Release notes for Windows
Review the release notes to learn about updates and resolved issues in Security Compliance Enforcement (SCE) for Windows. You can also review the Known issues and limitations.
v2.0.0
Released 7 May 2024
In this release, the Compliance Enforcement Modules are renamed to Security Compliance Enforcement (SCE). The new name highlights the capability to enforce secure configurations for IT infrastructures based on internationally recognized standards. In addition, SCE is now compatible with the latest versions of all Puppet module dependencies.
New features and enhancements
- As part of the name change, the module is now available on Puppet Forge under the following name: `sce_windows`. If you have an active subscription to the Compliance Enforcement Modules (CEM), you are automatically granted access to the SCE modules. CEM modules remain on Puppet Forge in a deprecated state for subscribers who want to continue using CEM for the time being, and CEM documentation remains available at Introducing the Compliance Enforcement Modules.
- In the documentation, configuration examples are updated to replace `cem_windows` with `sce_windows`. See Configuring SCE.
- To take advantage of fixes and improvements in Puppet modules, SCE for Windows now supports the latest versions of its Puppet module dependencies:
  - `puppetlabs-stdlib`: ≥ 6.0.0 < 10.0.0 (except for 9.0.x, 9.1.x, and 9.2.x, which are not supported)
  - `puppetlabs-registry`: ≥ 3.2.0 < 6.0.0
  - `dsc-networkingdsc`: ≥ 8.1.0-0-1 < 10.0.0
  - `dsc-auditpolicydsc`: ≥ 1.4.0-0-4 < 2.0.0
  - `dsc-securitypolicydsc`: ≥ 2.10.0-0-3 < 3.0.0
  - `puppetlabs-pwshlib`: ≥ 0.9.0 < 2.0.0
  - `puppetlabs-powershell`: ≥ 5.0.0 < 7.0.0

  To help avoid operational issues, do not use earlier module versions.
v1.5.2
Released 19 March 2024
CEM for Windows v1.5.2 introduces updates to enhance protection of Windows Server systems. Default values were changed for three Center for Internet Security (CIS) controls, helping to ensure that the controls are correctly enforced to protect the `winreg` registry key and internal system objects.
Resolved issues
- For Windows Server 2016, 2019, and 2022, the implementation of CIS Controls 2.3.10.8 and 2.3.10.9 was corrected. For both controls, the default value of the `value` parameter was changed to `Machine`. By enforcing these controls, you can help to prevent attackers from accessing sensitive configuration data in the `winreg` registry key.
- For Windows Server 2016, 2019, and 2022, the implementation of CIS Control 2.3.15.2 was updated to specify the correct path for the `path` parameter. By enforcing this control, you can help to prevent unauthorized users from modifying internal system objects.
- A default value was changed to help ensure that CIS Control 18.6.4.1 can be enforced without disrupting operations on Windows Server 2022 systems. CIS Control 18.6.4.1 enforces Domain Name System resolution over HTTPS (DoH) to help protect systems against spoofing and man-in-the-middle attacks. Previously, the default setting of `Enabled: Require DoH` could prevent agent nodes from reporting to the Puppet primary server. To resolve the issue, the setting was changed to `Enabled: Allow DoH`, so that DoH is allowed but not required.
v1.5.1
Released 6 October 2023
- Changed
  - Introduced a change that is designed to simplify CEM for Windows configuration. In previous releases, CEM for Windows was configured to ignore controls related to the renaming of Administrator and Guest accounts. This configuration was designed to avoid rare cases in which the control settings could cause Puppet run failures. As a result of this default behavior, users who wanted to enable the controls had to specify an ignore list that did not include the controls. Specifying the controls in an only list was not helpful because the ignore list overrode the only list. To resolve this issue, the default setting of the ignore list was changed to empty.
- Fixed
  - Fixed an issue that prevented some user-specified configuration options from being applied. The issue affected only some parameters on some controls.
v1.5.0
Released 22 August 2023
- Changed
  - This release includes updates that are designed to enhance security on Microsoft Windows 10 Enterprise, Windows Server 2019, and Windows Server 2016 operating systems:
    - For users of the Microsoft Windows 10 Enterprise operating system, the Center for Internet Security (CIS) Benchmark was upgraded from v1.12.0 to v2.0.0. For a list of control updates, see Control updates introduced for CIS Microsoft Windows 10 Enterprise Benchmark v2.0.0.
    - For users of the Windows Server 2019 operating system, the CIS Benchmark was upgraded from v1.3.0 to v2.0.0. For a list of control updates, see Control updates introduced for CIS Microsoft Windows Server 2019 Benchmark v2.0.0.
    - For users of the Windows Server 2016 operating system, the CIS Benchmark was upgraded from v1.4.0 to v2.0.0. For a list of control updates, see Control updates introduced for CIS Microsoft Windows Server 2016 Benchmark v2.0.0.
  - The documentation now provides more detailed upgrade instructions, including preparation steps that you can take to help ensure a smooth upgrade. See Upgrading SCE.
- Fixed
  - Fixed an issue related to the `cem_domain_controller` fact, which was incorrectly reporting a value of `false` in all instances. Now, the `cem_domain_controller` fact correctly reports a value of `true` when the module runs on a domain controller.
v1.4.0
Released 27 June 2023
- Added
  - Enforcement of the Center for Internet Security (CIS) Microsoft Windows Server 2022 Benchmark v2.0.0.
- Changed
  - `cem_windows` no longer supports the use of legacy configuration as of this update. Legacy configuration refers to configurations of `cem_windows` used prior to the release of v1.1.0; such configurations are no longer compatible with the module. Update any legacy configuration to the current standard of configuring `cem_windows`.
v1.3.0
Released 15 December 2022
This release includes updates for users of the Microsoft Windows Server 2016 operating system. With this release, users can enforce Center for Internet Security (CIS) Microsoft Windows Server 2016 Benchmark v1.4.0. For a list of control updates, see Control updates introduced for CIS Microsoft Windows Server 2016 Benchmark v1.4.0.
v1.2.3
Released 25 October 2022
- Added
  - Added a Puppet Bolt task, `cem_delete_securitypolicy_inf`, to use for error resolution. The Puppet Bolt task resolves a corruption error that can affect the temporary file that is used by Desired State Configuration (DSC) to manage the local security policy:
    - The error is indicated by the following message in the Puppet run log: `Index operation failed; the array index evaluated to null`
    - To resolve the error, run the `cem_delete_securitypolicy_inf` task and re-run Puppet on the affected node.
- Changed
  - The product documentation was revised to improve usability and retrievability:
    - The change log was migrated from Puppet Forge to the central location for Puppet documentation, Puppet Docs. The change log was renamed to release notes.
    - The readme file was transformed into a series of topics with a structure similar to other Puppet documentation. The topics are now available on Puppet Docs.
    - The Reference and Dependencies documentation, which is generated automatically, remains on Puppet Forge.
- Fixed
  - Fixed an error that prevented catalog retrieval from Puppet Enterprise (PE) during Continuous Delivery pipeline runs. This error occurred when the impact analysis tool was used to set up a temporary environment, which was then deleted. The `_FILE_` variable continued to point to the deleted environment. As a result, the Puppet run returned an error message: `Could not retrieve catalog from remote server`.
v1.2.2
Released 10 August 2022
- Fixed
  - Fixed typos in Microsoft Windows firewall logging paths managed by the following controls:
    - CIS Windows 10
      - 9.1.5
      - 9.2.5
      - 9.3.7
    - CIS Windows Server 2016
      - 9.1.5
      - 9.2.5
      - 9.3.7
    - CIS Windows Server 2019
      - 9.1.5
      - 9.2.5
      - 9.3.7
  - Fixed an issue that could cause the following controls to not be enforced:
    - CIS Windows 10
      - 18.9.17.2
      - 18.9.64.1
      - 18.9.65.3.10.1
      - 18.9.65.3.10.2
      - 18.9.65.3.2.1
      - 18.9.72.1
      - 18.9.75.1
      - 18.9.103.1
    - CIS Windows Server 2016
      - 18.9.45.10.1
    - CIS Windows Server 2019
      - 18.9.41.1
      - 18.9.45.1
      - 18.9.47.11.1
      - 18.9.65.3.10.1
      - 18.9.65.3.10.2
      - 18.9.65.3.2.1
      - 18.9.65.3.3.1
      - 18.9.65.3.3.3
      - 18.9.65.3.3.4
      - 18.9.67.2
      - 18.9.72.1
      - 18.9.89.1
      - 18.9.90.3
      - 18.9.102.2.2
      - 18.9.103.1
      - 18.9.47.5.1.2
v1.2.1
Released 31 May 2022
- Fixed
  - Fixed a bug related to profile configuration on Microsoft Windows 10 nodes.
v1.2.0
Released 24 May 2022
- Changed
  - Updated the Center for Internet Security (CIS) Windows Server 2019 Benchmark to version 1.3.0.
- Fixed
  - Resolved issues leading to scan failures for the following CIS controls on Windows Server 2019:
    - 9.3.7
    - 9.2.5
    - 9.1.5
    - 18.9.108.4.1
    - 18.9.65.3.9.1
    - 18.8.3.1
    - 18.8.21.5
    - 18.5.21.1
    - 18.4.x
    - 18.2.1
v1.1.2
Released 12 May 2022
- Changed
  - Updated the minimum required version of the `dsc/auditpolicydsc` module to `1.4.0-0-4`. That dependency contains bug fixes and features required by `cem_windows`. Update your Puppetfile accordingly.
- Fixed
  - Updated the default value for the Windows Attack Surface Reduction (ASR) rules to `Audit` instead of `Block`.
    - While the value of `Audit` is not CIS-compliant, setting the ASR rules to `Block` prevented the Puppet agent from successfully configuring the node.
    - If you see Puppet run errors like `Could not evaluate: undefined method []' for nil:NilClass` when enforcing CEM, manually set the Windows ASR rules to `Audit`. To learn more about Windows ASR rules, see Attack surface reduction rules overview.
  - Fixed an issue that applied more controls to a node than required by the configured profile and level.
  - Fixed an issue that caused controls that should be ignored to be applied. This issue occurred when the controls were mapped to a parameter of a resource that was not ignored.
  - Fixed several issues related to configuration backward-compatibility.

Upgrade requirement: To ensure that the updates in this release take effect, you might have to restart the `pe-puppetserver` service on your Puppet primary server after Code Manager deploys the new code.
v1.1.1
Released 7 April 2022
- Changed
  - Improved the display of controls in the Reference on Puppet Forge.
- Fixed
  - Fixed several instances in which configurations from versions previous to v1.1.0 were not recognized. The v1.1.1 configuration is backward compatible with versions prior to v1.1.0.
  - Fixed an issue that required the `cem_windows` module to exist in the same environment as the Puppet primary server. You can now deploy the module to a different environment than your primary server, and the module remains operational.
  - Fixed incorrect Puppet Strings in the `init.pp` file.
v1.1.0
Released 24 March 2022
- Added
  - The documentation was updated to list the controls that will be reported as failed or unknown in Puppet Comply after `cem_windows` is applied. A failed or unknown status is reported because the CIS-CAT Pro Assessor looks for registry keys that are configured by Microsoft Group Policy Objects rather than keys that are set locally by the `cem_windows` user. The CIS Windows benchmarks are designed to work only for domain-joined systems. At the time of the v1.1.0 release, CIS was working on Windows benchmarks for a standalone system to resolve the issue.
- Changed
  - Updated the CIS Windows 10 Benchmark to v1.12.0 to match the latest benchmark version released with Comply 2.4.0.
  - The `cem_windows` module was updated to implement a new architecture. The new architecture, applied in the background, provides more flexibility for system configuration.
v1.0.7
Released 16 December 2021
- Removed
  - Removed unnecessary resource defaults in two Windows Server 2016 control classes.
v1.0.6
Released 16 December 2021
- Removed
  - Removed unnecessary resource defaults in Windows Server 2016 control classes.
v1.0.5
Released 8 December 2021
- Fixed
  - Fixed non-idempotent Desired State Configuration (DSC) resources.
  - Fixed the registry key for Windows 10 CIS control 1.1.6. Now, this control will be properly configured.
v1.0.4
Released 7 December 2021
- Added
  - In the readme file, added a link to premium content installation instructions.
- Fixed
  - Fixed an issue that caused values for the `dsc_accountpolicy` parameter to be set incorrectly.
v1.0.3
Released 13 October 2021
- Fixed
  - Fixed the default value for CIS control 2.3.1.1 to align with the expected value provided by CIS.
  - Fixed the `cem_windows::allow_local_account_rdp` parameter so that it works as intended.
v1.0.2
Released 11 October 2021
- Fixed
  - Fixed firewall profiles to align with the CIS specification.
v1.0.1
Released 30 September 2021
- Fixed
  - Fixed the Windows 10 Hiera name to ensure that Windows 10 can be used. For more information about Hiera, see Configure settings with Hiera.
Known issues and limitations
The current release includes known issues and limitations. In most cases, workarounds are provided.
- A registry key override can occur when duplicate normalized names are used to specify CIS controls. The issue occurs because the normalized control names for two authentication settings related to Windows Remote Management (WinRM) are identical: the client (18.9.102.1.1) and service (18.9.102.2.1) controls share the same normalized name. The workaround is to configure the controls with the control numbers (18.9.102.1.1 and 18.9.102.2.1) or the normalized control numbers (`c18_9_102_1_1` and `c18_9_102_2_1`). This issue occurs only in Windows 10 Enterprise environments.
- In a Windows Server 2016 or 2019 environment, a scan failure is reported for CIS Control 2.3.10.12, (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None.' This control is enforced correctly but fails Security Compliance Management scans. The scans detect the backing registry value, of type `REG_MULTI_SZ`. The expected value is a blank item as the first line in a multiline string. However, the Puppet module that manages registry settings does not permit the use of blank values. As a workaround, no value is set for the backing registry value. A blank value and no value are functionally equivalent, resulting in the same configuration. For this reason, you can ignore the reported scan failure.
- The Center for Internet Security (CIS) Control 18.2.1, 'Ensure LAPS AdmPwd GPO Extension / CSE is installed,' is not enforced. Control 18.2.1 requires downloading and installing the Local Administrator Password Solution (LAPS) client from the Microsoft website. Because SCE for Windows does not support third-party Windows package managers, this software cannot be installed. In addition, the CIS scanner checks only for the presence of the LAPS client .dll file and does not confirm that LAPS is configured or functional at the domain level.
- You might see a scan failure and an error message such as `Could not evaluate: undefined method...` for Windows Attack Surface Reduction (ASR) rules. The scan failure occurs if you set the ASR rule to `Block`, as recommended by CIS guidelines. However, in that case, the Puppet agent cannot successfully configure the node. For this reason, use the default value of `Audit` and ignore the error message.
- Some controls can fail scans. During a Security Compliance Management scan, you might see error messages about CIS recommended guidelines that are not enforced. These error messages are triggered by bugs in the Security Compliance Management console; SCE correctly enforces these settings. The following controls are affected:
  - 1.1.5: Windows Server 2016 and Windows Server 2019
  - 1.1.6: Windows Server 2016 and Windows Server 2019
  - 2.3.10.7: Windows Server 2016
  - 18.2.1: Windows Server 2019
  - 18.4.1: Windows Server 2016 and Windows Server 2019
  - 18.4.8: Windows Server 2016
  - 18.4.9: Windows Server 2016 and Windows Server 2019
  - 18.4.12: Windows Server 2016
  - 18.8.21.5: Windows Server 2016
  - 18.9.47.5.1.2: Windows Server 2019
  - 18.9.62.3.9.1: Windows Server 2016
- Puppet runs are not idempotent. If you see Desired State Configuration (DSC) resources showing corrective changes in a Puppet run, for example, `Unknown feature "custom_isync"`, you are running an incompatible version of Puppet. SCE for Windows requires that Puppet 7 agents be v7.8.0 or later. You can also use any version of Puppet 8.
- If the Puppet agent fails to upgrade when you use the `puppetlabs/puppet_agent` module, restart the computer or virtual machine where the Puppet agent is running to help ensure that updates are applied.
- If you use Remote Desktop Protocol (RDP) to access nodes, users who are members of the `Guests` group and local accounts cannot log in by default. To provide access to these groups, set the `sce_windows::allow_local_account_rdp` parameter to `true`.
- If non-admin users cannot log in to nodes, the issue might be related to event logs. By default, Windows Event Log does not clear events. When the event log of a node is full, only administrators can log in. To clear the event logs manually, find the specific recommendation in your compliance framework and configure the setting. In the Windows registry, locate the following key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application:Retention`. Then, set the `Retention` value to 0.
- You cannot disable Windows Remote Management (WinRM). The WinRM service is required for the DSC modules and cannot be disabled.