Windows 11 systems must use either Group Policy or an approved Mobile Device Management (MDM) product to enforce STIG compliance.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-268318 | WN11-CC-000063 | SV-268318r1135322_rule | CCI-000366 | medium |
| Description |
| Without Windows 11 systems being managed, devices could be rogue and become targets of an attacker. |
| STIG | Date |
| Microsoft Windows 11 Security Technical Implementation Guide | 2026-02-12 |
Related Frameworks
4 paths across 3 frameworks
NIST 800-53 (1 mapping)
CM-6
1.00
- DISA · V2R7 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-171 (2 mappings)
3.4.1
1.00
- DISA · V2R7 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · V2R7 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI (1 mapping)
CCI-000366
1.00
- DISA · V2R7 · disa_xccdf · related
Details
Check Text (C-268318r1135322_chk)
Verify the Windows 11 system is receiving policy from either Group Policy or an MDM with the following steps:
From a command line or PowerShell:
gpresult /R
OS Configuration: Member Workstation
If the system is not being managed by GPO, ask the administrator to indicate which MDM is managing the device.
From PowerShell: Get-Service -Name "IntuneManagementExtension"
If the Windows 11 system is not receiving policy from either Group Policy or an MDM, this is a finding.
This is NA for standalone, nondomain-joined systems.
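The two checks above can be combined into one function for use across many workstations. This is an added example, not part of the STIG text; the function name `Get-ManagementState` and its result strings are hypothetical, and it assumes English-language `gpresult` output and can detect only Intune, so any other MDM still has to be confirmed with the administrator.

```powershell
# Added example (not from the STIG): collects the evidence the Check Text asks for.
# Assumptions: English gpresult output; Intune is the only MDM detected here.
function Get-ManagementState {
    [CmdletBinding()]
    param()

    # Check 1: read the "OS Configuration" line from gpresult /R.
    $osConfig = $null
    $match = gpresult /R 2>$null |
        Select-String -Pattern '^\s*OS Configuration:\s*(.+)$' |
        Select-Object -First 1
    if ($match) {
        $osConfig = $match.Matches[0].Groups[1].Value.Trim()
    }

    # Check 2: look for the Intune agent service named in the Check Text.
    $svc = Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue
    $intuneRunning = [bool]($svc -and $svc.Status -eq 'Running')

    # Map the evidence to an outcome. Anything ambiguous is sent to manual review
    # rather than being reported as compliant.
    $assessment =
        if ($osConfig -like 'Member*') {
            'Domain member: Group Policy is the expected policy source'
        }
        elseif ($intuneRunning) {
            'Intune management extension is running: MDM-managed'
        }
        elseif ($osConfig -like 'Standalone*') {
            'Standalone, no Intune agent: NA unless another MDM should manage it'
        }
        else {
            'Undetermined: confirm the policy source with the administrator'
        }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OSConfiguration = $osConfig
        IntuneService   = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        Assessment      = $assessment
    }
}

Get-ManagementState | Format-List
```

A domain member result shows only that the system is joined; run `gpresult /R` from an elevated prompt to see the applied computer policy objects when that needs to be evidenced.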
Fix Text (F-72242r1028259_fix)
Configure the Windows 11 system to use either Group Policy or an approved MDM product to enforce STIG compliance.