CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd:AdmPwdEnabled
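
The audit above can be scripted. The following PowerShell is an added example, not part of the benchmark text. It assumes the Enabled state of the policy is stored as a REG_DWORD of 1, and the function name and output fields are illustrative.

```powershell
# Added audit example: function name and result fields are hypothetical.
function Test-LapsPolicyEnabled {
    [CmdletBinding()]
    param(
        # Registry location and value name as given in the Audit section.
        [string]$SubKey    = 'SOFTWARE\Policies\Microsoft Services\AdmPwd',
        [string]$ValueName = 'AdmPwdEnabled'
    )
    $result = [ordered]@{
        Path      = "HKEY_LOCAL_MACHINE\$SubKey"
        ValueName = $ValueName
        Found     = $false
        Kind      = $null
        Data      = $null
        Compliant = $false
        Detail    = ''
    }
    # Open the 64-bit view explicitly so the result does not depend on
    # the bitness of the PowerShell host running the audit.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    $key = $null
    try {
        $key = $hklm.OpenSubKey($SubKey)   # read-only handle
        if ($null -eq $key) {
            $result.Detail = 'Policy key absent: default applies (Disabled, password NOT managed).'
        }
        elseif ($key.GetValueNames() -notcontains $ValueName) {
            $result.Detail = 'Policy key present but value not set: default applies (Disabled).'
        }
        else {
            $result.Found = $true
            $result.Kind  = $key.GetValueKind($ValueName)
            $result.Data  = $key.GetValue($ValueName)
            # Assumption: Enabled is written as REG_DWORD 1; anything else fails.
            $isDword = $result.Kind -eq [Microsoft.Win32.RegistryValueKind]::DWord
            $result.Compliant = $isDword -and ($result.Data -eq 1)
            $result.Detail = if ($result.Compliant) { 'Enabled as prescribed.' }
                             else { 'Value present but not DWORD 1: not compliant.' }
        }
    }
    finally {
        if ($null -ne $key) { $key.Dispose() }
        $hklm.Dispose()
    }
    [pscustomobject]$result
}

Test-LapsPolicyEnabled | Format-List
```

A compliant result only shows that the policy value is set. The conditions listed under Impact (the CSE from Rule 18.2.1, the domain schema and account permissions) still have to be verified separately.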

Remediation:

To establish the recommended configuration via GP, set the following UI path to Enabled:

Computer Configuration\Policies\Administrative Templates\LAPS\Enable Local Admin Password Management

Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS).

Impact:

The local administrator password is managed, provided that the LAPS AdmPwd GPO Extension / CSE is installed on the target computer (see Rule 18.2.1) and the Active Directory domain schema and account permissions have been properly configured on the domain. In a disaster recovery scenario where Active Directory is not available, the local Administrator password will not be retrievable and a local password reset using a tool (such as Microsoft's Disaster and Recovery Toolset (DaRT) Recovery Image) may be necessary.

Default Value:

Disabled. (Local Administrator password is NOT managed.)
