CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd:PwdExpirationProtectionEnabled

Remediation:

To establish the recommended configuration via GP, set the following UI path to Enabled :

Computer Configuration\Policies\Administrative Templates\LAPS\Do not allow password expiration time longer than required by policy

Note: This Group Policy path does not exist by default. An additional Group Policy template ( AdmPwd.admx/adml ) isrequired - it is included with Microsoft Local Administrator Password Solution (LAPS).

Impact:

Planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed.

Default Value:

Disabled. (Password expiration time may be longer than required by the "Password Settings" policy.)

CIS Controls:

Version 6

16.2 All Accounts Have A Monitored Expiration Date Ensure that all accounts have an expiration date that is monitored and enforced.

Version 7

16.10 Ensure All Accounts Have An Expiration Date Ensure that all accounts have an expiration date that is monitored and enforced.

514 | P a g e