CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

18.8.7.1.3 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked) (Scored)

ProfileApplicability:

 Level 1 (L1) + BitLocker (BL)

 Level 2 (L2) + BitLocker (BL)

 BitLocker (BL) - optional add-on for when BitLocker is deployed

Description:

This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. Note: In versions of Windows 10 Release 1803 (and newer), there is a new control named Enumeration policy for external devices incompatible with Kernel DMA Protection available that mitigates much of the risk for malicious devices that may perform Direct Memory Access (DMA) attacks. The newer control is also now part of the Windows 10 CIS benchmark, in section 18.8.26. However, if your environment still contains any Windows 10 Release 1709 (or older) workstations, then the newer control will not work, so this setting remains important to disable Thunderbolt devices on those systems. The recommended state for this setting is: True (checked) .

641 | P a g e