Incorrect Registry Key in some Windows ADMX/ADML Templates

Problem

Solution

Microsoft has since corrected this error and reissued new ADMX templates (Windows 11 23H2 v2.0). Since the default setting is Enabled, which is the most secure configuration, CIS has made the decision to not update the above Benchmarks until their next standard release.

CIS urges all members to update and deploy the latest Microsoft templates.

CIS-CAT Pro Assessor users need to be aware of the following recommendation results which will be corrected in the next standard release of impacted benchmarks.

Additional details

The release of the Microsoft ADMX Templates for Windows 11 2023 Update (23H2), from the Official Microsoft Store, contained a GPO that set a legacy registry value for the recommendation 18.9.25.2 (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'.

After the publication of the aforementioned benchmarks, it was found that the template contained a legacy registry value, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS: PwdExpirationProtectionEnabled, for the setting.

CIS worked with Microsoft to have the Windows 11 2023 (23H2) Templates updated on their official download site. On May 24, 2024, Microsoft published version 2 of the Microsoft ADMX Templates for Windows 11 2023 Update (23H2) – v2 that contains the correct (updated) registry value, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS: PasswordExpirationProtectionEnabled, for the setting.

Due to the initial issue with ADMX templates and this update, the content in the above-mentioned benchmarks is incorrect in the CIS Benchmark Prose Documents, and CIS-CAT automated assessment content (AAC) and the XCCDF and OVAL files.

Prose Documentation

The Audit Section for this recommendation states that the value of the registry key is PwdExpirationProtectionEnabled. If the original version of the ADMX templates is used, this is the registry key that is produced by the OS. If a member updates the ADMX templates to the newest version (as we suggest doing), then the registry value the OS sets will be PasswordExpirationProtectionEnabled, which is the correct value for this setting. The Audit Section of the Prose Documentation incorrectly states the wrong value for the registry. Members can fork the Benchmark in CIS Workbench and change the value, if needed.  

CIS-CAT AAC (Automated Assessment Content)

The Audit Section from the Windows Benchmark is used in building the XCCDF + OVAL content (artifacts) that CIS-CAT Pro Assessor ingests to perform compliance scanning. Due to this, the recommendation at present, and after a member updates the ADMX templates, will receive a false positive in CIS-CAT.

·        Before ADMX Template update (original templates): The registry value, PwdExpirationProtectionEnabled, will be created by the OS. This is the incorrect value for this recommendation to be set properly on the system. A false PASS will be recorded by CIS-CAT.

·        After ADMX template update (v2): The registry value, PasswordExpirationProtectionEnabled, will be created on the system by the OS. This is the correct value and will set the recommendation as prescribed. A false FAIL will be recorded by CIS-CAT because it will be looking for the old value of PwdExpirationProtectionEnabled. If a member would like to correct this, they can fork the benchmark and correct the Audit Section and Artifact for this recommendation.

Build-Kit

Since the GPO name (Do not allow password expiration time longer than required by policy) and configuration (Enabled) of the setting was correct, this does not affect the CIS-Build-Kit.

Default Value

The Microsoft default value for this setting is Enabled which is the most secure configuration option.

Keywords; ADMX ADML password expiration time

Content by Label