CIS 3.0.0 Controls Removed from the Baseline

Overview

Below are the controls and recommendations we are not deploying as part of CIS 3.0, or that we are deploying with a different value.

For each one we list the control, the rationale, the impact, and why we've decided against it:

Controls

| Control Number | Setting | Recommended Value | Rationale | Impact | Comment |
|---|---|---|---|---|---|
| 18.9.28.2 | Do not display network selection UI | Enabled | An unauthorized user could disconnect the PC from the network or connect the PC to other available networks without signing into Windows. | The PC's network connectivity state cannot be changed without signing into Windows. | This setting has been removed because the user cannot connect to a new wireless network at the logon screen, which becomes a problem with pre-provisioning. |
| 2.3.17.3 | User Account Control: Behavior of the elevation prompt for standard users | Automatically deny elevation requests | One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run. | When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. | This setting has been removed because the user is not prompted to enter the LAPS password when trying to install applications. |
| 18.10.17.1 | Enable App Installer | Disabled | Windows Package Manager is a command line tool that can be used to discover, install, upgrade, remove and configure applications, and it can be used as a distribution channel for software packages containing tools and applications. Users should not have access to these types of development tools. | Users will not have access to the command line tool `winget` to discover, install, upgrade, remove, configure, or distribute applications. | This setting has been removed from the baseline because it breaks Microsoft Store apps during ESP provisioning. |
| 18.10.15.3 | Disable OneSettings Downloads | Enabled | Sending data to a third-party vendor is a security concern and should only be done on an as-needed basis. | Windows will not connect to the OneSettings service to download configuration settings. | This setting has been removed from the baseline because it breaks Devicie's telemetry reporting on the Dashboard. |
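Because these four controls are deliberately left out of the baseline, it is worth being able to see on a device exactly how each one is currently set, so the deviation from the CIS recommendation is a visible, documented choice rather than an unnoticed gap. The following PowerShell audit script is an added example; it is not part of this baseline document or of the CIS benchmark itself. The registry paths and value names are assumed from the Group Policy ADMX mappings for each setting (the `Recommended` numbers encode the CIS value in the table above: 1 for Enabled, 0 for Disabled, and 0 for "Automatically deny elevation requests"); confirm them against your own policy templates before relying on the output.

```powershell
# Added audit example (not part of the baseline document): reports the current
# registry-backed state of the four CIS 3.0.0 controls removed from the baseline
# against the CIS-recommended value. Run in an elevated PowerShell session.
# Registry locations are assumed from the corresponding ADMX policy mappings.

$Controls = @(
    @{ Id = '18.9.28.2';  Name = 'Do not display network selection UI';
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';
       ValueName = 'DontDisplayNetworkSelectionUI'; Recommended = 1 },
    @{ Id = '2.3.17.3';   Name = 'UAC: Behavior of the elevation prompt for standard users';
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';
       ValueName = 'ConsentPromptBehaviorUser'; Recommended = 0 },
    @{ Id = '18.10.17.1'; Name = 'Enable App Installer';
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller';
       ValueName = 'EnableAppInstaller'; Recommended = 0 },
    @{ Id = '18.10.15.3'; Name = 'Disable OneSettings Downloads';
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';
       ValueName = 'DisableOneSettingsDownloads'; Recommended = 1 }
)

function Get-ControlState {
    param([hashtable]$Control)

    # Read the policy value if the key and value exist; otherwise treat as "Not configured".
    $actual = $null
    if (Test-Path -Path $Control.Path) {
        $item = Get-ItemProperty -Path $Control.Path -Name $Control.ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($Control.ValueName) }
    }
    $displayActual = if ($null -eq $actual) { 'Not configured' } else { $actual }

    [pscustomobject]@{
        Control             = $Control.Id
        Setting             = $Control.Name
        Recommended         = $Control.Recommended
        Actual              = $displayActual
        MatchesCIS          = ($actual -eq $Control.Recommended)
        RemovedFromBaseline = $true   # all four rows on this page are intentional deviations
    }
}

# Emit one row per control; MatchesCIS = $false is the expected result for the
# controls this page removes, and should be recorded in the exception register.
$Controls | ForEach-Object { Get-ControlState -Control $_ } | Format-Table -AutoSize
```

If a device shows `MatchesCIS = True` for one of these rows, the CIS value is being applied from somewhere other than this baseline (an older policy, a different configuration profile, or a local change), which is exactly the situation that reintroduces the provisioning, LAPS and telemetry breakages the table describes.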