Incorrect Registry Key in some Windows ADMX/ADML Templates
Product Name: CIS Benchmark™
Product Version: Windows Benchmarks
Date: Jul 17, 2024
Problem
CIS discovered an error in the Windows 11 23H2 ADMX templates originally deployed by Microsoft in October 2023. The error affected the GPO “Do not allow password expiration time longer than required by policy” and, as a result, the following CIS Benchmarks were affected:
· Microsoft Windows 10 Enterprise v3.0.0
· Microsoft Windows 11 Enterprise v3.0.0
· Microsoft Server 2019 v3.0.0
· Microsoft Server 2019 v3.0.1
· Microsoft Windows Server 2022 v3.0.0
· EMS Gateway v3.0.0
Solution
Microsoft has since corrected this error and reissued new ADMX templates (Windows 11 23H2 v2.0). Since the default setting is Enabled, which is the most secure configuration, CIS has decided not to update the above Benchmarks until their next standard release.
CIS urges all members to update and deploy the latest Microsoft templates.
CIS-CAT Pro Assessor users need to be aware of the following recommendation results, which will be corrected in the next standard release of the impacted benchmarks:
· Users of the v1 ADMX template will get a false PASS for this recommendation
· Users of the v2 ADMX template will get a false FAIL for this recommendation
Additional details
The release of the Microsoft ADMX Templates for Windows 11 2023 Update (23H2), from the Official Microsoft Store, contained a GPO that set a legacy registry value for the recommendation 18.9.25.2 (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'.
After the publication of the aforementioned benchmarks, it was found that the template contained a legacy registry value, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS: PwdExpirationProtectionEnabled, for the setting.
CIS worked with Microsoft to have the Windows 11 2023 (23H2) Templates updated on their official download site. On May 24, 2024, Microsoft published version 2 of the Microsoft ADMX Templates for Windows 11 2023 Update (23H2) – v2 that contains the correct (updated) registry value, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS: PasswordExpirationProtectionEnabled, for the setting.
Because of the initial issue with the ADMX templates and this update, the content for this recommendation in the above-mentioned benchmarks is incorrect in the CIS Benchmark prose documents, in the CIS-CAT automated assessment content (AAC), and in the XCCDF and OVAL files.
Prose Documentation
The Audit Section for this recommendation states that the registry value to check is PwdExpirationProtectionEnabled. If the original version of the ADMX templates is used, this is the registry value that the OS produces. If a member updates the ADMX templates to the newest version (as we suggest doing), the registry value the OS sets will instead be PasswordExpirationProtectionEnabled, which is the correct value for this setting. The Audit Section of the prose documentation therefore names the wrong registry value. Members can fork the Benchmark in CIS Workbench and change the value, if needed.
CIS-CAT AAC (Automated Assessment Content)
The Audit Section from the Windows Benchmark is used in building the XCCDF + OVAL content (artifacts) that CIS-CAT Pro Assessor ingests to perform compliance scanning. As a result, the recommendation receives an incorrect result in CIS-CAT both at present and after a member updates the ADMX templates:
· Before ADMX Template update (original templates): The registry value, PwdExpirationProtectionEnabled, will be created by the OS. This is the incorrect value for this recommendation to be set properly on the system. A false PASS will be recorded by CIS-CAT.
· After ADMX template update (v2): The registry value, PasswordExpirationProtectionEnabled, will be created on the system by the OS. This is the correct value and will set the recommendation as prescribed. A false FAIL will be recorded by CIS-CAT because it will be looking for the old value of PwdExpirationProtectionEnabled. If a member would like to correct this, they can fork the benchmark and correct the Audit Section and Artifact for this recommendation.
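The following PowerShell function is an added example for administrators, not CIS or Microsoft code, and is not part of this advisory. It reads the LAPS policy key named above and reports which of the two value names (the legacy PwdExpirationProtectionEnabled from the v1 templates, or the corrected PasswordExpirationProtectionEnabled from the v2 templates) is present, so a member can tell which template generation wrote the policy and which of the two incorrect CIS-CAT outcomes described above to expect until the benchmark is refreshed. It assumes the key path given in this advisory, that the policy is run locally with rights to read HKLM, and that "Enabled" is stored as the REG_DWORD value 1 (this last point is an assumption of the example, not a statement from the advisory). The function name and the `-PolicyKey` parameter are the example's own.

```powershell
# Added example (not CIS or Microsoft code): audit which LAPS policy value name
# is present and interpret it according to the CIS advisory on the ADMX templates.
function Test-LapsPasswordExpirationPolicy {
    [CmdletBinding()]
    param(
        # Key path from the advisory; parameterised so a loaded offline hive can be checked too.
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'
    )

    # Value names from the advisory: legacy (v1 ADMX) and corrected (v2 ADMX).
    $legacyName  = 'PwdExpirationProtectionEnabled'
    $currentName = 'PasswordExpirationProtectionEnabled'

    $report = [ordered]@{
        PolicyKey          = $PolicyKey
        KeyExists          = Test-Path -Path $PolicyKey
        LegacyValue        = $null   # data of PwdExpirationProtectionEnabled, if present
        CurrentValue       = $null   # data of PasswordExpirationProtectionEnabled, if present
        TemplateGeneration = 'Unknown'
        SettingEnforced    = $false  # assumption: Enabled is stored as REG_DWORD 1
        ExpectedCisCat     = 'n/a'   # outcome per the advisory until the benchmark is refreshed
        Note               = ''
    }

    if ($report.KeyExists) {
        # Read all values under the key; a missing value simply is not a property.
        $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        if ($null -ne $props) {
            $names = $props.PSObject.Properties.Name
            if ($names -contains $legacyName)  { $report.LegacyValue  = [int]$props.$legacyName }
            if ($names -contains $currentName) { $report.CurrentValue = [int]$props.$currentName }
        }
    }

    if ($null -ne $report.CurrentValue) {
        # Corrected name present: the OS honours this one.
        $report.TemplateGeneration = 'v2 (corrected ADMX)'
        $report.SettingEnforced    = ($report.CurrentValue -eq 1)
        if ($null -eq $report.LegacyValue) {
            $report.ExpectedCisCat = 'false FAIL'
            $report.Note = 'Assessor still checks the legacy name; setting is applied by the OS.'
        } else {
            $report.ExpectedCisCat = 'depends on legacy value'
            $report.Note = 'Both names present; assessor keys on the legacy name only.'
        }
    } elseif ($null -ne $report.LegacyValue) {
        # Only the legacy name present: written by the v1 templates and not honoured by the OS.
        $report.TemplateGeneration = 'v1 (original ADMX)'
        $report.SettingEnforced    = $false
        $report.ExpectedCisCat     = 'false PASS'
        $report.Note = 'Legacy value does not apply the setting; update ADMX templates and re-apply GPO.'
    } else {
        $report.Note = 'Neither value present; policy not applied. Microsoft default is Enabled.'
    }

    [pscustomobject]$report
}

# Usage: run in an elevated session on the assessed host.
Test-LapsPasswordExpirationPolicy | Format-List
```

Pointing `-PolicyKey` at a hive loaded with `reg load` lets the same check run against an offline system image; in either case the function only reads the key and never writes to it, so it can be run safely during an assessment.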
Build-Kit
Since the GPO name (Do not allow password expiration time longer than required by policy) and the configuration (Enabled) of the setting were correct, this does not affect the CIS Build Kit.
Default Value
The Microsoft default value for this setting is Enabled, which is the most secure configuration option.
Keywords: ADMX, ADML, password expiration time