CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard:HVCIMATRequired
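
The registry check above can be scripted for fleet audits. The following PowerShell is an added example, not part of the CIS Benchmark; it assumes the TRUE (checked) state is stored as REG_DWORD 1, and the function name Test-HvciMatRequired and its status labels are hypothetical.

```powershell
# Added example: audits the policy-backed registry value named in the Audit section.
# Assumption: the "TRUE" (checked) state of the policy is stored as REG_DWORD 1.
function Test-HvciMatRequired {
    [CmdletBinding()]
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard',
        [string]$ValueName = 'HVCIMATRequired',
        [int]$Expected     = 1
    )

    # Start from "NotConfigured": a missing key or value means the policy was never
    # set, which is the default (Disabled) state and does not meet the recommendation.
    $result = [ordered]@{
        Computer = $env:COMPUTERNAME
        Key      = $KeyPath
        Value    = $ValueName
        Found    = $null
        Kind     = $null
        Status   = 'NotConfigured'
    }

    if (Test-Path -LiteralPath $KeyPath) {
        $key = Get-Item -LiteralPath $KeyPath
        # Registry value names are case-insensitive, as is -contains.
        if ($key.GetValueNames() -contains $ValueName) {
            $result.Found = $key.GetValue($ValueName)
            $result.Kind  = $key.GetValueKind($ValueName)

            # Require both the expected type and the expected data, so a string "1"
            # written by a non-GP tool is reported rather than silently accepted.
            $isDword = $result.Kind -eq [Microsoft.Win32.RegistryValueKind]::DWord
            if ($isDword -and $result.Found -eq $Expected) {
                $result.Status = 'Compliant'
            } else {
                $result.Status = 'NonCompliant'
            }
        }
    }

    [pscustomobject]$result
}

# Report the local machine's state; anything other than 'Compliant' fails the audit.
Test-HvciMatRequired | Format-List
```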

Remediation:

To establish the recommended configuration via GP, set the following UI path to TRUE:

Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Require UEFI Memory Attributes Table

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

Impact:

Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible.

Default Value:

Disabled.

CIS Controls:

Version 6

16.14 Encrypt/Hash All Authentication Files And Monitor Their Access

Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.

Version 7

5.1 Establish Secure Configurations

Maintain documented, standard security configuration standards for all authorized operating systems and software.
