This script fixes the Windows CIS Benchmark check 18.10.9.1.7: "Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'."
• Creates HKLM\SOFTWARE\Policies\Microsoft\FVE if missing.
• Writes/overwrites DWORD FDVActiveDirectoryBackup = 1 in BOTH registry views (Registry64 and Registry32).
• Idempotent: rerunning simply re-applies the compliant value.
.\Set-BitLockerADBackupFixed.ps1

This script fixes the Windows CIS Benchmark check 18.10.9.1.1: "Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'."
• Creates HKLM\SOFTWARE\Policies\Microsoft\FVE if missing.
• Creates/overwrites value FDVDiscoveryVolumeType with "" (empty string).
• Writes to BOTH 64-bit and 32-bit registry views.
• Idempotent: re-running simply re-applies the compliant state.
.\Disable-LegacyFixedDriveAccess.ps1
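
The steps listed for check 18.10.9.1.1 (create the key if missing, write the empty string to both registry views, safe to re-run) can be sketched as below, with a read-back check added. This is an added example, not the repository's own script; the function and variable names are hypothetical, and only the key path and value name come from the description above.

```powershell
# Added example, not the repository's script. Function names are hypothetical;
# the key path and value name are the ones given in the description above.
$FveKey    = 'SOFTWARE\Policies\Microsoft\FVE'
$ValueName = 'FDVDiscoveryVolumeType'
$Views     = [Microsoft.Win32.RegistryView]::Registry64,
             [Microsoft.Win32.RegistryView]::Registry32

function Open-HklmView([Microsoft.Win32.RegistryView]$View) {
    [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
}

function Set-FdvDiscoveryVolumeType {
    foreach ($view in $Views) {
        $base = Open-HklmView $view
        try {
            # CreateSubKey opens the key if it exists and creates it otherwise.
            $key = $base.CreateSubKey($FveKey)
            try {
                $key.SetValue($ValueName, '', [Microsoft.Win32.RegistryValueKind]::String)
            } finally { $key.Dispose() }
        } finally { $base.Dispose() }
    }
}

function Test-FdvDiscoveryVolumeType {
    foreach ($view in $Views) {
        $base = Open-HklmView $view
        try {
            $key = $base.OpenSubKey($FveKey)   # read-only; $null if the key is absent
            $ok  = $false
            if ($null -ne $key) {
                try {
                    $ok = ($key.GetValueNames() -contains $ValueName) -and
                          ($key.GetValueKind($ValueName) -eq [Microsoft.Win32.RegistryValueKind]::String) -and
                          ($key.GetValue($ValueName) -eq '')
                } finally { $key.Dispose() }
            }
            [pscustomobject]@{ View = $view; Compliant = $ok }
        } finally { $base.Dispose() }
    }
}

# Run elevated: apply, then confirm both views report Compliant = True.
Set-FdvDiscoveryVolumeType
Test-FdvDiscoveryVolumeType | Format-Table -AutoSize
```

Running the test function on its own, without the set step, gives a read-only audit of the current state.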

This script fixes the Windows CIS Benchmark check 18.7.5: "Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'."

This script fixes the Windows CIS Benchmark check 5.4: "Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'."
The script:
.\Disable-MapsBroker.ps1

This script fixes the Windows CIS Benchmark check 5.2: "Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'."
The script:
.\Disable-BthServ.ps1

This script fixes the Windows CIS Benchmark check 5.1: "Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'."
The script:
.\Disable-BTAGService.ps1

This script fixes the Windows CIS Benchmark check 2.3.7.5: "Configure 'Interactive logon: Message text for users attempting to log on'."
Message: The warning text displayed to users before they log on. Defaults to a generic placeholder.
.\Set-LogonBanner.ps1 -Message "This computer is property of Example Corp. Unauthorized use is prohibited."

This script fixes the Windows CIS Benchmark check 2.3.7.6: "Configure 'Interactive logon: Message title for users attempting to log on'."
Title: Text displayed in the window title bar of the logon-message dialog.
Message: Multi-line warning shown in the body of the logon-message dialog.
.\Set-LogonBannerTitle.ps1 `
    -Title "Authorized Use Only" `
    -Message @"
THIS COMPUTER SYSTEM IS THE PROPERTY OF EXAMPLE CORPORATION.
UNAUTHORIZED ACCESS OR USE IS PROHIBITED AND SUBJECT TO DISCIPLINARY
ACTION AND PROSECUTION. USERS HAVE NO EXPECTATION OF PRIVACY.
BY CONTINUING, YOU CONSENT TO MONITORING.
"@

This script fixes the Windows CIS Benchmark check 2.3.1.4: "Configure 'Accounts: Rename administrator account'."
NewName: New name for the built-in Administrator account. Defaults to "LocalAdmin".
.\Rename-Administrator.ps1 -NewName "WorkstationSvc"