This script fixes the windows CIS Benchmark check 18.10.81.1: "Ensure 'Enable MPR notifications for the system' is set to 'Disabled'."

This script fixes the windows CIS Benchmark check 18.10.81.2: "Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'."

This script fixes the windows CIS Benchmark check 18.10.86.2: "Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'."

This script fixes the windows CIS Benchmark check 18.10.88.1.3: "Ensure 'Disallow Digest authentication' is set to 'Enabled'."

The script ensures that the registry key for WinRM Client is configured to disallow Digest authentication by setting the 'AllowDigest' value to 0. It then verifies the setting to confirm the CIS check passes.

Notes

• This script must be run with administrative privileges.
• It modifies the registry, so use with caution.

This script fixes the windows CIS Benchmark check 18.10.88.2.4: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'."

The script sets the registry key DisableRunAs to 1 under the specified path and checks if the change was successful. It ensures the script runs with administrative privileges and handles errors appropriately.

This script fixes the windows CIS Benchmark check 18.9.26.2: "Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock'."

The script modifies the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL to a value of 1 (DWORD) to enable LSASS to run as a protected process. It then verifies that the value is correctly set. This addresses the CIS check for 'Ensure "Configures LSASS to run as a protected process" is set to "Enabled: Enabled with UEFI Lock"' by setting the required registry value. Note that this script directly modifies the registry and may not enforce the UEFI lock aspect, which is typically handled via Group Policy.

Parameters

None This script does not require any parameters.

Example(s)

.\FixCisLsassProtectedProcess.ps1

Notes

• This script must be run with administrative privileges.
• It is compatible with PowerShell 5.1 and later.
• After running, check the output to confirm the CIS check passes.

This script fixes the windows CIS Benchmark check 18.6.21.1: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'."

This script fixes the windows CIS Benchmark check 18.6.10.2: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'."

This script fixes the windows CIS Benchmark check 18.10.89.1: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'."

The script modifies the Windows Registry to ensure remote shell access is disabled. It checks for administrative privileges, sets the required registry value, and verifies that the change was applied successfully.

This script fixes the windows CIS Benchmark check 18.10.90.1: "Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'."