Session Host to local COM ports. (Remote Desktop Services Role)
;CCE-24625-6:
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services
fDisableCcm
DWORD:1

;Users must be prevented from mapping local LPT ports and redirecting data from the Remote Desktop Session Host to local LPT ports. (Remote Desktop Services Role)
;CCE-24381-6:
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services
fDisableLPT
DWORD:1

;Users must be prevented from redirecting Plug and Play devices to the Remote Desktop Session Host. (Remote Desktop Services Role)
;CCE-24708-0:
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services
fDisablePNPRedir
DWORD:1

;The system must be configured to ensure smart card devices can be redirected to the Remote Desktop session. (Remote Desktop Services Role)
;CCE-24260-2:
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services
fEnableSmartCard
DWORD:1

;The system must be configured to remove the Disconnect option from the Shut Down dialog box on the Remote Desktop Client. (Remote Desktop Services Role)
;CCE-24427-7:
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDisconnect
DWORD:1

;The Windows Customer Experience Improvement Program must be disabled
;CCE-24082-0:
Computer
Software\Policies\Microsoft\SQMClient\Windows
CEIPEnable
DWORD:0

;The service principal name (SPN) target name validation level must be turned off
;CCE-24502-7:
Computer
System\CurrentControlSet\Services\LanManServer\Parameters
SMBServerNameHardeningLevel
DWORD:0

;PKU2U authentication using online identities must be prevented
;CCE-25299-9:
Computer
System\CurrentControlSet\Control\Lsa\pku2u
AllowOnlineID
DWORD:0

;IPv6 TCP data retransmissions must be configured to prevent resources from becoming exhausted
;'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is the default)' is set to '3' or less
;CCE-25202-3:
Computer
System\CurrentControlSet\Services\Tcpip6\Parameters
TcpMaxDataRetransmissions
DWORD:3

;Domain users must be required to elevate when setting a networks location
;CCE-23388-2:
Computer
Software\Policies\Microsoft\Windows\Network Connections
NC_StdDomainUserSetLocation
DWORD:1

;All Direct Access traffic must be routed through the internal network
;CCE-25221-3:
Computer
Software\Policies\Microsoft\Windows\TCPIP\v6Transition
Force_Tunneling
SZ:Enabled

;Windows Update must be prevented from searching for point and print drivers
;CCE-24139-8:
Computer
Software\Policies\Microsoft\Windows NT\Printers
DoNotInstallCompatibleDriverFromWindowsUpdate
DWORD:1

;Device metadata retrieval from the Internet must be prevented
;CCE-24165-3:
Computer
Software\Policies\Microsoft\Windows\Device Metadata
PreventDeviceMetadataFromNetwork
DWORD:1

;Device driver searches using Windows Update must be prevented
;CCE-24777-5:
Computer
Software\Policies\Microsoft\Windows\DriverSearching
SearchOrderConfig
DWORD:0

;Microsoft Support Diagnostic Tool (MSDT) interactive communication with Microsoft must be prevented
;CCE-23633-1:
Computer
Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy
DisableQueryRemoteServer
DWORD:0

;Access to Windows Online Troubleshooting Service (WOTS) must be prevented
;CCE-24776-7:
Computer
Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy
EnableQueryRemoteServer
DWORD:0

;Responsiveness events must be prevented from being aggregated and sent to Microsoft
;CCE-25080-3:
Computer
Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}
ScenarioExecutionEnabled
DWORD:0

;The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft
;CCE-25331-0:
Computer
Software\Policies\Microsoft\Windows\AppCompat
DisableInventory
DWORD:1

;Autoplay must be turned off for non-volume devices
;CCE-24715-5:
Computer
Software\Policies\Microsoft\Windows\Explorer
NoAutoplayfornonVolume
DWORD:1

;Explorer Data Execution Prevention must be enabled
;CCE-25147-0:
Computer
Software\Policies\Microsoft\Windows\Explorer
NoDataExecutionPrevention
DWORD:0

;The default autorun behavior must be configured to prevent autorun commands
;CCE-25487-0:
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoAutorun
DWORD:1

;The Windows dialog box title for the legal banner must be configured
;CCE-24020-0:
Computer
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
LegalNoticeCaption
SZ:DoD Notice and Consent Banner

;The 6to4 IPv6 transition technology must be disabled
;CCE-24732-0:
Computer
Software\Policies\Microsoft\Windows\TCPIP\v6Transition
6to4_State
SZ:Disabled

;The IP-HTTPS IPv6 transition technology must be disabled
;CCE-25651-1_1:
Computer
Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface
IPHTTPS_ClientUrl
SZ:about:blank
;CCE-25651-1_2:
Computer
Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface
IPHTTPS_ClientState
DWORD:3

;The ISATAP IPv6 transition technology must be disabled
;CCE-25249-4:
Computer
Software\Policies\Microsoft\Windows\TCPIP\v6Transition
ISATAP_State
SZ:Disabled

;The Teredo IPv6 transition technology must be disabled
;CCE-25571-1:
Computer
Software\Policies\Microsoft\Windows\TCPIP\v6Transition
Teredo_State
SZ:Disabled

;The Setup event log must be configured to a minimum size requirement
;'Specify the maximum log size (KB)' is set at a minimum to 'Enabled:32768'
;CCE-23743-8:
Computer
Software\Policies\Microsoft\Windows\EventLog\Setup
MaxSize
DWORD:32768

;Windows must be prevented from sending an error report when a device driver requests additional software during installation
;CCE-24685-0:
Computer
Software\Policies\Microsoft\Windows\DeviceInstall\Settings
DisableSendRequestAdditionalSoftwareToWER
DWORD:1

;IP stateless autoconfiguration limits state must be enabled
;CCE-24070-5:
Computer
System\CurrentControlSet\Services\Tcpip\Parameters
EnableIPAutoConfigurationLimits
DWORD:1

;Optional component installation and component repair must be prevented from using Windows Update
;CCE-23727-1:
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\Servicing
UseWindowsUpdate
DWORD:2

;Device driver updates must only search managed servers, not Windows Update
;CCE-25002-7:
Computer
Software\Policies\Microsoft\Windows\DriverSearching
DriverServerSelection
DWORD:1

;Early Launch Antimalware, Boot-Start Driver Initialization Policy must be enabled and configured to only Good and Unknown
;CCE-25320-3:
Computer
System\CurrentControlSet\Policies\EarlyLaunch
DriverLoadPolicy
DWORD:1

;Access to the Windows Store must be turned off
;CCE-24981-3:
Computer
Software\Policies\Microsoft\Windows\Explorer
NoUseStoreOpenWith
DWORD:1

;Copying of user input methods to the system account for sign-in must be prevented
;CCE-24401-2:
Computer
Software\Policies\Microsoft\Control Panel\International
BlockUserInputMethodsForSignIn
DWORD:1

;Local users on domain-joined computers must not be enumerated
;CCE-23305-6:
Computer
Software\Policies\Microsoft\Windows\System
EnumerateLocalUsers
DWORD:0

;App notifications on the lock screen must be turned off
;CCE-24092-9:
Computer
Software\Policies\Microsoft\Windows\System
DisableLockScreenAppNotifications
DWORD:1

;The display must turn off after 20 minutes of inactivity when the system is running on battery
;CCE-24879-9:
Computer
Software\Policies\Microsoft\Power\PowerSettings\3C0BC021-C8A8-4E07-A973-6B14CBCB2B7E
DCSettingIndex
DWORD:1200

;The display must turn off after 20 minutes of inactivity when the system is plugged in
;CCE-23492-2:
Computer
Software\Policies\Microsoft\Power\PowerSettings\3C0BC021-C8A8-4E07-A973-6B14CBCB2B7E
ACSettingIndex
DWORD:1200

;The detection of compatibility issues for applications and drivers must be turned off
;CCE-24560-5:
Computer
Software\Policies\Microsoft\Windows\AppCompat
DisablePcaUI
DWORD:0

;Trusted app installation must be enabled to allow for signed enterprise line of business apps
;CCE-23960-8:
Computer
Software\Policies\Microsoft\Windows\Appx
AllowAllTrustedApps
DWORD:1

;The use of biometrics must be disabled.
;CCE-24801-3:
Computer
Software\Policies\Microsoft\Biometrics
Enabled
DWORD:0

;The password reveal button must not be displayed
;CCE-23228-0:
Computer
Software\Policies\Microsoft\Windows\CredUI
DisablePasswordReveal
DWORD:1

;The Windows SmartScreen must be turned off
;CCE-23531-7:
Computer
Software\Policies\Microsoft\Windows\System
EnableSmartScreen
DWORD:0

;The location feature must be turned off
;CCE-25343-5:
Computer
Software\Policies\Microsoft\Windows\LocationAndSensors
DisableLocation
DWORD:1

;Basic authentication for RSS feeds over HTTP must be turned off
;CCE-23213-2:
Computer
Software\Policies\Microsoft\Internet Explorer\Feeds
AllowBasicAuthInClear
DWORD:0

;The Windows Remote Management (WinRM) client must not use Basic authentication
;CCE-24431-9:
Computer
Software\Policies\Microsoft\Windows\WinRM\Client
AllowBasic
DWORD:0

;The Windows Remote Management (WinRM) client must not allow unencrypted traffic
;CCE-23728-9:
Computer
Software\Policies\Microsoft\Windows\WinRM\Client
AllowUnencryptedTraffic
DWORD:0

;The Windows Remote Management (WinRM) client must not use Digest authentication
;CCE-25263-5:
Computer
Software\Policies\Microsoft\Windows\WinRM\Client
AllowDigest
DWORD:0

;The Windows Remote Management (WinRM) service must not use Basic authentication
;CCE-23637-2:
Computer
Software\Policies\Microsoft\Windows\WinRM\Service
AllowBasic
DWORD:0

;The Windows Remote Management (WinRM) service must not allow unencrypted traffic
;CCE-25102-5:
Computer
Software\Policies\Microsoft\Windows\WinRM\Service
AllowUnencryptedTraffic
DWORD:0

;The Windows Remote Management (WinRM) service must not store RunAs credentials
;CCE-23262-9:
Computer
Software\Policies\Microsoft\Windows\WinRM\Service
DisableRunAs
DWORD:1

;Windows must be configured to block application execution if certificate server status is unavailable
;Windows must be configured to check the time stamp servers certificate for revocation
;Windows must be configured to invalidate PKCS #7 version 1 signed objects
;SV-7448r2_rule
;SV-7449r3_rule
;SV-41412r1_rule
USER
Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
State
DWORD:65536

;Users must be required to enter a password to access private keys stored on the computer
;SV-72049r2_rule
Computer
Software\Policies\Microsoft\Cryptography
ForceKeyProtection
DWORD:2

;The system must be configured to generate error reports
;SV-71721r1_rule
Computer
Software\Policies\Microsoft\Windows\Windows Error Reporting
Disabled
DWORD:0

;The system must be configured to collect multiple error reports of the same event type
;SV-71847r1_rule
Computer
Software\Policies\Microsoft\Windows\Windows Error Reporting
BypassDataThrottling
DWORD:1

;The system must be configured to queue error reports until a local or DOD-wide collector is available
;SV-71921r1_rule
Computer
Software\Policies\Microsoft\Windows\Windows Error Reporting
DisableQueue
DWORD:0

;The system must be configured to add all error reports to the queue
;SV-71931r1_rule
Computer
Software\Policies\Microsoft\Windows\Windows Error Reporting
ForceQueue
DWORD:1

;The system must be configured to attempt to forward queued error reports once a day
;SV-71951r1_rule
Computer
Software\Policies\Microsoft\Windows\Windows Error Reporting
QueuePesterInterval
DWORD:1

;The maximum number of error reports to queue on a system must be configured to 50 or greater
;SV-71941r1_rule
Computer
Software\Policies\Microsoft\Windows\Windows Error Reporting
MaxQueueCount
DWORD:50

;The system must be configured to archive error reports
;SV-71889r1_rule
Computer
Software\Policies\Microsoft\Windows\Windows Error Reporting
DisableArchive
DWORD:0

;The system must be configured to store all data in the error report archive
;SV-71951r1_rule
Computer
Software\Policies\Microsoft\Windows\Windows Error Reporting
ConfigureArchive
DWORD:2

;The maximum number of error reports to archive on a system must be configured to 100 or greater
;SV-71951r1_rule
Computer
Software\Policies\Microsoft\Windows\Windows Error Reporting
MaxArchiveCount
DWORD:100

;The system must be configured to prevent the display of error messages to the user
;SV-71851r1_rule
Computer
Software\Policies\Microsoft\Windows\Windows Error Reporting
DontShowUI
DWORD:1

;The system must be configured to permit the default consent levels of Windows Error Reporting to override any other consent policy setting
;SV-71971r1_rule
Computer
Software\Policies\Microsoft\Windows\Windows Error Reporting\Consent
DefaultOverrideBehavior
DWORD:1

;The system must be configured to automatically consent to send all data requested by a local or DOD-wide error collection site
;SV-71961r1_rule
Computer
Software\Policies\Microsoft\Windows\Windows Error Reporting\Consent
DefaultConsent
DWORD:4

;Autoplay must be disabled for all drives
;SV-52879r2_rule
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun
DWORD:255

;The Application event log must be configured to a minimum size requirement
;'Specify the maximum log size (KB)' is set at a minimum to 'Enabled:32768'
;Win8.1
;CCE-22632-4:
Computer
Software\Policies\Microsoft\Windows\EventLog\Application
MaxSize
DWORD:32768

;The Security event log must be configured to a minimum size requirement
;'Specify the maximum log size (KB)' is set at a minimum to 'Enabled:81920'
;Win8.1
;CCE-22581-3:
Computer
Software\Policies\Microsoft\Windows\EventLog\Security
MaxSize
DWORD:81920

;The System event log must be configured to a minimum size requirement
;'Specify the maximum log size (KB)' is set at a minimum to 'Enabled:32768'
;Win8.1
;CCE-22528-4:
Computer
Software\Policies\Microsoft\Windows\EventLog\System
MaxSize
DWORD:32768

;The Windows Installer Always install with elevated privileges option must be disabled
;SV-52954r1_rule
Computer
Software\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated
DWORD:0
