| WN10-00-000090 |
Medium |
Accounts must be configured to require password expiration |
PowerShell |
Remediation |
| WN10-AC-000005 |
Medium |
Account lockout duration must be configured to 15 minutes or greater |
PowerShell |
Remediation |
| WN10-AC-000020 |
Medium |
The password history must be configured to 24 passwords remembered |
PowerShell |
Remediation |
| WN10-AU-000050 |
Medium |
The system must be configured to audit Detailed Tracking - Process Creation successes |
PowerShell |
Remediation |
| WN10-AU-000082 |
Medium |
Windows 10 must be configured to audit Object Access - File Share successes |
PowerShell |
Remediation |
| WN10-AU-000500 |
Medium |
The Application event log size must be configured to 32768 KB or greater |
PowerShell |
Remediation |
| WN10-AU-000580 |
Medium |
Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Failures |
PowerShell |
Remediation |
| WN10-AU-000585 |
Medium |
Windows 10 must have command line process auditing events enabled for failures |
PowerShell |
Remediation |
| WN10-CC-000005 |
Medium |
Camera access from the lock screen must be disabled |
PowerShell |
Remediation |
| WN10-CC-000030 |
Medium |
ICMP redirects must not be allowed to override OSPF generated routes |
PowerShell |
Remediation |
| WN10-CC-000090 |
Medium |
Group Policy objects must be reprocessed even if they have not changed |
PowerShell |
Remediation |
| WN10-CC-000145 |
Medium |
Password must be required when a computer wakes from sleep (on battery) |
PowerShell |
Remediation |
| WN10-CC-000150 |
Medium |
The user must be prompted for a password on resume from sleep (plugged in) |
PowerShell |
Remediation |
| WN10-CC-000185 |
Medium |
Autorun commands must be turned off for all drives |
PowerShell |
Remediation |
| WN10-CC-000197 |
Medium |
Microsoft consumer experiences must be turned off |
PowerShell |
Remediation |
| WN10-CC-000205 |
Medium |
Windows Telemetry must not be configured to Full |
PowerShell |
Remediation |
| WN10-CC-000230 |
Medium |
Windows Defender SmartScreen warnings must not be ignored by users in Microsoft Edge |
PowerShell |
Remediation |
| WN10-CC-000310 |
Medium |
Users must be prevented from changing installation options |
PowerShell |
Remediation |
| WN10-CC-000327 |
Medium |
PowerShell transcription must be enabled |
PowerShell |
Remediation |
| WN10-CC-000355 |
Medium |
The Windows Remote Management (WinRM) service must not store RunAs credentials |
PowerShell |
Remediation |
| WN10-CC-000360 |
Medium |
The Windows Remote Management (WinRM) client must not use Digest authentication |
PowerShell |
Remediation |
| WN10-CC-000365 |
Medium |
Windows 10 must be configured to prevent Windows apps from being activated by voice while locked |
PowerShell |
Remediation |
| WN10-CC-000370 |
Medium |
Convenience PIN sign-in must be turned off |
PowerShell |
Remediation |
| WN10-SO-000005 |
Medium |
The built-in administrator account must be disabled |
PowerShell |
Remediation |
| WN10-SO-000080 |
Medium |
The Windows dialog box title for the legal banner must be configured |
PowerShell |
Remediation |
| WN10-SO-000100 |
Medium |
The Windows SMB client must be configured to always perform SMB packet signing |
PowerShell |
Remediation |
| WN10-SO-000120 |
Medium |
The Windows SMB server must be configured to always perform SMB packet signing |
PowerShell |
Remediation |
| WN10-SO-000205 |
Medium |
The LanMan authentication level must be set to send NTLMv2 response only, refuse LM and NTLM |
PowerShell |
Remediation |
| WN10-SO-000245 |
Medium |
User Account Control approval mode for the built-in Administrator must be enabled |
PowerShell |
Remediation |
| WN10-SO-000250 |
Medium |
User Account Control must, at minimum, prompt administrators for consent on the secure desktop |
PowerShell |
Remediation |
| WN10-SO-000255 |
Medium |
User Account Control must automatically deny elevation requests for standard users |
PowerShell |
Remediation |