This script fixes the Windows CIS Benchmark check 2.3.11.1: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'."
The script sets the registry key "UseMachineId" under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" to 1 (Enabled) and checks if the value was set correctly.
This script fixes the Windows CIS Benchmark check 18.10.9.1.7: "Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'."
• Creates HKLM\SOFTWARE\Policies\Microsoft\FVE if missing.
• Writes/overwrites DWORD FDVActiveDirectoryBackup = 1 in BOTH registry views (Registry64 and Registry32).
• Idempotent: rerunning simply re-applies the compliant value.
.\Set-BitLockerADBackupFixed.ps1

This script fixes the Windows CIS Benchmark check 18.10.9.1.1: "Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'."
• Creates HKLM\SOFTWARE\Policies\Microsoft\FVE if missing.
• Creates/overwrites value FDVDiscoveryVolumeType with "" (empty string).
• Writes to BOTH 64-bit and 32-bit registry views.
• Idempotent: re-running simply re-applies the compliant state.
.\Disable-LegacyFixedDriveAccess.ps1

This script fixes the Windows CIS Benchmark check 18.7.5: "Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'."

This script fixes the Windows CIS Benchmark check 5.4: "Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'."
The script:
.\Disable-MapsBroker.ps1

This script fixes the Windows CIS Benchmark check 5.2: "Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'."
The script:
.\Disable-BthServ.ps1

This script fixes the Windows CIS Benchmark check 5.1: "Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'."
The script:
.\Disable-BTAGService.ps1

This script fixes the Windows CIS Benchmark check 2.3.7.5: "Configure 'Interactive logon: Message text for users attempting to log on'."
Message: The warning text displayed to users before they log on. Defaults to a generic placeholder.
.\Set-LogonBanner.ps1 -Message "This computer is property of Example Corp. Unauthorized use is prohibited."