Merge pull request #89 from ansible-lockdown/devel

Windows 2022 Major CIS V4 Updates

Author: MrSteve81

.ansible-lint

@@ -5,5 +5,6 @@ quiet: true
 skip_list:
   - 'package-latest'
   - 'risky-shell-pipe'
+  - yaml[line-length]
 use_default_rules: true
 verbosity: 0

.github/workflows/benchmark_tracking_controller.yml

@@ -0,0 +1,52 @@
+# GitHub schedules all cron jobs in UTC.
+# ──────────────────────────────────────────────────────────────────────────────
+# Schedule:
+#   - '0 13 * * *' runs at 13:00 UTC every day.
+#   - This corresponds to:
+#       • 9:00 AM Eastern **during Daylight Saving Time** (mid-Mar → early-Nov)
+#       • 8:00 AM Eastern **during Standard Time** (early-Nov → mid-Mar)
+#
+# Job routing:
+#   - call-benchmark-tracker:
+#       • Runs on manual dispatch, and on pushes to the 'latest' branch.
+#   - call-monitor-promotions:
+#       • Runs on schedule or manual dispatch **only in repos named ansible-lockdown/Private-***.
+#       • Skips automatically in public repos (e.g., Windows-2022-CIS) to avoid false failures.
+#
+# Defense-in-depth:
+#   - The called promotion workflow may still keep its own guard to ensure only Private-* repos execute it.
+
+name: Central Benchmark Orchestrator
+
+on:
+  push:
+    branches:
+      - latest
+  schedule:
+    - cron: '0 13 * * *'  # 13:00 UTC → 9 AM ET (DST) / 8 AM ET (Standard Time)
+  workflow_dispatch:
+
+jobs:
+  call-benchmark-tracker:
+    # Run on manual dispatch OR when 'latest' branch receives a push
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref_name == 'latest')
+    name: Start Benchmark Tracker
+    uses: ansible-lockdown/github_windows_IaC/.github/workflows/benchmark_track.yml@self_hosted
+    with:
+      repo_name: ${{ github.repository }}
+    secrets:
+      TEAMS_WEBHOOK_URL: ${{ secrets.TEAMS_WEBHOOK_URL }}
+      BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }}
+      DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
+
+  call-monitor-promotions:
+    # Run on schedule or manual dispatch, but only for Private-* repos
+    if: (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && startsWith(github.repository, 'ansible-lockdown/Private-')
+    name: Monitor Promotions and Auto-Promote
+    uses: ansible-lockdown/github_windows_IaC/.github/workflows/benchmark_promote.yml@self_hosted
+    with:
+      repo_name: ${{ github.repository }}
+    secrets:
+      TEAMS_WEBHOOK_URL: ${{ secrets.TEAMS_WEBHOOK_URL }}
+      BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }}
+      DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}

.github/workflows/devel_pipeline_validation.yml

@@ -31,9 +31,12 @@ jobs:
       - uses: actions/first-interaction@main
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-          pr-message: |-
-            Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-            Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
+          issue_message: |-
+              Congrats on opening your first issue and thank you for taking the time to help improve Ansible-Lockdown!
+              Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
+          pr_message: |-
+              Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+              Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 
   build-azure-windows:
     # Use the AWS self-hosted runner
@@ -60,7 +63,7 @@ jobs:
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
       - name: Clone ${{ github.event.repository.name }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
 
@@ -76,7 +79,7 @@ jobs:
 
       # Pull In OpenTofu Code For Windows Azure
       - name: Clone IaC Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
         with:
           repository: ansible-lockdown/github_windows_IaC
           path: .github/workflows/github_windows_IaC

.github/workflows/devel_pipeline_validation_gpo.yml

@@ -31,9 +31,12 @@ jobs:
       - uses: actions/first-interaction@main
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-          pr-message: |-
-            Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-            Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
+          issue_message: |-
+              Congrats on opening your first issue and thank you for taking the time to help improve Ansible-Lockdown!
+              Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
+          pr_message: |-
+              Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+              Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 
   build-azure-windows-gpo:
     # Use the AWS self-hosted runner
@@ -60,7 +63,7 @@ jobs:
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
       - name: Clone ${{ github.event.repository.name }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
 
@@ -76,7 +79,7 @@ jobs:
 
       # Pull In OpenTofu Code For Windows Azure
       - name: Clone IaC Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
         with:
           repository: ansible-lockdown/github_windows_IaC
           path: .github/workflows/github_windows_IaC

.github/workflows/main_pipeline_validation.yml

@@ -49,7 +49,7 @@ jobs:
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
       - name: Clone ${{ github.event.repository.name }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
 
@@ -65,7 +65,7 @@ jobs:
 
       # Pull In OpenTofu Code For Windows Azure
       - name: Clone IaC Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
         with:
           repository: ansible-lockdown/github_windows_IaC
           path: .github/workflows/github_windows_IaC

.github/workflows/main_pipeline_validation_gpo.yml

@@ -49,7 +49,7 @@ jobs:
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
       - name: Clone ${{ github.event.repository.name }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
 
@@ -65,7 +65,7 @@ jobs:
 
       # Pull In OpenTofu Code For Windows Azure
       - name: Clone IaC Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
         with:
           repository: ansible-lockdown/github_windows_IaC
           path: .github/workflows/github_windows_IaC

.github/workflows/update_galaxy.yml

@@ -16,7 +16,7 @@ jobs:
 
     steps:
       - name: Checkout V4
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
 
       - name: Update Galaxy
         uses: ansible-actions/ansible-galaxy-action@main

ChangeLog.md

@@ -1,5 +1,106 @@
 # ChangeLog
 
+## Release 4.1.0
+
+April 2026
+  - Updated the cloud based system check for manual overrides. New variable now in the defualt main. Please read the comments for the new variable. 
+  - Updated 18.10.57.3.10.1 variable accept anything between 1 and 900000 in Hardening & GPO.
+  - Updated Section 2 GPO for win_skip_for_test controls. Read comments in default/main.
+  - Issues Addressed:
+    - [#2](https://github.com/ansible-lockdown/Windows-2025-CIS/issues/2) - Thanks @davidstanaway
+    - [#7](https://github.com/ansible-lockdown/Windows-2025-CIS/issues/7) - Thanks @R2J2 (Updated When Statement to take into account Bool now)
+    - [#86](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/86) - Thanks @git-cgallagher (Windows 2022 Issue Added Here To Update 2025)
+    - [#84](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/84) - Thanks @Randriy-bulynko (Windows 2022 Issue Added Here To Update 2025)
+    - [#87](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/87) - Thanks @Randriy-bulynko (Windows 2022 Issue Added Here To Update 2025)
+    - [#83](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/83) - Thanks @exu-g (Windows 2022 Issue Added Here To Update 2025)
+  - PR's Addressed:
+    - [#3](https://github.com/ansible-lockdown/Windows-2025-CIS/pull/3) - Thanks @MatthieuLeboeuf 
+
+September 2025
+  - Updated When For Control 18.4.6
+  - Updated Title 2.3.10.10
+  - Updated 2.3.6.5 Task
+  - PR's Addressed:
+    - [#79](https://github.com/ansible-lockdown/Windows-2022-CIS/pull/79/files) - Thanks @ShawnHardwick
+
+## Release 4.0.0
+
+June 2025
+  - This Release is based on CIS Benchmark v4.0.0
+  - Internal 90 Auto Promotion Workflows Added
+  - Fixed Tags  from _ to . in he control numbers to align with other controls.
+  - Issues Addressed:
+    - Fixed GPO 18.9.26.2 to enter the correct registry entry.
+  - CIS Control Changes Summary (v4.0.0 vs v3.0.0) - Please review them in the CIS documentation and adjust your playbooks.
+    - Removed
+      - 2.3.1.1: Accounts: Block Microsoft accounts removed; all controls in the section shifted up
+      - 18.4.2: Removed; all subsequent controls moved up
+      - 18.10.15.8: Removed in v4.0.0
+      - 18.10.42.17: Removed in v4.0.0
+    - Added
+      - 2.3.11.8: Network security: LDAP client encryption requirements
+      - 2.3.11.14: New control
+      - 2.3.17.2: Valid variable checking
+      - 18.4.6: Valid variable checking
+      - 18.6.4.4: IPV6 DNS Servers
+      - 18.6.7.1: Lanman Server SMB
+      - 18.6.8.2: Lanman Workstation Encryption
+      - 18.10.18.4: Malware Scan Override
+      - 18.10.18.6: MSS Certificate Validation Bypass
+      - 18.10.18.7: Windows Package Manager command line
+      - 18.10.29.2: Mark of the Web tag
+      - 18.10.43.4.1: Enable EDR in block mode
+      - 18.10.43.8.1: Convert warn verdict
+      - 18.10.43.10.1: Configure real-time protection during OOBE
+      - 18.10.43.11.1.1.1: Configure Brute-Force Protection aggressiveness
+      - 18.10.43.11.1.1.2: Configure Remote Encryption Protection Mode
+      - 18.10.43.11.1.2.1: Remote Encryption Protection blocks threats
+      - 18.10.43.13.1: Scan excluded files and directories
+      - 18.10.43.13.4: Trigger a quick scan after X days
+      - 18.10.43.17: Control whether exclusions are visible to local users
+      - 18.10.58.2: Enable Basic feed authentication over HTTP
+    - Updated
+      - 2.2.38: Title updated in Remediate and GPO
+      - 18.6.4.1: Replaced in v4.0.0
+      - 18.7.2, 18.7.3, 18.7.5: Title updates
+      - 18.9.13.1, 18.9.19.2: Title updates
+      - 18.10.18.1: Level changed to Level 2
+      - 18.10.28.2 → 18.10.29.3: Moved due to new 18.10.29.2
+      - 18.10.42.6.1: Removed One of the ASR's
+    - Renumbered / Moved
+      - 18.10.5.1 → 18.10.6.1
+      - 18.10.7.1–3 → 18.10.8.1–3
+      - 18.10.8.1.1 → 18.10.9.1.1
+      - 18.10.10.1 → 18.10.11.1
+      - 18.10.12.1–3 → 18.10.13.1–3
+      - 18.10.13.1 → 18.10.14.1
+      - 18.10.14.1–2 → 18.10.15.1–2
+      - 18.10.15.1–7 → 18.10.16.1–7
+      - 18.10.17.x → 18.10.18.x
+      - 18.10.25.x.x → 18.10.26.x.x
+      - 18.10.36.x → 18.10.37.x
+      - 18.10.40.x → 18.10.41.x
+      - 18.10.41.x → 18.10.42.x
+      - 18.10.42.5.x → 18.10.43.5.x
+      - 18.10.42.x.x.x → 18.10.43.x.x.x
+      - 18.10.50.x → 18.10.51.x
+      - 18.10.55.x → 18.10.56.x
+      - 18.10.56.x → 18.10.57.x
+      - 18.10.57.x → 18.10.58.x
+      - 18.10.58.x → 18.10.59.x
+      - 18.10.62.x → 18.10.63.x
+      - 18.10.75.x.x → 18.10.76.x.x
+      - 18.10.79.x → 18.10.80.x
+      - 18.10.80.x → 18.10.81.x
+      - 18.10.86.x → 18.10.87.x
+      - 18.10.88.x.x → 18.10.89.x.x
+      - 18.10.89.x → 18.10.90.x
+      - 18.10.91.x.x → 18.10.92.x.x
+      - 18.10.92.x.x → 18.10.93.x.x
+    - Structural Changes
+      - Section 17: Credential Validation auditing now uses the GUID {0CCE923F-69AE-11D9-BED3-505054503030}
+        - This makes auditing language-agnostic and more consistent across regional builds.
+
 ## Release 3.0.5
 September 2025 Update
 - Issues Addressed:
@@ -11,7 +112,6 @@ May 2025 Update #2
   - Issues Addressed:
     - Fixed 1.1.6 to apply to all systems except for Domain Controllers. This is present in standalone version. - Thanks @mfortin
     - Re-Verified 18.10.79.2 Paths
-    - Fixed 18.9.26.2 GPO Registry Entry
 
 ## Release 3.0.3
 
@@ -20,7 +120,7 @@ May 2025 Update
     - Fixed Control 18.6.14.1 For Missing RequirePrivacy=1 in Ansible Hardening. - Thanks @mfortin
     - Updated 18.10.56.3.10.2 value to 60000 from 6000 in remediate and GPO - Thanks @mfortin
     - Verified 18.10.79.2 Path In Remediate - Thanks @mfortin
-    - Updated 18.10.92.4.1 ManagePreviewBuildsPolicyValue to 1. - Thanks @mfortin
+    - Updated 18.10.93.4.1 ManagePreviewBuildsPolicyValue to 1. - Thanks @mfortin
     - Updated Pipelines Branches Trigger
     - Updated Readme with New Badges
 

README.md

@@ -2,7 +2,7 @@
 
 ## Configure a Microsoft Server 2022 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant
 
-### Based on [ CIS Microsoft Windows Server 2022 v3.0.0 - 03-19-2024 ](https://www.cisecurity.org/cis-benchmarks/)
+### Based on [ CIS Microsoft Windows Server 2022 v4.0.0 - 05-23-2025 ](https://www.cisecurity.org/cis-benchmarks/)
 
 ---