Accounts: Administrator accounts must not be enumerated during elevation
f3afb7e7-d38a-42f2-8290-56da3b445913
Accounts: Built-in Administrator account must be renamed
b1981ae3-ba91-4758-a98c-a5937a0498f7
Accounts: Built-in Guest account must be renamed
20dbd0a4-0373-4913-9f75-4ab7f6fcbdb0
Accounts: Local Admin accounts must have their privileged token filtered to prevent elevated privileges used over the network
e4710a99-9bc1-4e34-80ad-5d2f84f57732
Accounts: Local Administrator account should be disabled
822e9bf2-405a-42cb-9566-8532df68939f
Accounts: Local accounts with blank passwords must be restricted to prevent access from the network
3ef29cdc-8018-48a9-b210-13e18cf14d07
Accounts: User Account Control approval mode for the built-in Administrator must be enabled
b505fc16-70d3-4275-bcc5-02fac2fdb3af
Accounts: User Account Control must automatically deny standard user requests for elevation
2a28f305-e508-40e1-80e4-e7702143703b
Accounts: User Account Control must be configured to detect application installations and prompt for elevation
ed5ca948-5cbf-431d-a5da-39d02bd64c48
Accounts: User Account Control must run all administrators in Admin Approval Mode, enabling UAC
417239de-2859-45e4-9a8f-43c47f4daedb
Accounts: User Account Control must virtualize file and registry write failures to per-user locations
1e765ad0-c15c-4c75-963f-9dae7a389c84
Accounts: Users must be prompted to authenticate when the system wakes from sleep (on battery)
ef3c9259-d0d3-434a-8e7c-ab945deaa3f0
Accounts: Users must be prompted to authenticate when the system wakes from sleep (plugged in)
bf4a43bc-9605-4596-a562-5e4073fe21d5
Accounts: must be configured to enable Remote host allows delegation of non-exportable credentials
64e32afe-9577-4372-8f00-81829fd38ebf
Accounts: must disable automatically signing in the last interactive user after a system-initiated restart
30d230a9-ff8e-44a2-ac87-f35b77bff14a
Attack Surface: Disable LLMNR
3724e477-bdea-4a74-96b7-7ac79e157087
Auditing: Command line data must be included in process creation events
c787dcd2-355b-4ff5-8265-3eb860f11670
Auditing: Event Log size for Application log must be at least 32768 KB
b38cea25-93f2-42d7-ac5f-f2c1e93f974a
Auditing: Event Log size for Security log must be at least 196608 KB
f9befa07-2636-4c53-a43f-db2035b9cdff
Auditing: Event Log size for System log must be at least 32768 KB
4decda12-e17d-45d8-bb5e-53f26706acbf
Auditing: Must force audit policy subcategory settings to override audit policy category settings
9929dbd2-a4fb-40ea-9a2d-8a1db39a5729
Auditing: Policy subcategories should be enabled
2db4a73a-0e6d-4f25-80a0-49792a478308
Auditing: Removable Storage
af074caf-14a4-41f5-9ebd-e2214dc48240
Autoplay: Autoplay Must be turned off for non-volume devices
d2ac90ea-b1de-49bb-aa59-fe8b271c7c2b
Autoplay: should be disabled for all drives
2cb75d59-8ef3-4fa3-90e1-8bec9e51c703
Autorun: behavior must be configured to prevent Autorun commands
746184bf-3f96-4365-8bb4-c7abf8a772ac
Credentials: WDigest Authentication must be disabled
13cb0c87-4b9a-4923-9768-87bafab6ef87
Domain Member: Must be running Credential Guard on domain-joined members
52b8eaca-e97b-4b7b-bda8-2f67dd947dbc
Domain Member: Group policy objects must be reprocessed even if they have not changed
0652c1f1-ca23-46d0-a60f-7f62281b866e
Domain Member: Hardened UNC paths must require mutual authentication and integrity for at least \\*\SYSVOL and \\*\NETLOGON shares
7b2d6eab-fc7f-4759-8ad5-ff7e774c5b97
Domain Member: LDAP client signing requirements
5c9b1fb7-3d92-4d13-be5f-13d7894e50d0
Domain Member: local users on domain-joined member servers must not be enumerated
a115da09-58b1-40dd-85ca-6f6e4cac977d
File System: File Explorer shell protocol must run in protected mode
d7438fe1-eecf-411c-b855-1a03847ac2d7
File System: Windows must prevent Indexing of encrypted files
138956a4-8987-4f7f-b830-bf58e4ca7778
General: AntiVirus/Antimalware Status
6d48a68a-3e44-4a00-8d42-670e41c9942c
General: Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad
a9b5b413-0fc5-49c2-ab77-6761b329950c
General: Machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver
bf06c136-7223-41ac-8288-e0940126a884
General: Solicited Remote Assistance must not be allowed
ac242343-8a24-414b-8615-7de95dffd90d
General: Windows Defender SmartScreen must be enabled (Desktop)
4d189e65-af8b-463f-95d1-3880b7c459ec
General: Windows firewall status
1f229f09-4c15-4bfe-b9f7-ed63d03cd70e
Internet Browser: Attachments must be prevented from being downloaded from RSS feeds
5ba4fbad-193e-4b62-8326-4bd0705112bd
Internet Browser: Basic authentication for RSS feeds over HTTP must not be used
a140d78e-249b-4c39-9d82-f54aeef02be0
Internet Browser: Check digital signature of executables
f09f451c-2ec0-4a03-b578-637db9c8ffbf
Internet Browser: Software must be disallowed to run or install with invalid signatures
7732d84e-90be-4734-bae5-e3c6d3be7568
Logon: Network selection UI must not be displayed
3476077b-5d03-4819-9ef0-213402f37eed
Logon: Require CTRL+ALT+DEL for interactive logons
d2d523f6-4e7a-46e3-b553-ab395a7563e4
Microsoft Edge: Users must not be allowed to ignore SmartScreen filter warnings for unverified files
cc4e8e33-1af6-4c11-b010-2d102e48a767
Microsoft Office: Application Guard for Office should be enabled
b4297f3f-27aa-48bb-ae0c-a996d8db5b70
Network Access: Disable SMBv1
78c4c60a-a039-4a47-b614-3138d7bcfe4f
Network Access: Do not allow anonymous enumeration of SAM accounts and shares
752e0588-decf-451b-9fef-cc3235765d54
Network Access: LAN Manager authentication level must be configured to send NTLMv2 response only and refuse LM and NTLM
2718ea3f-5f25-4e6d-a693-3c426f14357f
Network Access: Must be configured to prevent anonymous users from having the same permissions as the Everyone group
35f2c214-8c49-47cf-b324-9f7620f8dd16
Network Access: Must prevent NTLM from falling back to a Null session
793452ad-d37f-461b-a270-cc4e0ea1c2a5
Network Access: Restrict remote calls to the Security Account Manager [SAM] to Administrators
6f17b478-ef66-4c12-8e61-0ffaae9cd6b4
Network Access: Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers
9cce3400-f772-4b0c-8f12-11157e102f87
Passwords: Minimum length
e352dda0-c735-4b4e-ba26-097f5dbab32c
Passwords: Storing LAN Manager hash
8fbc83d9-7409-41aa-bf3c-a2360a8d9749
PowerShell: v2 should not be installed / enabled
f69ae077-386f-4543-9036-30e5b3377f62
Privacy: Application Compatibility Program Inventory must not collect and send data to Microsoft
554ca683-aaaa-43da-9a97-e093af29457e
Remote Desktop Services: Idle session time limit
a06670b6-460f-45ae-93ef-02d41f52d45e
Remote Desktop Services: Must always prompt a client for passwords upon connection
8cbb9955-eb5c-4bcf-9352-3bbc31f7ed71
Remote Desktop Services: Must be configured with the client connection encryption set to High Level
0cf4a80a-705e-4831-9e1d-bc91c93e4625
Remote Desktop Services: Must not save passwords in the Remote Desktop Client
bfb98113-cc94-400b-a385-af36657755f6
Remote Desktop Services: Must require secure Remote Procedure Call (RPC) communications
20a8c861-e142-4e51-bf82-b0ef8bd1343c
Remote Management: Unauthenticated RPC clients must be restricted from connecting to the RPC server
56db7e62-0a85-4531-9e71-97528bd04e43
Remote Management: Windows Remote Management (WinRM) client must not allow unencrypted traffic
0ccb829b-b4e0-45eb-9ba8-82a643949d74
Remote Management: Windows Remote Management (WinRM) client must not use Basic authentication
e4dd3ff4-f585-4e08-b91e-8bb3e02737c5
Remote Management: Windows Remote Management (WinRM) client must not use Digest authentication
1a0eb6a5-9009-4dc3-b12f-bed65052c49d
Services: List services containing a space in service path not enclosed in quotes
ac341c51-3c29-4437-92a5-9b1e8506b2c8
TLS/SSL Insecure Ciphers (SCHANNEL)
78fcd8a8-18af-49f4-8a64-bccb901e5557
Tracking: Windows Telemetry must not be set to Full
0001b667-c79a-4486-802c-32d860cae99e
Windows Installer: Disable "Always install with elevated privileges" option
a6d113ff-fd83-4631-84b3-f58e266b4976
Windows Installer: Must prevent users from changing installation options
938832a1-8ded-48d6-99b6-2b783cd2d3ae
Windows Installer: Users must be notified if a web-based program attempts to install software
1a13721a-4304-4286-a89d-243a4f41f192
Windows OS: Build Version Check (End Of Life)
07b6c273-cdb3-4a4d-889d-d1d54dc0eb5f
Windows OS: Data Execution Prevention (DEP) must be configured to at least OptOut
df8e6841-1dd4-42ce-b374-28f997e12b6d
Windows OS: Secure Boot must be enabled
e8bb4b60-e081-427e-924e-e99a1aacf387