| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-220702 | CAT I | MONT-WS-92040 | Microsoft Windows 10 Security Technical ... | Windows 10 information systems must use BitLocker ... | - | |||
Check Text: Verify all Windows 10 information systems (including SIPRNet) employ BitLocker for full disk encryption. For virtual desktop implementations (VDIs) in which the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For Azure Virtual Desktop (AVD) implementations with no data at rest, this is NA. If full disk encryption using BitLocker is not implemented, this is a finding. Verify BitLocker is turned on for the operating system drive and any fixed data drives. Open "BitLocker Drive Encryption" from the Control Panel. If the operating system drive or any fixed data drives have "Turn on BitLocker", this is a finding. NOTE: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN10-00-000031 and WN10-00-000032).
Fix Text: Enable full disk encryption on all information systems (including SIPRNet) using BitLocker. BitLocker, included in Windows, can be enabled in the Control Panel under "BitLocker Drive Encryption" as well as other management tools. NOTE: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN10-00-000031 and WN10-00-000032).
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025
ResultHash: 374DA62AC80E33993305E73BF38A7CE33E45FF4B
~~~~~
All disk(s) encrypted with BitLocker.
Mount Point: C:
Encryption Method: XtsAes128
Volume Type: OperatingSystem
Volume Status: FullyEncrypted
Protection Status: On
Lock Status: Unlocked
Encryption %: 100
Key Protector: Tpm, RecoveryPassword
Source: _Reviewed/MONT-WS-92040/Checklist/MONT-WS-92040_Win10_V3R4_20251023-142421.ckl
Scan Date: 2026-01-14T12:57:26.690022
Technology Area: Windows Operating System
|
||||||||
| V-220702 | CAT I | MONT-WS-92010 | Microsoft Windows 10 Security Technical ... | Windows 10 information systems must use BitLocker ... | - | |||
Check Text: Verify all Windows 10 information systems (including SIPRNet) employ BitLocker for full disk encryption. For virtual desktop implementations (VDIs) in which the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For Azure Virtual Desktop (AVD) implementations with no data at rest, this is NA. If full disk encryption using BitLocker is not implemented, this is a finding. Verify BitLocker is turned on for the operating system drive and any fixed data drives. Open "BitLocker Drive Encryption" from the Control Panel. If the operating system drive or any fixed data drives have "Turn on BitLocker", this is a finding. NOTE: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN10-00-000031 and WN10-00-000032).
Fix Text: Enable full disk encryption on all information systems (including SIPRNet) using BitLocker. BitLocker, included in Windows, can be enabled in the Control Panel under "BitLocker Drive Encryption" as well as other management tools. NOTE: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN10-00-000031 and WN10-00-000032).
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025
ResultHash: 374DA62AC80E33993305E73BF38A7CE33E45FF4B
~~~~~
All disk(s) encrypted with BitLocker.
Mount Point: C:
Encryption Method: XtsAes128
Volume Type: OperatingSystem
Volume Status: FullyEncrypted
Protection Status: On
Lock Status: Unlocked
Encryption %: 100
Key Protector: Tpm, RecoveryPassword
Source: _Reviewed/MONT-WS-92010/Checklist/MONT-WS-92010_Win10_V3R4_20251023-141133.ckl
Scan Date: 2026-01-14T12:57:28.689048
Technology Area: Windows Operating System
|
||||||||
| V-220702 | CAT I | MONT-SW-89108 | Microsoft Windows 10 Security Technical ... | Windows 10 information systems must use BitLocker ... | - | |||
Check Text: Verify all Windows 10 information systems (including SIPRNet) employ BitLocker for full disk encryption. For virtual desktop implementations (VDIs) in which the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For Azure Virtual Desktop (AVD) implementations with no data at rest, this is NA. If full disk encryption using BitLocker is not implemented, this is a finding. Verify BitLocker is turned on for the operating system drive and any fixed data drives. Open "BitLocker Drive Encryption" from the Control Panel. If the operating system drive or any fixed data drives have "Turn on BitLocker", this is a finding. NOTE: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN10-00-000031 and WN10-00-000032).
Fix Text: Enable full disk encryption on all information systems (including SIPRNet) using BitLocker. BitLocker, included in Windows, can be enabled in the Control Panel under "BitLocker Drive Encryption" as well as other management tools. NOTE: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN10-00-000031 and WN10-00-000032).
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025
ResultHash: CD1B9B58B26C7C0564EB502A00E7A6FB74E3E282
~~~~~
All disk(s) encrypted with BitLocker.
Mount Point: C:
Encryption Method: XtsAes128
Volume Type: OperatingSystem
Volume Status: FullyEncrypted
Protection Status: Off
Lock Status: Unlocked
Encryption %: 100
Key Protector: RecoveryPassword, Tpm
Source: MONT-SW-89108_Win10_V3R5_20251217-203019.ckl
Scan Date: 2026-03-04T15:25:16.342077
Technology Area: Windows Operating System
|
||||||||
| V-220702 | CAT I | MONT-SW-89134 | Microsoft Windows 10 Security Technical ... | Windows 10 information systems must use BitLocker ... | - | |||
Check Text: Verify all Windows 10 information systems (including SIPRNet) employ BitLocker for full disk encryption. For virtual desktop implementations (VDIs) in which the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For Azure Virtual Desktop (AVD) implementations with no data at rest, this is NA. If full disk encryption using BitLocker is not implemented, this is a finding. Verify BitLocker is turned on for the operating system drive and any fixed data drives. Open "BitLocker Drive Encryption" from the Control Panel. If the operating system drive or any fixed data drives have "Turn on BitLocker", this is a finding. NOTE: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN10-00-000031 and WN10-00-000032).
Fix Text: Enable full disk encryption on all information systems (including SIPRNet) using BitLocker. BitLocker, included in Windows, can be enabled in the Control Panel under "BitLocker Drive Encryption" as well as other management tools. NOTE: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN10-00-000031 and WN10-00-000032).
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025
ResultHash: CD1B9B58B26C7C0564EB502A00E7A6FB74E3E282
~~~~~
All disk(s) encrypted with BitLocker.
Mount Point: C:
Encryption Method: XtsAes128
Volume Type: OperatingSystem
Volume Status: FullyEncrypted
Protection Status: Off
Lock Status: Unlocked
Encryption %: 100
Key Protector: RecoveryPassword, Tpm
Source: MONT-SW-89134_Win10_V3R5_20251217-201218.ckl
Scan Date: 2026-03-04T15:25:42.339596
Technology Area: Windows Operating System
|
||||||||
| V-220703 | CAT I | MONT-WS-92040 | Microsoft Windows 10 Security Technical ... | Windows 10 systems must use a BitLocker PIN for pr... | - | |||
Check Text: If the following registry value does not exist or is not configured as specified, this is a finding. For virtual desktop implementations (VDIs) in which the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For Azure Virtual Desktop (AVD) implementations with no data at rest, this is NA. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ Value Name: UseAdvancedStartup Type: REG_DWORD Value: 0x00000001 (1) If one of the following registry values does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ Value Name: UseTPMPIN Type: REG_DWORD Value: 0x00000001 (1) Value Name: UseTPMKeyPIN Type: REG_DWORD Value: 0x00000001 (1) When BitLocker network unlock is used: Value Name: UseTPMPIN Type: REG_DWORD Value: 0x00000002 (2) Value Name: UseTPMKeyPIN Type: REG_DWORD Value: 0x00000002 (2) BitLocker network unlock may be used in conjunction with a BitLocker PIN. Refer to the article at the link below for information about network unlock. https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock
Fix Text: Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives "Require additional authentication at startup" to "Enabled" with "Configure TPM Startup PIN:" set to "Require startup PIN with TPM" or with "Configure TPM startup key and PIN:" set to "Require startup key and PIN with TPM".
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025
ResultHash: A0DEB1E83D788131EFCA0954E181AD87591B969A
~~~~~
BitLocker Network Unlock is not in use.
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
Value Name: UseAdvancedStartup
Value: 0x00000001 (1)
Value: REG_DWORD
TPM Startup PIN Configuration:
---------------------------
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
Value Name: UseTPMPIN
Value: 0x00000002 (2) [Expected '1']
Value: REG_DWORD
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
Value Name: UseTPMKeyPIN
Value: 0x00000002 (2) [Expected '1']
Value: REG_DWORD
Source: _Reviewed/MONT-WS-92040/Checklist/MONT-WS-92040_Win10_V3R4_20251023-142421.ckl
Scan Date: 2026-01-14T12:57:26.690022
Technology Area: Windows Operating System
|
||||||||
| V-220703 | CAT I | MONT-WS-92010 | Microsoft Windows 10 Security Technical ... | Windows 10 systems must use a BitLocker PIN for pr... | - | |||
Check Text: If the following registry value does not exist or is not configured as specified, this is a finding. For virtual desktop implementations (VDIs) in which the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For Azure Virtual Desktop (AVD) implementations with no data at rest, this is NA. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ Value Name: UseAdvancedStartup Type: REG_DWORD Value: 0x00000001 (1) If one of the following registry values does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ Value Name: UseTPMPIN Type: REG_DWORD Value: 0x00000001 (1) Value Name: UseTPMKeyPIN Type: REG_DWORD Value: 0x00000001 (1) When BitLocker network unlock is used: Value Name: UseTPMPIN Type: REG_DWORD Value: 0x00000002 (2) Value Name: UseTPMKeyPIN Type: REG_DWORD Value: 0x00000002 (2) BitLocker network unlock may be used in conjunction with a BitLocker PIN. Refer to the article at the link below for information about network unlock. https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock
Fix Text: Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives "Require additional authentication at startup" to "Enabled" with "Configure TPM Startup PIN:" set to "Require startup PIN with TPM" or with "Configure TPM startup key and PIN:" set to "Require startup key and PIN with TPM".
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025
ResultHash: A0DEB1E83D788131EFCA0954E181AD87591B969A
~~~~~
BitLocker Network Unlock is not in use.
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
Value Name: UseAdvancedStartup
Value: 0x00000001 (1)
Value: REG_DWORD
TPM Startup PIN Configuration:
---------------------------
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
Value Name: UseTPMPIN
Value: 0x00000002 (2) [Expected '1']
Value: REG_DWORD
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
Value Name: UseTPMKeyPIN
Value: 0x00000002 (2) [Expected '1']
Value: REG_DWORD
Source: _Reviewed/MONT-WS-92010/Checklist/MONT-WS-92010_Win10_V3R4_20251023-141133.ckl
Scan Date: 2026-01-14T12:57:28.689048
Technology Area: Windows Operating System
|
||||||||
| V-220703 | CAT I | MONT-SW-89108 | Microsoft Windows 10 Security Technical ... | Windows 10 systems must use a BitLocker PIN for pr... | - | |||
Check Text: If the following registry value does not exist or is not configured as specified, this is a finding. For virtual desktop implementations (VDIs) in which the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For Azure Virtual Desktop (AVD) implementations with no data at rest, this is NA. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ Value Name: UseAdvancedStartup Type: REG_DWORD Value: 0x00000001 (1) If one of the following registry values does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ Value Name: UseTPMPIN Type: REG_DWORD Value: 0x00000001 (1) Value Name: UseTPMKeyPIN Type: REG_DWORD Value: 0x00000001 (1) When BitLocker network unlock is used: Value Name: UseTPMPIN Type: REG_DWORD Value: 0x00000002 (2) Value Name: UseTPMKeyPIN Type: REG_DWORD Value: 0x00000002 (2) BitLocker network unlock may be used in conjunction with a BitLocker PIN. Refer to the article at the link below for information about network unlock. https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock
Fix Text: Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives "Require additional authentication at startup" to "Enabled" with "Configure TPM Startup PIN:" set to "Require startup PIN with TPM" or with "Configure TPM startup key and PIN:" set to "Require startup key and PIN with TPM".
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025
ResultHash: AE41F3DF4C82029ED7404BA4BE6A75115B769621
~~~~~
BitLocker Network Unlock is not in use.
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
Value Name: UseAdvancedStartup
Value: 0x00000001 (1)
Value: REG_DWORD
TPM Startup PIN Configuration:
---------------------------
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
Value Name: UseTPMPIN
Value: 0x00000001 (1) [Compliant]
Value: REG_DWORD
Source: MONT-SW-89108_Win10_V3R5_20251217-203019.ckl
Scan Date: 2026-03-04T15:25:16.342077
Technology Area: Windows Operating System
|
||||||||
| V-220703 | CAT I | MONT-SW-89134 | Microsoft Windows 10 Security Technical ... | Windows 10 systems must use a BitLocker PIN for pr... | - | |||
Check Text: If the following registry value does not exist or is not configured as specified, this is a finding. For virtual desktop implementations (VDIs) in which the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For Azure Virtual Desktop (AVD) implementations with no data at rest, this is NA. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ Value Name: UseAdvancedStartup Type: REG_DWORD Value: 0x00000001 (1) If one of the following registry values does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ Value Name: UseTPMPIN Type: REG_DWORD Value: 0x00000001 (1) Value Name: UseTPMKeyPIN Type: REG_DWORD Value: 0x00000001 (1) When BitLocker network unlock is used: Value Name: UseTPMPIN Type: REG_DWORD Value: 0x00000002 (2) Value Name: UseTPMKeyPIN Type: REG_DWORD Value: 0x00000002 (2) BitLocker network unlock may be used in conjunction with a BitLocker PIN. Refer to the article at the link below for information about network unlock. https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock
Fix Text: Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives "Require additional authentication at startup" to "Enabled" with "Configure TPM Startup PIN:" set to "Require startup PIN with TPM" or with "Configure TPM startup key and PIN:" set to "Require startup key and PIN with TPM".
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025
ResultHash: AE41F3DF4C82029ED7404BA4BE6A75115B769621
~~~~~
BitLocker Network Unlock is not in use.
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
Value Name: UseAdvancedStartup
Value: 0x00000001 (1)
Value: REG_DWORD
TPM Startup PIN Configuration:
---------------------------
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
Value Name: UseTPMPIN
Value: 0x00000001 (1) [Compliant]
Value: REG_DWORD
Source: MONT-SW-89134_Win10_V3R5_20251217-201218.ckl
Scan Date: 2026-03-04T15:25:42.339596
Technology Area: Windows Operating System
|
||||||||
| V-220704 | CAT I | MONT-WS-92040 | Microsoft Windows 10 Security Technical ... | Windows 10 systems must use a BitLocker PIN with a... | - | |||
Check Text: If the following registry value does not exist or is not configured as specified, this is a finding. For virtual desktop implementations (VDIs) in which the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For Azure Virtual Desktop (AVD) implementations with no data at rest, this is NA. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ Value Name: MinimumPIN Type: REG_DWORD Value: 0x00000006 (6) or greater
Fix Text: Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives "Configure minimum PIN length for startup" to "Enabled" with "Minimum characters:" set to "6" or greater.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025
ResultHash: FC6199A9C32FADB82FFBB308E7C19D62F33E6804
~~~~~
'Configure minimum PIN length for startup' is Enabled: (Minimum characters set to 6 or greater)
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
Value Name: MinimumPIN
Value: 0x00000006 (6)
Type: REG_DWORD
Source: _Reviewed/MONT-WS-92040/Checklist/MONT-WS-92040_Win10_V3R4_20251023-142421.ckl
Scan Date: 2026-01-14T12:57:26.690022
Technology Area: Windows Operating System
|
||||||||
| V-220704 | CAT I | MONT-WS-92010 | Microsoft Windows 10 Security Technical ... | Windows 10 systems must use a BitLocker PIN with a... | - | |||
Check Text: If the following registry value does not exist or is not configured as specified, this is a finding. For virtual desktop implementations (VDIs) in which the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For Azure Virtual Desktop (AVD) implementations with no data at rest, this is NA. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ Value Name: MinimumPIN Type: REG_DWORD Value: 0x00000006 (6) or greater
Fix Text: Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives "Configure minimum PIN length for startup" to "Enabled" with "Minimum characters:" set to "6" or greater.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025
ResultHash: FC6199A9C32FADB82FFBB308E7C19D62F33E6804
~~~~~
'Configure minimum PIN length for startup' is Enabled: (Minimum characters set to 6 or greater)
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
Value Name: MinimumPIN
Value: 0x00000006 (6)
Type: REG_DWORD
Source: _Reviewed/MONT-WS-92010/Checklist/MONT-WS-92010_Win10_V3R4_20251023-141133.ckl
Scan Date: 2026-01-14T12:57:28.689048
Technology Area: Windows Operating System
|
||||||||
| V-220704 | CAT I | MONT-SW-89108 | Microsoft Windows 10 Security Technical ... | Windows 10 systems must use a BitLocker PIN with a... | - | |||
Check Text: If the following registry value does not exist or is not configured as specified, this is a finding. For virtual desktop implementations (VDIs) in which the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For Azure Virtual Desktop (AVD) implementations with no data at rest, this is NA. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ Value Name: MinimumPIN Type: REG_DWORD Value: 0x00000006 (6) or greater
Fix Text: Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives "Configure minimum PIN length for startup" to "Enabled" with "Minimum characters:" set to "6" or greater.
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025
ResultHash: FC6199A9C32FADB82FFBB308E7C19D62F33E6804
~~~~~
'Configure minimum PIN length for startup' is Enabled: (Minimum characters set to 6 or greater)
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
Value Name: MinimumPIN
Value: 0x00000006 (6)
Type: REG_DWORD
Source: MONT-SW-89108_Win10_V3R5_20251217-203019.ckl
Scan Date: 2026-03-04T15:25:16.342077
Technology Area: Windows Operating System
|
||||||||
| V-220704 | CAT I | MONT-SW-89134 | Microsoft Windows 10 Security Technical ... | Windows 10 systems must use a BitLocker PIN with a... | - | |||
Check Text: If the following registry value does not exist or is not configured as specified, this is a finding. For virtual desktop implementations (VDIs) in which the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For Azure Virtual Desktop (AVD) implementations with no data at rest, this is NA. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ Value Name: MinimumPIN Type: REG_DWORD Value: 0x00000006 (6) or greater
Fix Text: Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives "Configure minimum PIN length for startup" to "Enabled" with "Minimum characters:" set to "6" or greater.
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025
ResultHash: FC6199A9C32FADB82FFBB308E7C19D62F33E6804
~~~~~
'Configure minimum PIN length for startup' is Enabled: (Minimum characters set to 6 or greater)
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
Value Name: MinimumPIN
Value: 0x00000006 (6)
Type: REG_DWORD
Source: MONT-SW-89134_Win10_V3R5_20251217-201218.ckl
Scan Date: 2026-03-04T15:25:42.339596
Technology Area: Windows Operating System
|
||||||||
| V-220706 | CAT I | MONT-WS-92040 | Microsoft Windows 10 Security Technical ... | Windows 10 systems must be maintained at a support... | - | |||
Check Text: Run "winver.exe". If the "About Windows" dialog box does not display a version supported by the vendor, this is a finding.
Fix Text: Upgrade to a supported version of the operating system.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025
ResultHash: 43A1582C809B264B02D1678B8CB1FFE0AB4890CA
~~~~~
Operating system is 'Windows 10 Enterprise LTSC 2021 21H2' (10.0.19044)
Source: _Reviewed/MONT-WS-92040/Checklist/MONT-WS-92040_Win10_V3R4_20251023-142421.ckl
Scan Date: 2026-01-14T12:57:26.690022
Technology Area: Windows Operating System
|
||||||||
| V-220706 | CAT I | MONT-WS-92010 | Microsoft Windows 10 Security Technical ... | Windows 10 systems must be maintained at a support... | - | |||
Check Text: Run "winver.exe". If the "About Windows" dialog box does not display a version supported by the vendor, this is a finding.
Fix Text: Upgrade to a supported version of the operating system.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025
ResultHash: 43A1582C809B264B02D1678B8CB1FFE0AB4890CA
~~~~~
Operating system is 'Windows 10 Enterprise LTSC 2021 21H2' (10.0.19044)
Source: _Reviewed/MONT-WS-92010/Checklist/MONT-WS-92010_Win10_V3R4_20251023-141133.ckl
Scan Date: 2026-01-14T12:57:28.689048
Technology Area: Windows Operating System
|
||||||||
| V-220706 | CAT I | MONT-SW-89108 | Microsoft Windows 10 Security Technical ... | Windows 10 systems must be maintained at a support... | - | |||
Check Text: Run "winver.exe". If the "About Windows" dialog box does not display a version supported by the vendor, this is a finding.
Fix Text: Upgrade to a supported version of the operating system.
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025
ResultHash: 43A1582C809B264B02D1678B8CB1FFE0AB4890CA
~~~~~
Operating system is 'Windows 10 Enterprise LTSC 2021 21H2' (10.0.19044)
Source: MONT-SW-89108_Win10_V3R5_20251217-203019.ckl
Scan Date: 2026-03-04T15:25:16.342077
Technology Area: Windows Operating System
|
||||||||
| V-220706 | CAT I | MONT-SW-89134 | Microsoft Windows 10 Security Technical ... | Windows 10 systems must be maintained at a support... | - | |||
Check Text: Run "winver.exe". If the "About Windows" dialog box does not display a version supported by the vendor, this is a finding.
Fix Text: Upgrade to a supported version of the operating system.
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025
ResultHash: 43A1582C809B264B02D1678B8CB1FFE0AB4890CA
~~~~~
Operating system is 'Windows 10 Enterprise LTSC 2021 21H2' (10.0.19044)
Source: MONT-SW-89134_Win10_V3R5_20251217-201218.ckl
Scan Date: 2026-03-04T15:25:42.339596
Technology Area: Windows Operating System
|
||||||||
| V-220707 | CAT I | MONT-WS-92040 | Microsoft Windows 10 Security Technical ... | The Windows 10 system must use an anti-virus progr... | - | |||
Check Text: Verify an antivirus solution is installed on the system and in use. The antivirus solution may be bundled with an approved Endpoint Security Solution. Verify if Windows Defender is in use or enabled: Open "PowerShell". Enter "get-service | where {$_.DisplayName -Like "*Defender*"} | Select Status,DisplayName" Verify third-party antivirus is in use or enabled: Open "PowerShell". Enter "get-service | where {$_.DisplayName -Like "*mcafee*"} | Select Status,DisplayName" Enter "get-service | where {$_.DisplayName -Like "*symantec*"} | Select Status,DisplayName" Enter "get-service | where {$_.DisplayName -Like "*trellix*"} | Select Status,DisplayName" If there is no antivirus solution installed on the system, this is a finding.
Fix Text: If no antivirus software is on the system and in use, install Windows Defender or a third-party antivirus solution.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025
ResultHash: 9F637B38FFA9011906DB3132B81BF7C3A5BDC17C
~~~~~
WMI Namespace: ROOT/SecurityCenter2
WMI Class: AntiVirusProduct
Display Name: Trellix Endpoint Security
Product State: On
Source: _Reviewed/MONT-WS-92040/Checklist/MONT-WS-92040_Win10_V3R4_20251023-142421.ckl
Scan Date: 2026-01-14T12:57:26.690022
Technology Area: Windows Operating System
|
||||||||
| V-220707 | CAT I | MONT-WS-92010 | Microsoft Windows 10 Security Technical ... | The Windows 10 system must use an anti-virus progr... | - | |||
Check Text: Verify an antivirus solution is installed on the system and in use. The antivirus solution may be bundled with an approved Endpoint Security Solution. Verify if Windows Defender is in use or enabled: Open "PowerShell". Enter "get-service | where {$_.DisplayName -Like "*Defender*"} | Select Status,DisplayName" Verify third-party antivirus is in use or enabled: Open "PowerShell". Enter "get-service | where {$_.DisplayName -Like "*mcafee*"} | Select Status,DisplayName" Enter "get-service | where {$_.DisplayName -Like "*symantec*"} | Select Status,DisplayName" Enter "get-service | where {$_.DisplayName -Like "*trellix*"} | Select Status,DisplayName" If there is no antivirus solution installed on the system, this is a finding.
Fix Text: If no antivirus software is on the system and in use, install Windows Defender or a third-party antivirus solution.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025
ResultHash: 9F637B38FFA9011906DB3132B81BF7C3A5BDC17C
~~~~~
WMI Namespace: ROOT/SecurityCenter2
WMI Class: AntiVirusProduct
Display Name: Trellix Endpoint Security
Product State: On
Source: _Reviewed/MONT-WS-92010/Checklist/MONT-WS-92010_Win10_V3R4_20251023-141133.ckl
Scan Date: 2026-01-14T12:57:28.689048
Technology Area: Windows Operating System
|
||||||||
| V-220707 | CAT I | MONT-SW-89108 | Microsoft Windows 10 Security Technical ... | The Windows 10 system must use an anti-virus progr... | - | |||
Check Text: Verify an antivirus solution is installed on the system and in use. The antivirus solution may be bundled with an approved Endpoint Security Solution. Verify if Windows Defender is in use or enabled: Open "PowerShell". Enter "get-service | where {$_.DisplayName -Like "*Defender*"} | Select Status,DisplayName" Verify third-party antivirus is in use or enabled: Open "PowerShell". Enter "get-service | where {$_.DisplayName -Like "*mcafee*"} | Select Status,DisplayName" Enter "get-service | where {$_.DisplayName -Like "*symantec*"} | Select Status,DisplayName" Enter "get-service | where {$_.DisplayName -Like "*trellix*"} | Select Status,DisplayName" If there is no antivirus solution installed on the system, this is a finding.
Fix Text: If no antivirus software is on the system and in use, install Windows Defender or a third-party antivirus solution.
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025
ResultHash: 9F637B38FFA9011906DB3132B81BF7C3A5BDC17C
~~~~~
WMI Namespace: ROOT/SecurityCenter2
WMI Class: AntiVirusProduct
Display Name: Trellix Endpoint Security
Product State: On
Source: MONT-SW-89108_Win10_V3R5_20251217-203019.ckl
Scan Date: 2026-03-04T15:25:16.342077
Technology Area: Windows Operating System
|
||||||||
| V-220707 | CAT I | MONT-SW-89134 | Microsoft Windows 10 Security Technical ... | The Windows 10 system must use an anti-virus progr... | - | |||
Check Text: Verify an antivirus solution is installed on the system and in use. The antivirus solution may be bundled with an approved Endpoint Security Solution. Verify if Windows Defender is in use or enabled: Open "PowerShell". Enter "get-service | where {$_.DisplayName -Like "*Defender*"} | Select Status,DisplayName" Verify third-party antivirus is in use or enabled: Open "PowerShell". Enter "get-service | where {$_.DisplayName -Like "*mcafee*"} | Select Status,DisplayName" Enter "get-service | where {$_.DisplayName -Like "*symantec*"} | Select Status,DisplayName" Enter "get-service | where {$_.DisplayName -Like "*trellix*"} | Select Status,DisplayName" If there is no antivirus solution installed on the system, this is a finding.
Fix Text: If no antivirus software is on the system and in use, install Windows Defender or a third-party antivirus solution.
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025
ResultHash: 9F637B38FFA9011906DB3132B81BF7C3A5BDC17C
~~~~~
WMI Namespace: ROOT/SecurityCenter2
WMI Class: AntiVirusProduct
Display Name: Trellix Endpoint Security
Product State: On
Source: MONT-SW-89134_Win10_V3R5_20251217-201218.ckl
Scan Date: 2026-03-04T15:25:42.339596
Technology Area: Windows Operating System
| V-220708 | CAT I | MONT-WS-92040 | Microsoft Windows 10 Security Technical ... | Local volumes must be formatted using NTFS. | - | |||
Check Text: Run "Computer Management". Navigate to Storage >> Disk Management. If the "File System" column does not indicate "NTFS" for each volume assigned a drive letter, this is a finding. This does not apply to system partitions such as the Recovery and EFI System Partition.
Fix Text: Format all local volumes to use NTFS.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025
ResultHash: 3902149AE7346482F89E57F8AC8722F42D01C119
~~~~~
All disk(s) formatted as NTFS.
Device ID: C:
Drive Type: Local Disk (3)
Volume Name: Windows
File System: NTFS
Source: _Reviewed/MONT-WS-92040/Checklist/MONT-WS-92040_Win10_V3R4_20251023-142421.ckl
Scan Date: 2026-01-14T12:57:26.690022
Technology Area: Windows Operating System
| V-220708 | CAT I | MONT-WS-92010 | Microsoft Windows 10 Security Technical ... | Local volumes must be formatted using NTFS. | - | |||
Check Text: Run "Computer Management". Navigate to Storage >> Disk Management. If the "File System" column does not indicate "NTFS" for each volume assigned a drive letter, this is a finding. This does not apply to system partitions such as the Recovery and EFI System Partition.
Fix Text: Format all local volumes to use NTFS.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025
ResultHash: 3902149AE7346482F89E57F8AC8722F42D01C119
~~~~~
All disk(s) formatted as NTFS.
Device ID: C:
Drive Type: Local Disk (3)
Volume Name: Windows
File System: NTFS
Source: _Reviewed/MONT-WS-92010/Checklist/MONT-WS-92010_Win10_V3R4_20251023-141133.ckl
Scan Date: 2026-01-14T12:57:28.689048
Technology Area: Windows Operating System
| V-220708 | CAT I | MONT-SW-89108 | Microsoft Windows 10 Security Technical ... | Local volumes must be formatted using NTFS. | - | |||
Check Text: Run "Computer Management". Navigate to Storage >> Disk Management. If the "File System" column does not indicate "NTFS" for each volume assigned a drive letter, this is a finding. This does not apply to system partitions such as the Recovery and EFI System Partition.
Fix Text: Format all local volumes to use NTFS.
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025
ResultHash: 3902149AE7346482F89E57F8AC8722F42D01C119
~~~~~
All disk(s) formatted as NTFS.
Device ID: C:
Drive Type: Local Disk (3)
Volume Name: Windows
File System: NTFS
Source: MONT-SW-89108_Win10_V3R5_20251217-203019.ckl
Scan Date: 2026-03-04T15:25:16.342077
Technology Area: Windows Operating System
| V-220708 | CAT I | MONT-SW-89134 | Microsoft Windows 10 Security Technical ... | Local volumes must be formatted using NTFS. | - | |||
Check Text: Run "Computer Management". Navigate to Storage >> Disk Management. If the "File System" column does not indicate "NTFS" for each volume assigned a drive letter, this is a finding. This does not apply to system partitions such as the Recovery and EFI System Partition.
Fix Text: Format all local volumes to use NTFS.
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025
ResultHash: 3902149AE7346482F89E57F8AC8722F42D01C119
~~~~~
All disk(s) formatted as NTFS.
Device ID: C:
Drive Type: Local Disk (3)
Volume Name: Windows
File System: NTFS
Source: MONT-SW-89134_Win10_V3R5_20251217-201218.ckl
Scan Date: 2026-03-04T15:25:42.339596
Technology Area: Windows Operating System
| V-220712 | CAT I | MONT-WS-92040 | Microsoft Windows 10 Security Technical ... | Only accounts responsible for the administration o... | - | |||
Check Text: Run "Computer Management". Navigate to System Tools >> Local Users and Groups >> Groups. Review the members of the Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. For domain-joined workstations, the Domain Admins group must be replaced by a domain workstation administrator group. Standard user accounts must not be members of the local administrator group. If prohibited accounts are members of the local administrators group, this is a finding. The built-in Administrator account or other required administrative accounts would not be a finding.
Fix Text: Configure the system to include only administrator groups or accounts that are responsible for the system in the local Administrators group. For domain-joined workstations, the Domain Admins group must be replaced by a domain workstation administrator group. Remove any standard user accounts.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
ResultHash: 3E830C5BCEA1AA12EC57417D52A215ACB2E2E5E1
~~~~~
The following are members of the local Administrators group:
==============
Name: MONTFORD-POINT\Workstation Administrator Group objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1110
Name: MONT-WS-92040\dod_admin objectClass: User objectSID: S-1-5-21-3703204072-2228436765-3422267048-1001
Name: MONT-WS-92040\X_Admin objectClass: User objectSID: S-1-5-21-3703204072-2228436765-3422267048-500
Source: _Reviewed/MONT-WS-92040/Checklist/MONT-WS-92040_Win10_V3R4_20251023-142421.ckl
Scan Date: 2026-01-14T12:57:26.690022
Technology Area: Windows Operating System
| V-220712 | CAT I | MONT-WS-92010 | Microsoft Windows 10 Security Technical ... | Only accounts responsible for the administration o... | - | |||
Check Text: Run "Computer Management". Navigate to System Tools >> Local Users and Groups >> Groups. Review the members of the Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. For domain-joined workstations, the Domain Admins group must be replaced by a domain workstation administrator group. Standard user accounts must not be members of the local administrator group. If prohibited accounts are members of the local administrators group, this is a finding. The built-in Administrator account or other required administrative accounts would not be a finding.
Fix Text: Configure the system to include only administrator groups or accounts that are responsible for the system in the local Administrators group. For domain-joined workstations, the Domain Admins group must be replaced by a domain workstation administrator group. Remove any standard user accounts.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
ResultHash: 8CF8EB2216BA99A2A79DC17F45300F57F0A47C32
~~~~~
The following are members of the local Administrators group:
==============
Name: MONTFORD-POINT\Workstation Administrator Group objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1110
Name: MONT-WS-92010\dod_admin objectClass: User objectSID: S-1-5-21-2586659569-2484290388-2027984285-1001
Name: MONT-WS-92010\X_Admin objectClass: User objectSID: S-1-5-21-2586659569-2484290388-2027984285-500
Source: _Reviewed/MONT-WS-92010/Checklist/MONT-WS-92010_Win10_V3R4_20251023-141133.ckl
Scan Date: 2026-01-14T12:57:28.689048
Technology Area: Windows Operating System
| V-220712 | CAT I | MONT-SW-89108 | Microsoft Windows 10 Security Technical ... | Only accounts responsible for the administration o... | - | |||
Check Text: Run "Computer Management". Navigate to System Tools >> Local Users and Groups >> Groups. Review the members of the Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. For domain-joined workstations, the Domain Admins group must be replaced by a domain workstation administrator group. Standard user accounts must not be members of the local administrator group. If prohibited accounts are members of the local administrators group, this is a finding. The built-in Administrator account or other required administrative accounts would not be a finding.
Fix Text: Configure the system to include only administrator groups or accounts that are responsible for the system in the local Administrators group. For domain-joined workstations, the Domain Admins group must be replaced by a domain workstation administrator group. Remove any standard user accounts.
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) was unable to determine a Status but found the below configuration on 12/17/2025:
ResultHash: 20E099B9F72979B59022E9A2A9ED1BDEE0865FF1
~~~~~
The following are members of the local Administrators group:
==============
Name: MONT-SW-89108\AMPerl.IAAdmin objectClass: User objectSID: S-1-5-21-4163428051-2768110797-3591193048-1018
Name: MONT-SW-89108\dod_admin objectClass: User objectSID: S-1-5-21-4163428051-2768110797-3591193048-1001
Name: MONT-SW-89108\jtbegarek.iaadmin objectClass: User objectSID: S-1-5-21-4163428051-2768110797-3591193048-1024
Name: MONT-SW-89108\Scan.Admin objectClass: User objectSID: S-1-5-21-4163428051-2768110797-3591193048-1016
Name: MONT-SW-89108\tljones.iaadmin objectClass: User objectSID: S-1-5-21-4163428051-2768110797-3591193048-1023
Name: MONT-SW-89108\xAdministrator objectClass: User objectSID: S-1-5-21-4163428051-2768110797-3591193048-500
Source: MONT-SW-89108_Win10_V3R5_20251217-203019.ckl
Scan Date: 2026-03-04T15:25:16.342077
Technology Area: Windows Operating System
| V-220712 | CAT I | MONT-SW-89134 | Microsoft Windows 10 Security Technical ... | Only accounts responsible for the administration o... | - | |||
Check Text: Run "Computer Management". Navigate to System Tools >> Local Users and Groups >> Groups. Review the members of the Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. For domain-joined workstations, the Domain Admins group must be replaced by a domain workstation administrator group. Standard user accounts must not be members of the local administrator group. If prohibited accounts are members of the local administrators group, this is a finding. The built-in Administrator account or other required administrative accounts would not be a finding.
Fix Text: Configure the system to include only administrator groups or accounts that are responsible for the system in the local Administrators group. For domain-joined workstations, the Domain Admins group must be replaced by a domain workstation administrator group. Remove any standard user accounts.
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) was unable to determine a Status but found the below configuration on 12/17/2025:
ResultHash: 755D0E653E43EF30F999A01A9B8C1F315C41FADD
~~~~~
The following are members of the local Administrators group:
==============
Name: MONT-SW-89134\AMPerl.IAAdmin objectClass: User objectSID: S-1-5-21-4004422625-1934610219-1178763574-1021
Name: MONT-SW-89134\dod_admin objectClass: User objectSID: S-1-5-21-4004422625-1934610219-1178763574-1001
Name: MONT-SW-89134\jtbegarek.iaadmin objectClass: User objectSID: S-1-5-21-4004422625-1934610219-1178763574-1026
Name: MONT-SW-89134\scan.admin objectClass: User objectSID: S-1-5-21-4004422625-1934610219-1178763574-1022
Name: MONT-SW-89134\tljones.iaadmin objectClass: User objectSID: S-1-5-21-4004422625-1934610219-1178763574-1024
Name: MONT-SW-89134\xAdministrator objectClass: User objectSID: S-1-5-21-4004422625-1934610219-1178763574-500
Source: MONT-SW-89134_Win10_V3R5_20251217-201218.ckl
Scan Date: 2026-03-04T15:25:42.339596
Technology Area: Windows Operating System
| V-220718 | CAT I | MONT-WS-92040 | Microsoft Windows 10 Security Technical ... | Internet Information System (IIS) or its subcompon... | - | |||
Check Text: IIS is not installed by default. Verify it has not been installed on the system. Run "Programs and Features". Select "Turn Windows features on or off". If the entries for "Internet Information Services" or "Internet Information Services Hostable Web Core" are selected, this is a finding. If an application requires IIS or a subset to be installed to function, this needs to be documented with the ISSO. In addition, any applicable requirements from the IIS STIG must be addressed.
Fix Text: Uninstall "Internet Information Services" or "Internet Information Services Hostable Web Core" from the system.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025
ResultHash: 9909794486C8A4818F6C510A4F518CE94F2C267A
~~~~~
Feature Name: IIS-WebServerRole State: Disabled
Feature Name: IIS-HostableWebCore State: Disabled
Source: _Reviewed/MONT-WS-92040/Checklist/MONT-WS-92040_Win10_V3R4_20251023-142421.ckl
Scan Date: 2026-01-14T12:57:26.690022
Technology Area: Windows Operating System
| V-220718 | CAT I | MONT-WS-92010 | Microsoft Windows 10 Security Technical ... | Internet Information System (IIS) or its subcompon... | - | |||
Check Text: IIS is not installed by default. Verify it has not been installed on the system. Run "Programs and Features". Select "Turn Windows features on or off". If the entries for "Internet Information Services" or "Internet Information Services Hostable Web Core" are selected, this is a finding. If an application requires IIS or a subset to be installed to function, this needs to be documented with the ISSO. In addition, any applicable requirements from the IIS STIG must be addressed.
Fix Text: Uninstall "Internet Information Services" or "Internet Information Services Hostable Web Core" from the system.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025
ResultHash: 9909794486C8A4818F6C510A4F518CE94F2C267A
~~~~~
Feature Name: IIS-WebServerRole State: Disabled
Feature Name: IIS-HostableWebCore State: Disabled
Source: _Reviewed/MONT-WS-92010/Checklist/MONT-WS-92010_Win10_V3R4_20251023-141133.ckl
Scan Date: 2026-01-14T12:57:28.689048
Technology Area: Windows Operating System
| V-220718 | CAT I | MONT-SW-89108 | Microsoft Windows 10 Security Technical ... | Internet Information System (IIS) or its subcompon... | - | |||
Check Text: IIS is not installed by default. Verify it has not been installed on the system. Run "Programs and Features". Select "Turn Windows features on or off". If the entries for "Internet Information Services" or "Internet Information Services Hostable Web Core" are selected, this is a finding. If an application requires IIS or a subset to be installed to function, this needs to be documented with the ISSO. In addition, any applicable requirements from the IIS STIG must be addressed.
Fix Text: Uninstall "Internet Information Services" or "Internet Information Services Hostable Web Core" from the system.
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025
ResultHash: 9909794486C8A4818F6C510A4F518CE94F2C267A
~~~~~
Feature Name: IIS-WebServerRole State: Disabled
Feature Name: IIS-HostableWebCore State: Disabled
Source: MONT-SW-89108_Win10_V3R5_20251217-203019.ckl
Scan Date: 2026-03-04T15:25:16.342077
Technology Area: Windows Operating System
| V-220718 | CAT I | MONT-SW-89134 | Microsoft Windows 10 Security Technical ... | Internet Information System (IIS) or its subcompon... | - | |||
Check Text: IIS is not installed by default. Verify it has not been installed on the system. Run "Programs and Features". Select "Turn Windows features on or off". If the entries for "Internet Information Services" or "Internet Information Services Hostable Web Core" are selected, this is a finding. If an application requires IIS or a subset to be installed to function, this needs to be documented with the ISSO. In addition, any applicable requirements from the IIS STIG must be addressed.
Fix Text: Uninstall "Internet Information Services" or "Internet Information Services Hostable Web Core" from the system.
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025
ResultHash: 9909794486C8A4818F6C510A4F518CE94F2C267A
~~~~~
Feature Name: IIS-WebServerRole State: Disabled
Feature Name: IIS-HostableWebCore State: Disabled
Source: MONT-SW-89134_Win10_V3R5_20251217-201218.ckl
Scan Date: 2026-03-04T15:25:42.339596
Technology Area: Windows Operating System
| V-220727 | CAT I | MONT-WS-92040 | Microsoft Windows 10 Security Technical ... | Structured Exception Handling Overwrite Protection... | - | |||
Check Text: This is applicable to Windows 10 prior to v1709. Verify SEHOP is turned on. If the following registry value does not exist or is not configured as specified, this is a finding.
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\kernel\
Value Name: DisableExceptionChainValidation
Value Type: REG_DWORD
Value: 0x00000000 (0)
Fix Text: Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Enable Structured Exception Handling Overwrite Protection (SEHOP)" to "Enabled". This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT APPLICABLE on 10/23/2025
ResultHash: E6502904487C2D388E0134DE9AA5D3378AFB5240
~~~~~
Windows 10 version is 2009 so this requirement is NA.
Source: _Reviewed/MONT-WS-92040/Checklist/MONT-WS-92040_Win10_V3R4_20251023-142421.ckl
Scan Date: 2026-01-14T12:57:26.690022
Technology Area: Windows Operating System
| V-220727 | CAT I | MONT-WS-92010 | Microsoft Windows 10 Security Technical ... | Structured Exception Handling Overwrite Protection... | - | |||
Check Text: This is applicable to Windows 10 prior to v1709. Verify SEHOP is turned on. If the following registry value does not exist or is not configured as specified, this is a finding.
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\kernel\
Value Name: DisableExceptionChainValidation
Value Type: REG_DWORD
Value: 0x00000000 (0)
Fix Text: Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Enable Structured Exception Handling Overwrite Protection (SEHOP)" to "Enabled". This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT APPLICABLE on 10/23/2025
ResultHash: E6502904487C2D388E0134DE9AA5D3378AFB5240
~~~~~
Windows 10 version is 2009 so this requirement is NA.
Source: _Reviewed/MONT-WS-92010/Checklist/MONT-WS-92010_Win10_V3R4_20251023-141133.ckl
Scan Date: 2026-01-14T12:57:28.689048
Technology Area: Windows Operating System
| V-220727 | CAT I | MONT-SW-89108 | Microsoft Windows 10 Security Technical ... | Structured Exception Handling Overwrite Protection... | - | |||
Check Text: This is applicable to Windows 10 prior to v1709. Verify SEHOP is turned on. If the following registry value does not exist or is not configured as specified, this is a finding.
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\kernel\
Value Name: DisableExceptionChainValidation
Value Type: REG_DWORD
Value: 0x00000000 (0)
Fix Text: Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Enable Structured Exception Handling Overwrite Protection (SEHOP)" to "Enabled". This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT APPLICABLE on 12/17/2025
ResultHash: E6502904487C2D388E0134DE9AA5D3378AFB5240
~~~~~
Windows 10 version is 2009 so this requirement is NA.
Source: MONT-SW-89108_Win10_V3R5_20251217-203019.ckl
Scan Date: 2026-03-04T15:25:16.342077
Technology Area: Windows Operating System
| V-220727 | CAT I | MONT-SW-89134 | Microsoft Windows 10 Security Technical ... | Structured Exception Handling Overwrite Protection... | - | |||
Check Text: This is applicable to Windows 10 prior to v1709. Verify SEHOP is turned on. If the following registry value does not exist or is not configured as specified, this is a finding.
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\kernel\
Value Name: DisableExceptionChainValidation
Value Type: REG_DWORD
Value: 0x00000000 (0)
Fix Text: Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Enable Structured Exception Handling Overwrite Protection (SEHOP)" to "Enabled". This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT APPLICABLE on 12/17/2025
ResultHash: E6502904487C2D388E0134DE9AA5D3378AFB5240
~~~~~
Windows 10 version is 2009 so this requirement is NA.
Source: MONT-SW-89134_Win10_V3R5_20251217-201218.ckl
Scan Date: 2026-03-04T15:25:42.339596
Technology Area: Windows Operating System
| V-220737 | CAT I | MONT-WS-92040 | Microsoft Windows 10 Security Technical ... | Administrative accounts must not be used with appl... | Documented Pending Review | |||
Check Text: Determine whether administrative accounts are prevented from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding.
Fix Text: Establish and enforce a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. Define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. Implement technical measures where feasible such as removal of applications or use of application whitelisting to restrict the use of applications that can access the Internet.
Source: _Reviewed/MONT-WS-92040/Checklist/MONT-WS-92040_Win10_V3R4_20251023-142421.ckl
Scan Date: 2026-01-14T12:57:26.690022
Technology Area: Windows Operating System
| V-220737 | CAT I | MONT-WS-92010 | Microsoft Windows 10 Security Technical ... | Administrative accounts must not be used with appl... | Documented Pending Review | |||
Check Text: Determine whether administrative accounts are prevented from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding.
Fix Text: Establish and enforce a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. Define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. Implement technical measures where feasible such as removal of applications or use of application whitelisting to restrict the use of applications that can access the Internet.
Source: _Reviewed/MONT-WS-92010/Checklist/MONT-WS-92010_Win10_V3R4_20251023-141133.ckl
Scan Date: 2026-01-14T12:57:28.689048
Technology Area: Windows Operating System
| V-220737 | CAT I | MONT-SW-89108 | Microsoft Windows 10 Security Technical ... | Administrative accounts must not be used with appl... | Documented Pending Review | |||
Check Text: Determine whether administrative accounts are prevented from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding.
Fix Text: Establish and enforce a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. Define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. Implement technical measures where feasible such as removal of applications or use of application whitelisting to restrict the use of applications that can access the Internet.
Source: MONT-SW-89108_Win10_V3R5_20251217-203019.ckl
Scan Date: 2026-03-04T15:25:16.342077
Technology Area: Windows Operating System
| V-220737 | CAT I | MONT-SW-89134 | Microsoft Windows 10 Security Technical ... | Administrative accounts must not be used with appl... | Documented Pending Review | |||
Check Text: Determine whether administrative accounts are prevented from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding.
Fix Text: Establish and enforce a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. Define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. Implement technical measures where feasible such as removal of applications or use of application whitelisting to restrict the use of applications that can access the Internet.
Source: MONT-SW-89134_Win10_V3R5_20251217-201218.ckl
Scan Date: 2026-03-04T15:25:42.339596
Technology Area: Windows Operating System
| V-220747 | CAT I | MONT-WS-92040 | Microsoft Windows 10 Security Technical ... | Reversible password encryption must be disabled. | - | |||
Check Text: Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for "Store password using reversible encryption" is not set to "Disabled", this is a finding.
Fix Text: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Store passwords using reversible encryption" to "Disabled".
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025
ResultHash: 0C3874C178BF034376FC830F77095A4B14233118
~~~~~
'Store passwords using reversible encryption' is Disabled
ClearTextPassword: 0
Source: _Reviewed/MONT-WS-92040/Checklist/MONT-WS-92040_Win10_V3R4_20251023-142421.ckl
Scan Date: 2026-01-14T12:57:26.690022
Technology Area: Windows Operating System
| V-220747 | CAT I | MONT-WS-92010 | Microsoft Windows 10 Security Technical ... | Reversible password encryption must be disabled. | - | |||
Check Text: Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for "Store password using reversible encryption" is not set to "Disabled", this is a finding.
Fix Text: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Store passwords using reversible encryption" to "Disabled".
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025
ResultHash: 0C3874C178BF034376FC830F77095A4B14233118
~~~~~
'Store passwords using reversible encryption' is Disabled
ClearTextPassword: 0
Source: _Reviewed/MONT-WS-92010/Checklist/MONT-WS-92010_Win10_V3R4_20251023-141133.ckl
Scan Date: 2026-01-14T12:57:28.689048
Technology Area: Windows Operating System
|
| V-220747 | CAT I | MONT-SW-89108 | Microsoft Windows 10 Security Technical ... | Reversible password encryption must be disabled. | - | |||
Check Text: Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for "Store passwords using reversible encryption" is not set to "Disabled", this is a finding.
Fix Text: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Store passwords using reversible encryption" to "Disabled".
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 0C3874C178BF034376FC830F77095A4B14233118 ~~~~~ 'Store passwords using reversible encryption' is Disabled ClearTextPassword: 0
Source: MONT-SW-89108_Win10_V3R5_20251217-203019.ckl
Scan Date: 2026-03-04T15:25:16.342077
Technology Area: Windows Operating System
|
| V-220747 | CAT I | MONT-SW-89134 | Microsoft Windows 10 Security Technical ... | Reversible password encryption must be disabled. | - | |||
Check Text: Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for "Store passwords using reversible encryption" is not set to "Disabled", this is a finding.
Fix Text: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Store passwords using reversible encryption" to "Disabled".
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 0C3874C178BF034376FC830F77095A4B14233118 ~~~~~ 'Store passwords using reversible encryption' is Disabled ClearTextPassword: 0
Source: MONT-SW-89134_Win10_V3R5_20251217-201218.ckl
Scan Date: 2026-03-04T15:25:42.339596
Technology Area: Windows Operating System
|
| V-220812 | CAT I | MONT-WS-92040 | Microsoft Windows 10 Security Technical ... | Credential Guard must be running on Windows 10 dom... | - | |||
Check Text: Confirm Credential Guard is running on domain-joined systems. For devices that support Credential Guard, this feature must be enabled. Organizations must take the appropriate action to acquire and implement compatible hardware with Credential Guard enabled. Virtualization based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDIs) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop. For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is Not Applicable. Run "PowerShell" with elevated privileges (run as administrator). Enter the following: "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" If "SecurityServicesRunning" does not include a value of "1" (e.g., "{1, 2}"), this is a finding. Alternately: Run "System Information". Under "System Summary", verify the following: If "Virtualization-based Security Services Running" does not list "Credential Guard", this is a finding. The policy settings referenced in the Fix section will configure the following registry value. However, due to hardware requirements, the registry value alone does not ensure proper function. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ Value Name: LsaCfgFlags Value Type: REG_DWORD Value: 0x00000001 (1) (Enabled with UEFI lock)
Fix Text: Virtualization based security, including Credential Guard, currently cannot be implemented in VDIs due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop. For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is Not Applicable. For VDIs with persistent desktops, this may be downgraded to a CAT II only where administrators have specific tokens for the VDI. Administrator accounts on virtual desktops must only be used on systems in the VDI; they may not have administrative privileges on any other systems such as servers and physical workstations. Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Enabled with UEFI lock" selected for "Credential Guard Configuration:". v1507 LTSB does not include selection options; select "Enable Credential Guard". A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 83848C949BBF8A4E2EBDBB4A433926F0E07188E0 ~~~~~ SecurityServicesRunning: 1
Source: _Reviewed/MONT-WS-92040/Checklist/MONT-WS-92040_Win10_V3R4_20251023-142421.ckl
Scan Date: 2026-01-14T12:57:26.690022
Technology Area: Windows Operating System
|
| V-220812 | CAT I | MONT-WS-92010 | Microsoft Windows 10 Security Technical ... | Credential Guard must be running on Windows 10 dom... | - | |||
Check Text: Confirm Credential Guard is running on domain-joined systems. For devices that support Credential Guard, this feature must be enabled. Organizations must take the appropriate action to acquire and implement compatible hardware with Credential Guard enabled. Virtualization based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDIs) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop. For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is Not Applicable. Run "PowerShell" with elevated privileges (run as administrator). Enter the following: "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" If "SecurityServicesRunning" does not include a value of "1" (e.g., "{1, 2}"), this is a finding. Alternately: Run "System Information". Under "System Summary", verify the following: If "Virtualization-based Security Services Running" does not list "Credential Guard", this is a finding. The policy settings referenced in the Fix section will configure the following registry value. However, due to hardware requirements, the registry value alone does not ensure proper function. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ Value Name: LsaCfgFlags Value Type: REG_DWORD Value: 0x00000001 (1) (Enabled with UEFI lock)
Fix Text: Virtualization based security, including Credential Guard, currently cannot be implemented in VDIs due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop. For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is Not Applicable. For VDIs with persistent desktops, this may be downgraded to a CAT II only where administrators have specific tokens for the VDI. Administrator accounts on virtual desktops must only be used on systems in the VDI; they may not have administrative privileges on any other systems such as servers and physical workstations. Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Enabled with UEFI lock" selected for "Credential Guard Configuration:". v1507 LTSB does not include selection options; select "Enable Credential Guard". A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 83848C949BBF8A4E2EBDBB4A433926F0E07188E0 ~~~~~ SecurityServicesRunning: 1
Source: _Reviewed/MONT-WS-92010/Checklist/MONT-WS-92010_Win10_V3R4_20251023-141133.ckl
Scan Date: 2026-01-14T12:57:28.689048
Technology Area: Windows Operating System
|
| V-220812 | CAT I | MONT-SW-89108 | Microsoft Windows 10 Security Technical ... | Credential Guard must be running on Windows 10 dom... | - | |||
Check Text: Confirm Credential Guard is running on domain-joined systems. For devices that support Credential Guard, this feature must be enabled. Organizations must take the appropriate action to acquire and implement compatible hardware with Credential Guard enabled. Virtualization based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDIs) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop. For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is Not Applicable. Run "PowerShell" with elevated privileges (run as administrator). Enter the following: "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" If "SecurityServicesRunning" does not include a value of "1" (e.g., "{1, 2}"), this is a finding. Alternately: Run "System Information". Under "System Summary", verify the following: If "Virtualization-based Security Services Running" does not list "Credential Guard", this is a finding. The policy settings referenced in the Fix section will configure the following registry value. However, due to hardware requirements, the registry value alone does not ensure proper function. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ Value Name: LsaCfgFlags Value Type: REG_DWORD Value: 0x00000001 (1) (Enabled with UEFI lock)
Fix Text: Virtualization based security, including Credential Guard, currently cannot be implemented in VDIs due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop. For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is Not Applicable. For VDIs with persistent desktops, this may be downgraded to a CAT II only where administrators have specific tokens for the VDI. Administrator accounts on virtual desktops must only be used on systems in the VDI; they may not have administrative privileges on any other systems such as servers and physical workstations. Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Enabled with UEFI lock" selected for "Credential Guard Configuration:". v1507 LTSB does not include selection options; select "Enable Credential Guard". A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT APPLICABLE on 12/17/2025 ResultHash: 35876C8966B85EC1E2B626A04F1F3A7173B7D72A ~~~~~ System is a 'Standalone Workstation' so this requirement is NA.
Source: MONT-SW-89108_Win10_V3R5_20251217-203019.ckl
Scan Date: 2026-03-04T15:25:16.342077
Technology Area: Windows Operating System
|
| V-220812 | CAT I | MONT-SW-89134 | Microsoft Windows 10 Security Technical ... | Credential Guard must be running on Windows 10 dom... | - | |||
Check Text: Confirm Credential Guard is running on domain-joined systems. For devices that support Credential Guard, this feature must be enabled. Organizations must take the appropriate action to acquire and implement compatible hardware with Credential Guard enabled. Virtualization based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDIs) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop. For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is Not Applicable. Run "PowerShell" with elevated privileges (run as administrator). Enter the following: "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" If "SecurityServicesRunning" does not include a value of "1" (e.g., "{1, 2}"), this is a finding. Alternately: Run "System Information". Under "System Summary", verify the following: If "Virtualization-based Security Services Running" does not list "Credential Guard", this is a finding. The policy settings referenced in the Fix section will configure the following registry value. However, due to hardware requirements, the registry value alone does not ensure proper function. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ Value Name: LsaCfgFlags Value Type: REG_DWORD Value: 0x00000001 (1) (Enabled with UEFI lock)
Fix Text: Virtualization based security, including Credential Guard, currently cannot be implemented in VDIs due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop. For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is Not Applicable. For VDIs with persistent desktops, this may be downgraded to a CAT II only where administrators have specific tokens for the VDI. Administrator accounts on virtual desktops must only be used on systems in the VDI; they may not have administrative privileges on any other systems such as servers and physical workstations. Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Enabled with UEFI lock" selected for "Credential Guard Configuration:". v1507 LTSB does not include selection options; select "Enable Credential Guard". A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard
Finding Details: Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT APPLICABLE on 12/17/2025 ResultHash: 35876C8966B85EC1E2B626A04F1F3A7173B7D72A ~~~~~ System is a 'Standalone Workstation' so this requirement is NA.
Source: MONT-SW-89134_Win10_V3R5_20251217-201218.ckl
Scan Date: 2026-03-04T15:25:42.339596
Technology Area: Windows Operating System
|
| V-220823 | CAT I | MONT-WS-92040 | Microsoft Windows 10 Security Technical ... | Solicited Remote Assistance must not be allowed. | - | |||
Check Text: If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fAllowToGetHelp Value Type: REG_DWORD Value: 0
Fix Text: Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Remote Assistance >> "Configure Solicited Remote Assistance" to "Disabled".
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 710AE588AB6A9F5E0B92559BED20BF35AFCB73BE ~~~~~ 'Configure Solicited Remote Assistance' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services Value Name: fAllowToGetHelp Value: 0x00000000 (0) Type: REG_DWORD
Source: _Reviewed/MONT-WS-92040/Checklist/MONT-WS-92040_Win10_V3R4_20251023-142421.ckl
Scan Date: 2026-01-14T12:57:26.690022
Technology Area: Windows Operating System
|
| V-220823 | CAT I | MONT-WS-92010 | Microsoft Windows 10 Security Technical ... | Solicited Remote Assistance must not be allowed. | - | |||
Check Text: If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fAllowToGetHelp Value Type: REG_DWORD Value: 0
Fix Text: Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Remote Assistance >> "Configure Solicited Remote Assistance" to "Disabled".
Finding Details: Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 710AE588AB6A9F5E0B92559BED20BF35AFCB73BE ~~~~~ 'Configure Solicited Remote Assistance' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services Value Name: fAllowToGetHelp Value: 0x00000000 (0) Type: REG_DWORD
Source: _Reviewed/MONT-WS-92010/Checklist/MONT-WS-92010_Win10_V3R4_20251023-141133.ckl
Scan Date: 2026-01-14T12:57:28.689048
Technology Area: Windows Operating System
|