{
  "id": 1,
  "benchmarkId": "Windows_11_STIG",
  "slug": "microsoft_windows_11_20241015",
  "stigSlug": "microsoft-windows-11-security-technical-implementation-guide",
  "versionStatus": "historical",
  "status": "accepted",
  "statusDate": "2024-10-15T00:00:00.000Z",
  "title": "Microsoft Windows 11 Security Technical Implementation Guide",
  "description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents.",
  "version": "V1R5",
  "vendor": null,
  "createdAt": "2025-10-19T17:48:26.327Z",
  "updatedAt": "2026-04-25T11:34:40.388Z",
  "groups": [
    {
      "id": 1,
      "benchmarkId": 1,
      "groupId": "V-253270",
      "title": "SRG-OS-000032",
      "description": "Windows 11 systems must have Logon/Logoff auditing configured.",
      "ruleId": "SV-253270r829053_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "WN11-AU-000070",
      "ruleTitle": "Windows 11 must be configured to audit Logon/Logoff - Logon successes.",
      "ruleVulnDiscussion": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nThe Logon subcategory records user logons. An interactive logon is recorded on the local system. A logon to a network share is recorded on the system accessed.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000172",
      "ruleFixText": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \"Audit Logon\" with \"Success\" selected.",
      "ruleFixId": "F-56687r829052_fix",
      "ruleCheckSystem": "C-56688r829051_chk",
      "ruleCheckContent": "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN11-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\n\nOpen an elevated \"Command Prompt\" (run as administrator).\n\nEnter \"AuditPol /get /category:*\"\n\nCompare the AuditPol settings with the following:\n\nLogon/Logoff >> Logon - Success\n\nIf the system does not audit the following, this is a finding:\n\nLogon/Logoff >> Logon - Success",
      "createdAt": "2025-10-19T17:48:26.327Z",
      "updatedAt": "2025-10-19T17:48:26.327Z"
    },
    {
      "id": 2,
      "benchmarkId": 1,
      "groupId": "V-253271",
      "title": "SRG-OS-000480",
      "description": "Windows 11 systems must have UEFI firmware and be configured to run in UEFI mode.",
      "ruleId": "SV-253271r877392_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "high",
      "ruleVersion": "WN11-00-000005",
      "ruleTitle": "Windows 11 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode.",
      "ruleVulnDiscussion": "UEFI provides additional security features in comparison to legacy BIOS firmware, including Secure Boot. UEFI is required for Windows 11. Systems with UEFI firmware must be configured to run in UEFI mode to support Secure Boot.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000366",
      "ruleFixText": "Configure Windows 11 systems with UEFI firmware to run in UEFI mode.\n\nRefer to system documentation for configuration details.",
      "ruleFixId": "F-56688r819635_fix",
      "ruleCheckSystem": "C-56689r819634_chk",
      "ruleCheckContent": "Some hardware may not have UEFI firmware or may not support Secure Boot. Verify with the system vendor.\n\nRun \"System Information\".\n\nUnder \"System Summary\", if \"BIOS Mode\" does not display \"UEFI\", this is a finding.",
      "createdAt": "2025-10-19T17:48:26.327Z",
      "updatedAt": "2025-10-19T17:48:26.327Z"
    },
    {
      "id": 3,
      "benchmarkId": 1,
      "groupId": "V-253272",
      "title": "SRG-OS-000480",
      "description": "Windows 11 must have Secure Boot enabled.",
      "ruleId": "SV-253272r877393_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "high",
      "ruleVersion": "WN11-00-000010",
      "ruleTitle": "Windows 11 must have Secure Boot enabled.",
      "ruleVulnDiscussion": "Secure Boot is a security standard that ensures systems boot using only software that is trusted. This prevents rootkits and other malware from loading during the boot process.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000366",
      "ruleFixText": "Enable Secure Boot in the system firmware.\n\nRefer to system documentation for configuration details.",
      "ruleFixId": "F-56689r819638_fix",
      "ruleCheckSystem": "C-56690r819637_chk",
      "ruleCheckContent": "Some hardware may not support Secure Boot. Verify with the system vendor.\n\nRun \"System Information\".\n\nUnder \"System Summary\", if \"Secure Boot State\" does not display \"On\", this is a finding.",
      "createdAt": "2025-10-19T17:48:26.327Z",
      "updatedAt": "2025-10-19T17:48:26.327Z"
    },
    {
      "id": 4,
      "benchmarkId": 1,
      "groupId": "V-253273",
      "title": "SRG-OS-000370",
      "description": "Windows 11 must employ a deny-all, permit-by-exception policy.",
      "ruleId": "SV-253273r828637_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "WN11-00-000025",
      "ruleTitle": "Windows 11 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.",
      "ruleVulnDiscussion": "Utilizing a whitelist approach allows only authorized software programs to execute. This prevents malware and unauthorized software from executing.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-001764",
      "ruleFixText": "Configure Windows 11 to use Windows Defender Application Control (WDAC) to allow only approved applications to execute.\n\nRefer to Windows Defender Application Control documentation for configuration details.",
      "ruleFixId": "F-56690r828636_fix",
      "ruleCheckSystem": "C-56691r828635_chk",
      "ruleCheckContent": "Verify Windows Defender Application Control (WDAC) is implemented to allow only approved applications to execute.\n\nIf WDAC is not implemented, this is a finding.",
      "createdAt": "2025-10-19T17:48:26.327Z",
      "updatedAt": "2025-10-19T17:48:26.327Z"
    },
    {
      "id": 5,
      "benchmarkId": 1,
      "groupId": "V-253274",
      "title": "SRG-OS-000480",
      "description": "Windows 11 must have Virtualization-based Security enabled.",
      "ruleId": "SV-253274r877394_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "low",
      "ruleVersion": "WN11-00-000030",
      "ruleTitle": "Windows 11 must have Virtualization-based Security enabled.",
      "ruleVulnDiscussion": "Virtualization-based Security (VBS) provides the platform for the many security features available in Windows 11. VBS uses the hypervisor to support security services on the system.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000366",
      "ruleFixText": "Enable Virtualization-based Security.\n\nRefer to system documentation for configuration details.",
      "ruleFixId": "F-56691r819641_fix",
      "ruleCheckSystem": "C-56692r819640_chk",
      "ruleCheckContent": "Some hardware may not support Virtualization-based Security. Verify with the system vendor.\n\nRun \"System Information\".\n\nUnder \"System Summary\", if \"Virtualization-based Security\" does not display \"Running\", this is a finding.",
      "createdAt": "2025-10-19T17:48:26.327Z",
      "updatedAt": "2025-10-19T17:48:26.327Z"
    }
  ],
  "profiles": [
    {
      "id": 1,
      "benchmarkId": 1,
      "profileId": "MAC-1_Classified",
      "title": "I - Mission Critical Classified",
      "description": "Mission Critical - Classified",
      "createdAt": "2025-10-19T17:48:26.327Z",
      "updatedAt": "2025-10-19T17:48:26.327Z"
    },
    {
      "id": 2,
      "benchmarkId": 1,
      "profileId": "MAC-1_Public",
      "title": "I - Mission Critical Public",
      "description": "Mission Critical - Public",
      "createdAt": "2025-10-19T17:48:26.327Z",
      "updatedAt": "2025-10-19T17:48:26.327Z"
    },
    {
      "id": 3,
      "benchmarkId": 1,
      "profileId": "MAC-1_Sensitive",
      "title": "I - Mission Critical Sensitive",
      "description": "Mission Critical - Sensitive",
      "createdAt": "2025-10-19T17:48:26.327Z",
      "updatedAt": "2025-10-19T17:48:26.327Z"
    }
  ]
}