
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Microsoft Windows 11 Security Technical Implementation Guide

Version: V2R7
Benchmark ID: Microsoft_Windows_11_STIG
Total Checks: 262
Tags: windows
Severity breakdown: CAT I: 27, CAT II: 218, CAT III: 17

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (262)

V-253254  MEDIUM  Domain-joined systems must use Windows 11 Enterprise Edition 64-bit version.
V-253255  MEDIUM  Windows 11 domain-joined systems must have a Trusted Platform Module (TPM) enabled.
V-253256  MEDIUM  Windows 11 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
V-253257  MEDIUM  Secure Boot must be enabled on Windows 11 systems.
V-253259  HIGH    Windows 11 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest.
V-253260  HIGH    Windows 11 systems must use a BitLocker PIN for pre-boot authentication.
V-253261  MEDIUM  Windows 11 systems must use a BitLocker PIN with a minimum length of six digits for pre-boot authentication.
V-253262  MEDIUM  The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
V-253263  HIGH    Windows 11 systems must be maintained at a supported servicing level.
V-253264  HIGH    The Windows 11 system must use an antivirus program.
V-253265  HIGH    Local volumes must be formatted using NTFS.
V-253266  MEDIUM  Alternate operating systems must not be permitted on the same system.
V-253267  MEDIUM  Non-system-created file shares on a system must limit access to groups that require it.
V-253268  LOW     Unused accounts must be disabled or removed from the system after 35 days of inactivity.
V-253269  HIGH    Only accounts responsible for the administration of a system must have Administrator rights on the system.
V-253270  MEDIUM  Only accounts responsible for the backup operations must be members of the Backup Operators group.
V-253271  MEDIUM  Only authorized user accounts must be allowed to create or run virtual machines on Windows 11 systems.
V-253272  LOW     Standard local user accounts must not exist on a system in a domain.
V-253273  MEDIUM  Accounts must be configured to require password expiration.
V-253274  MEDIUM  Permissions for system files and directories must conform to minimum requirements.
V-253275  HIGH    Internet Information System (IIS) or its subcomponents must not be installed on a workstation.
V-253276  MEDIUM  Simple Network Management Protocol (SNMP) must not be installed on the system.
V-253277  MEDIUM  Simple TCP/IP Services must not be installed on the system.
V-253278  MEDIUM  The Telnet Client must not be installed on the system.
V-253279  MEDIUM  The TFTP Client must not be installed on the system.
V-253280  MEDIUM  Software certificate installation files must be removed from Windows 11.
V-253281  MEDIUM  A host-based firewall must be installed and enabled on the system.
V-253282  MEDIUM  Inbound exceptions to the firewall on Windows 11 domain workstations must only allow authorized remote management hosts.
V-253284  HIGH    Structured Exception Handling Overwrite Protection (SEHOP) must be enabled.
V-253285  MEDIUM  The Windows PowerShell 2.0 feature must be disabled on the system.
V-253286  MEDIUM  The Server Message Block (SMB) v1 protocol must be disabled on the system.
V-253287  MEDIUM  The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
V-253288  MEDIUM  The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
V-253289  MEDIUM  The Secondary Logon service must be disabled on Windows 11.
V-253290  MEDIUM  Orphaned security identifiers (SIDs) must be removed from user rights on Windows 11.
V-253291  MEDIUM  Bluetooth must be turned off unless approved by the organization.
V-253293  MEDIUM  The system must notify the user when a Bluetooth device attempts to connect.
V-253294  HIGH    Administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
V-253295  MEDIUM  Windows 11 nonpersistent VM sessions must not exceed 24 hours.
V-253296  LOW     The Windows 11 time service must synchronize with an appropriate DOD time source.
V-253297  MEDIUM  Windows 11 account lockout duration must be configured to 15 minutes or greater.
V-253298  MEDIUM  The number of allowed bad logon attempts must be configured to three or less.
V-253299  MEDIUM  The period of time before the bad logon counter is reset must be configured to 15 minutes.
V-253300  MEDIUM  The password history must be configured to 24 passwords remembered.
V-253301  MEDIUM  The maximum password age must be configured to 60 days or less.
V-253302  MEDIUM  The minimum password age must be configured to at least 1 day.
V-253303  MEDIUM  Passwords must, at a minimum, be 14 characters.
V-253304  MEDIUM  The built-in Microsoft password complexity filter must be enabled.
V-253305  HIGH    Reversible password encryption must be disabled.
V-253306  MEDIUM  The system must be configured to audit Account Logon - Credential Validation failures.
V-253307  MEDIUM  The system must be configured to audit Account Logon - Credential Validation successes.
V-253308  MEDIUM  The system must be configured to audit Account Management - Security Group Management successes.
V-253309  MEDIUM  The system must be configured to audit Account Management - User Account Management failures.
V-253310  MEDIUM  The system must be configured to audit Account Management - User Account Management successes.
V-253311  MEDIUM  The system must be configured to audit Detailed Tracking - PNP Activity successes.
V-253312  MEDIUM  The system must be configured to audit Detailed Tracking - Process Creation successes.
V-253313  MEDIUM  The system must be configured to audit Logon/Logoff - Account Lockout failures.
V-253314  MEDIUM  The system must be configured to audit Logon/Logoff - Group Membership successes.
V-253315  MEDIUM  The system must be configured to audit Logon/Logoff - Logoff successes.
V-253316  MEDIUM  The system must be configured to audit Logon/Logoff - Logon failures.
V-253317  MEDIUM  The system must be configured to audit Logon/Logoff - Logon successes.
V-253318  MEDIUM  The system must be configured to audit Logon/Logoff - Special Logon successes.
V-253319  MEDIUM  Windows 11 must be configured to audit Object Access - File Share failures.
V-253320  MEDIUM  Windows 11 must be configured to audit Object Access - File Share successes.
V-253321  MEDIUM  Windows 11 must be configured to audit Object Access - Other Object Access Events successes.
V-253322  MEDIUM  Windows 11 must be configured to audit Object Access - Other Object Access Events failures.
V-253323  MEDIUM  The system must be configured to audit Object Access - Removable Storage failures.
V-253324  MEDIUM  The system must be configured to audit Object Access - Removable Storage successes.
V-253325  MEDIUM  The system must be configured to audit Policy Change - Audit Policy Change successes.
V-253326  MEDIUM  The system must be configured to audit Policy Change - Authentication Policy Change successes.
V-253327  MEDIUM  The system must be configured to audit Policy Change - Authorization Policy Change successes.
V-253328  MEDIUM  The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
V-253329  MEDIUM  The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
V-253330  MEDIUM  The system must be configured to audit System - IPsec Driver failures.
V-253331  MEDIUM  The system must be configured to audit System - Other System Events successes.
V-253332  MEDIUM  The system must be configured to audit System - Other System Events failures.
V-253333  MEDIUM  The system must be configured to audit System - Security State Change successes.
V-253334  MEDIUM  The system must be configured to audit System - Security System Extension successes.
V-253335  MEDIUM  The system must be configured to audit System - System Integrity failures.
V-253336  MEDIUM  The system must be configured to audit System - System Integrity successes.
V-253337  MEDIUM  The Application event log size must be configured to 32768 KB or greater.
V-253338  MEDIUM  The security event log size must be configured to a value that holds at least one week's worth of audit records.
V-253339  MEDIUM  The System event log size must be configured to 32768 KB or greater.
V-253340  MEDIUM  Windows 11 permissions for the Application event log must prevent access by non-privileged accounts.
V-253341  MEDIUM  Windows 11 permissions for the Security event log must prevent access by non-privileged accounts.
V-253342  MEDIUM  Windows 11 permissions for the System event log must prevent access by non-privileged accounts.
V-253344  MEDIUM  Windows 11 must be configured to audit Other Policy Change Events Failures.
V-253345  MEDIUM  Windows 11 must be configured to audit other Logon/Logoff Events Successes.
V-253346  MEDIUM  Windows 11 must be configured to audit other Logon/Logoff Events Failures.
V-253347  MEDIUM  Windows 11 must be configured to audit Detailed File Share Failures.
V-253348  MEDIUM  Windows 11 must be configured to audit MPSSVC Rule-Level Policy Change Successes.
V-253349  MEDIUM  Windows 11 must be configured to audit MPSSVC Rule-Level Policy Change Failures.
V-253350  MEDIUM  Camera access from the lock screen must be disabled.
V-253351  MEDIUM  Windows 11 must cover or disable the built-in or attached camera when not in use.
V-253352  MEDIUM  The display of slide shows on the lock screen must be disabled.
V-253353  MEDIUM  IPv6 source routing must be configured to highest protection.
V-253354  MEDIUM  The system must be configured to prevent IP source routing.
V-253355  LOW     The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
V-253356  LOW     The system must be configured to ignore NetBIOS name release requests except from WINS servers.
V-253357  MEDIUM  Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
V-253358  MEDIUM  WDigest Authentication must be disabled.
V-253359  MEDIUM  Run as different user must be removed from context menus.
V-253360  MEDIUM  Insecure logons to an SMB server must be disabled.
V-253361  MEDIUM  Internet connection sharing must be disabled.
V-253362  MEDIUM  Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
V-253363  MEDIUM  Windows 11 must be configured to prioritize ECC Curves with longer key lengths first.
V-253364  MEDIUM  Simultaneous connections to the internet or a Windows domain must be limited.
V-253365  MEDIUM  Connections to non-domain networks when connected to a domain authenticated network must be blocked.
V-253366  MEDIUM  Wi-Fi Sense must be disabled.
V-253367  MEDIUM  Command line data must be included in process creation events.
V-253368  MEDIUM  Windows 11 must be configured to enable Remote host allows delegation of non-exportable credentials.
V-253369  MEDIUM  Virtualization-based Security must be enabled on Windows 11 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
V-253370  HIGH    Credential Guard must be running on Windows 11 domain-joined systems.
V-253371  MEDIUM  Virtualization-based protection of code integrity must be enabled.
V-253372  MEDIUM  Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers.
V-253373  MEDIUM  Group Policy objects must be reprocessed even if they have not changed.
V-253374  MEDIUM  Downloading print driver packages over HTTP must be prevented.
V-253375  MEDIUM  Web publishing and online ordering wizards must be prevented from downloading a list of providers.
V-253376  MEDIUM  Printing over HTTP must be prevented.
V-253377  MEDIUM  Systems must at least attempt device authentication using certificates.
V-253378  MEDIUM  The network selection user interface (UI) must not be displayed on the logon screen.
V-253379  MEDIUM  Local users on domain-joined computers must not be enumerated.
V-253380  MEDIUM  Users must be prompted for a password on resume from sleep (on battery).
V-253381  MEDIUM  The user must be prompted for a password on resume from sleep (plugged in).
V-253382  HIGH    Solicited Remote Assistance must not be allowed.
V-253383  MEDIUM  Unauthenticated RPC clients must be restricted from connecting to the RPC server.
V-253384  LOW     The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.
V-253385  LOW     The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
V-253386  HIGH    Autoplay must be turned off for non-volume devices.
V-253387  HIGH    The default autorun behavior must be configured to prevent autorun commands.
V-253388  HIGH    Autoplay must be disabled for all drives.
V-253389  MEDIUM  Enhanced anti-spoofing for facial recognition must be enabled on Windows 11.
V-253390  LOW     Microsoft consumer experiences must be turned off.
V-253391  MEDIUM  Administrator accounts must not be enumerated during elevation.
V-253392  MEDIUM  Enhanced diagnostic data must be limited to the minimum required to support Windows Analytics.
V-253393  MEDIUM  Windows Telemetry must not be configured to Full.
V-253394  LOW     Windows Update must not obtain updates from other PCs on the internet.
V-253395  MEDIUM  The Microsoft Defender SmartScreen for Explorer must be enabled.
V-253396  MEDIUM  Explorer Data Execution Prevention must be enabled.
V-253397  LOW     File Explorer heap termination on corruption must be disabled.
V-253398  MEDIUM  File Explorer shell protocol must run in protected mode.
V-253399  MEDIUM  Windows 11 must be configured to disable Windows Game Recording and Broadcasting.
V-253400  MEDIUM  The use of a hardware security device with Windows Hello for Business must be enabled.
V-253401  MEDIUM  Windows 11 must be configured to require a minimum pin length of six characters or greater.
V-253402  MEDIUM  Passwords must not be saved in the Remote Desktop Client.
V-253403  MEDIUM  Local drives must be prevented from sharing with Remote Desktop Session Hosts.
V-253404  MEDIUM  Remote Desktop Services must always prompt a client for passwords upon connection.
V-253405  MEDIUM  The Remote Desktop Session Host must require secure RPC communications.
V-253406  MEDIUM  Remote Desktop Services must be configured with the client connection encryption set to the required level.
V-253407  MEDIUM  Attachments must be prevented from being downloaded from RSS feeds.
V-253408  MEDIUM  Basic authentication for RSS feeds over HTTP must not be used.
V-253409  MEDIUM  Indexing of encrypted files must be turned off.
V-253410  MEDIUM  Users must be prevented from changing installation options.
V-253411  HIGH    The Windows Installer feature "Always install with elevated privileges" must be disabled.
V-253412  MEDIUM  Users must be notified if a web-based program attempts to install software.
V-253413  MEDIUM  Automatically signing in the last interactive user after a system-initiated restart must be disabled.
V-253414  MEDIUM  PowerShell script block logging must be enabled on Windows 11.
V-253415  MEDIUM  PowerShell Transcription must be enabled on Windows 11.
V-253416  HIGH    The Windows Remote Management (WinRM) client must not use Basic authentication.
V-253417  MEDIUM  The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
V-253418  HIGH    The Windows Remote Management (WinRM) service must not use Basic authentication.
V-253419  MEDIUM  The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
V-253420  MEDIUM  The Windows Remote Management (WinRM) service must not store RunAs credentials.
V-253421  MEDIUM  The Windows Remote Management (WinRM) client must not use Digest authentication.
V-253422  MEDIUM  Windows 11 must be configured to prevent Windows apps from being activated by voice while the system is locked.
V-253423  MEDIUM  The convenience PIN for Windows 11 must be disabled.
V-253424  MEDIUM  Windows Ink Workspace must be configured to disallow access above the lock.
V-253425  LOW     Windows 11 must be configured to prevent users from receiving suggestions for third-party or additional applications.
V-253426  MEDIUM  Windows 11 Kernel (Direct Memory Access) DMA Protection must be enabled.
V-253427  MEDIUM  The DoD Root CA certificates must be installed in the Trusted Root Store.
V-253428  MEDIUM  The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems.
V-253429  MEDIUM  The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
V-253430  MEDIUM  The US DOD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
V-253431  MEDIUM  Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
V-253433  MEDIUM  The built-in guest account must be disabled.
V-253434  MEDIUM  Local accounts with blank passwords must be restricted to prevent access from the network.
V-253435  MEDIUM  The built-in administrator account must be renamed.
V-253436  MEDIUM  The built-in guest account must be renamed.
V-253437  MEDIUM  Audit policy using subcategories must be enabled.
V-253438  MEDIUM  Outgoing secure channel traffic must be encrypted or signed.
V-253439  MEDIUM  Outgoing secure channel traffic must be encrypted.
V-253440  MEDIUM  Outgoing secure channel traffic must be signed.
V-253441  LOW     The computer account password must not be prevented from being reset.
V-253442  LOW     The maximum age for machine account passwords must be configured to 30 days or less.
V-253443  MEDIUM  The system must be configured to require a strong session key.
V-253444  MEDIUM  The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
V-253445  MEDIUM  The required legal notice must be configured to display before console logon.
V-253446  LOW     The Windows message title for the legal notice must be configured.
V-253447  LOW     Caching of logon credentials must be limited.
V-253448  MEDIUM  The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
V-253449  MEDIUM  The Windows SMB client must be configured to always perform SMB packet signing.
V-253450  MEDIUM  Unencrypted passwords must not be sent to third-party SMB Servers.
V-253451  MEDIUM  The Windows SMB server must be configured to always perform SMB packet signing.
V-253452  HIGH    Anonymous SID/Name translation must not be allowed.
V-253453  HIGH    Anonymous enumeration of SAM accounts must not be allowed.
V-253454  HIGH    Anonymous enumeration of shares must be restricted.
V-253455  MEDIUM  The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
V-253456  HIGH    Anonymous access to Named Pipes and Shares must be restricted.
V-253457  MEDIUM  Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
V-253458  MEDIUM  NTLM must be prevented from falling back to a Null session.
V-253459  MEDIUM  PKU2U authentication using online identities must be prevented.
V-253460  MEDIUM  Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
V-253461  HIGH    The system must be configured to prevent the storage of the LAN Manager hash of passwords.
V-253462  HIGH    The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
V-253463  MEDIUM  The system must be configured to the required LDAP client signing level.
V-253464  MEDIUM  The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
V-253465  MEDIUM  The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
V-253466  MEDIUM  The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
V-253467  LOW     The default permissions of global system objects must be increased.
V-253468  MEDIUM  User Account Control approval mode for the built-in Administrator must be enabled.
V-253469  MEDIUM  User Account Control must prompt administrators for consent on the secure desktop.
V-253470  MEDIUM  Windows 11 must use multifactor authentication for local and network access to privileged and nonprivileged accounts.
V-253471  MEDIUM  User Account Control must automatically deny elevation requests for standard users.
V-253472  MEDIUM  User Account Control must be configured to detect application installations and prompt for elevation.
V-253473  MEDIUM  User Account Control must only elevate UIAccess applications that are installed in secure locations.
V-253474  MEDIUM  User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
V-253475  MEDIUM  User Account Control must virtualize file and registry write failures to per-user locations.
V-253476  MEDIUM  Passwords for enabled local Administrator accounts must be changed at least every 60 days.
V-253477  LOW     Toast notifications to the lock screen must be turned off.
V-253478  MEDIUM  Zone information must be preserved when saving attachments.
V-253479  MEDIUM  The "Access Credential Manager as a trusted caller" user right must not be assigned to any groups or accounts.
V-253480  MEDIUM  The "Access this computer from the network" user right must only be assigned to the Administrators and Remote Desktop Users groups.
V-253481  HIGH    The "Act as part of the operating system" user right must not be assigned to any groups or accounts.
V-253482  MEDIUM  The "Allow log on locally" user right must only be assigned to the Administrators and Users groups.
V-253483  MEDIUM  The "Back up files and directories" user right must only be assigned to the Administrators group.
V-253484  MEDIUM  The "Change the system time" user right must only be assigned to Administrators and Local Service.
V-253485  MEDIUM  The "Create a pagefile" user right must only be assigned to the Administrators group.
V-253486  HIGH    The "Create a token object" user right must not be assigned to any groups or accounts.
V-253487  MEDIUM  The "Create global objects" user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-253488  MEDIUM  The "Create permanent shared objects" user right must not be assigned to any groups or accounts.
V-253489  MEDIUM  The "Create symbolic links" user right must only be assigned to the Administrators group.
V-253490  HIGH    The "Debug programs" user right must only be assigned to the Administrators group.
V-253491  MEDIUM  The "Deny access to this computer from the network" user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
V-253492  MEDIUM  The "Deny log on as a batch job" user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
V-253493  MEDIUM  The "Deny log on as a service" user right on Windows 11 domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
V-253494  MEDIUM  The "Deny log on locally" user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
V-253495  MEDIUM  The "Deny log on through Remote Desktop Services" user right on Windows 11 workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
V-253496  MEDIUM  The "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts.
V-253497  MEDIUM  The "Force shutdown from a remote system" user right must only be assigned to the Administrators group.
V-253498  MEDIUM  The "Impersonate a client after authentication" user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-253499  MEDIUM  The "Load and unload device drivers" user right must only be assigned to the Administrators group.
V-253500  MEDIUM  The "Lock pages in memory" user right must not be assigned to any groups or accounts.
V-253501  MEDIUM  The "Manage auditing and security log" user right must only be assigned to the Administrators group.
V-253502  MEDIUM  The "Modify firmware environment values" user right must only be assigned to the Administrators group.
V-253503  MEDIUM  The "Perform volume maintenance tasks" user right must only be assigned to the Administrators group.
V-253504  MEDIUM  The "Profile single process" user right must only be assigned to the Administrators group.
V-253505  MEDIUM  The "Restore files and directories" user right must only be assigned to the Administrators group.
V-253506  MEDIUM  The "Take ownership of files or other objects" user right must only be assigned to the Administrators group.
V-256893  MEDIUM  Internet Explorer must be disabled for Windows 11.
V-257592  MEDIUM  Windows 11 must not have portproxy enabled or in use.
V-257770  MEDIUM  Windows 11 must have command line process auditing events enabled for failures.
V-268317  MEDIUM  Copilot must be disabled for Windows 11.
V-268318  MEDIUM  Windows 11 systems must use either Group Policy or an approved Mobile Device Management (MDM) product to enforce STIG compliance.
V-278926  MEDIUM  Windows 11 must be configured to audit file system failures.
V-278927  MEDIUM  Windows 11 must be configured to audit file system successes.
V-278928  MEDIUM  Windows 11 must be configured to audit handle manipulation failures.
V-278929  MEDIUM  Windows 11 must be configured to audit handle manipulation successes.
V-278930  MEDIUM  Windows 11 must be configured to audit registry failures.
V-278931  MEDIUM  Windows 11 must be configured to audit registry successes.
V-278932  MEDIUM  Windows 11 must be configured to audit sensitive privilege use successes.
V-278933  MEDIUM  Windows 11 must be configured to audit sensitive privilege use failures.
V-279688  MEDIUM  Windows 11 systems must block consumer account user authentication.