Release notes for Windows
Review the release notes to learn about updates and resolved issues in Security Compliance Enforcement (SCE) for Windows. You can also review the Known issues and limitations.
To take advantage of new features and resolved issues, install the latest module version. Only the latest version is supported.
v2.2.0
Released 9 December 2025
With SCE for Windows v2.2.0, you can now enforce Center for Internet Security (CIS) controls on the Windows Server 2025 operating system.
New features and enhancements
SCE for Windows now supports the CIS Microsoft Server 2025 Benchmark v1.0.0, Server Level 1.
v2.1.0
Released 25 February 2025
With SCE for Windows v2.1.0, you can enhance the security of your infrastructure by enforcing updated Center for Internet Security (CIS) Benchmarks.
New features and enhancements
SCE for Windows now supports the following CIS Benchmarks:
- CIS Microsoft Server 2022, v3.0.0, Member Server, Level 1.
- CIS Microsoft Server 2019, v3.0.0, Member Server, Level 1.
- CIS Microsoft Server 2016, v3.0.0, Member Server, Level 1.
- CIS Microsoft Windows 10 Enterprise, v3.0.0, Corporate Enterprise, Level 1.
For a detailed list of updates implemented to enforce the CIS controls, see Reference: Benchmarks and controls.
v2.0.0
Released 7 May 2024
In this release, the Compliance Enforcement Modules are renamed to Security Compliance Enforcement (SCE). The new name highlights the capability to enforce secure configurations for IT infrastructures based on internationally recognized standards. In addition, SCE is now compatible with the latest versions of all Puppet module dependencies.
New features and enhancements
- As part of the name change, the module is now available on Puppet Forge under the following name: sce_windows. If you have an active subscription to the Compliance Enforcement Modules (CEM), you are automatically granted access to the SCE modules. CEM modules remain on Puppet Forge in a deprecated state for subscribers who want to continue using CEM for the time being, and CEM documentation remains available at Introducing the Compliance Enforcement Modules.
- In the documentation, configuration examples are updated to replace cem_windows with sce_windows. See Configuring SCE.
- To take advantage of fixes and improvements in Puppet modules, SCE for Windows now supports the latest versions of its Puppet module dependencies:
  - puppetlabs-stdlib: ≥ 6.0.0 < 10.0.0 (except for 9.0.x, 9.1.x, and 9.2.x, which are not supported)
  - puppetlabs-registry: ≥ 3.2.0 < 6.0.0
  - dsc-networkingdsc: ≥ 8.1.0-0-1 < 10.0.0
  - dsc-auditpolicydsc: ≥ 1.4.0-0-4 < 2.0.0
  - dsc-securitypolicydsc: ≥ 2.10.0-0-3 < 3.0.0
  - puppetlabs-pwshlib: 0.9.0 < 2.0.0
  - puppetlabs-powershell: ≥ 5.0.0 < 7.0.0

  To help avoid operational issues, do not use earlier module versions.
v1.5.2
Released 19 March 2024
CEM for Windows v1.5.2 introduces updates to enhance protection of Windows Server systems. Default values were changed for three Center for Internet Security (CIS) controls, thus helping to ensure that the controls will be correctly enforced to protect the winreg registry key and internal system objects.
Resolved issues
- For Windows Server 2016, 2019, and 2022, the implementation of CIS Controls 2.3.10.8 and 2.3.10.9 was corrected. For both controls, the default value of the value parameter was changed to Machine. By enforcing these controls, you can help to prevent attackers from accessing sensitive configuration data in the winreg registry key.
- For Windows Server 2016, 2019, and 2022, the implementation of CIS Control 2.3.15.2 was updated to specify the correct path for the path parameter. By enforcing this control, you can help to prevent unauthorized users from modifying internal system objects.
- A default value was changed to help ensure that CIS Control 18.6.4.1 can be enforced without disrupting operations on Windows Server 2022 systems. CIS Control 18.6.4.1 enforces Domain Name System resolution over HTTPS (DoH) to help protect systems against spoofing and man-in-the-middle attacks. Previously, the default setting of Enabled: Require DoH could prevent agent nodes from reporting to the Puppet primary server. To resolve the issue, the setting was changed to Enabled: Allow DoH to ensure that DoH is allowed but not required.
v1.5.1
Released 6 October 2023
New features and enhancements
- Introduced a change that is designed to simplify CEM for Windows configuration. In previous releases, CEM for Windows was configured to ignore controls related to the renaming of Administrator and Guest accounts. This configuration was designed to avoid rare cases in which the control settings could cause Puppet run failures. As a result of this default behavior, users who wanted to enable the controls had to specify an ignore list that did not include the controls. Specifying the controls in an only list was not helpful because the ignore list overrode the only list. To resolve this issue, the default setting of the ignore list was changed to empty.
Resolved issue
- Fixed an issue that prevented some user-specified configuration options from being applied. The issue affected only some parameters on some controls.
v1.5.0
Released 22 August 2023
New features and enhancements
- This release includes updates that are designed to enhance security on Microsoft Windows 10 Enterprise, Windows Server 2019, and Windows Server 2016 operating systems:
  - For users of the Microsoft Windows 10 Enterprise operating system, the Center for Internet Security (CIS) Benchmark was upgraded from v1.12.0 to v2.0.0. For a list of control updates, see Control updates introduced for CIS Microsoft Windows 10 Enterprise Benchmark v2.0.0.
  - For users of the Windows Server 2019 operating system, the CIS Benchmark was upgraded from v1.3.0 to v2.0.0. For a list of control updates, see Control updates introduced for CIS Microsoft Windows Server 2019 Benchmark v2.0.0.
  - For users of the Windows Server 2016 operating system, the CIS Benchmark was upgraded from v1.4.0 to v2.0.0. For a list of control updates, see Control updates introduced for CIS Microsoft Windows Server 2016 Benchmark v2.0.0.
- The documentation now provides more detailed upgrade instructions, including preparation steps that you can take to help ensure a smooth upgrade. See Upgrading SCE.
Resolved issue
- Fixed an issue related to the cem_domain_controller fact, which was incorrectly reporting a value of false in all instances. Now, the cem_domain_controller fact correctly reports a value of true when the module runs on a domain controller.
v1.4.0
Released 27 June 2023
New features and enhancements
- Support is introduced for the Center for Internet Security (CIS) Microsoft Windows Server 2022 Benchmark v2.0.0.
Deprecations
cem_windows no longer supports the use of legacy configuration as of this update. Legacy configuration refers to configurations of cem_windows used prior to the release of v1.1.0. cem_windows is no longer compatible with configurations that were used before v1.1.0. Please update any legacy configuration to the current standard of configuring cem_windows.
v1.3.0
Released 15 December 2022
New features and enhancements
This release includes updates for users of the Microsoft Windows Server 2016 operating system. With this release, users can enforce Center for Internet Security (CIS) Microsoft Windows Server 2016 Benchmark v1.4.0. For a list of control updates, see Control updates introduced for CIS Microsoft Windows Server 2016 Benchmark v1.4.0.
v1.2.3
Released 25 October 2022
New features and enhancements
- Added a Puppet Bolt task, cem_delete_securitypolicy_inf, to use for error resolution. The Puppet Bolt task resolves a corruption error that can affect the temporary file that is used by Desired State Configuration (DSC) to manage the local security policy:
  - The error is indicated by the following message in the Puppet run log: Index operation failed; the array index evaluated to null
  - To resolve the error, run the cem_delete_securitypolicy_inf task and re-run Puppet on the affected node.
- The product documentation was revised to improve usability and retrievability:
  - The change log was migrated from Puppet Forge to the central location for Puppet documentation, Puppet Docs. The change log was renamed to release notes.
  - The readme file was transformed into a series of topics with a structure similar to other Puppet documentation. The topics are now available on Puppet Docs.
  - The Reference and Dependencies documentation, which is generated automatically, remains on Puppet Forge.
Resolved issue
- Fixed an error that prevented catalog retrieval from Puppet Enterprise (PE) during Continuous Delivery pipeline runs. This error occurred when the impact analysis tool was used to set up a temporary environment, which was then deleted. The _FILE_ variable continued to point to the deleted environment. As a result, the Puppet run returned an error message: Could not retrieve catalog from remote server.
v1.2.2
Released 10 August 2022
Resolved issues
- Fixed typos in Microsoft Windows firewall logging paths managed by the following controls:
  - CIS Windows 10
    - 9.1.5
    - 9.2.5
    - 9.3.7
  - CIS Windows Server 2016
    - 9.1.5
    - 9.2.5
    - 9.3.7
  - CIS Windows Server 2019
    - 9.1.5
    - 9.2.5
    - 9.3.7
- Fixed an issue that could cause the following controls to not be enforced:
  - CIS Windows 10
    - 18.9.17.2
    - 18.9.64.1
    - 18.9.65.3.10.1
    - 18.9.65.3.10.2
    - 18.9.65.3.2.1
    - 18.9.72.1
    - 18.9.75.1
    - 18.9.103.1
  - CIS Windows Server 2016
    - 18.9.45.10.1
  - CIS Windows Server 2019
    - 18.9.41.1
    - 18.9.45.1
    - 18.9.47.11.1
    - 18.9.65.3.10.1
    - 18.9.65.3.10.2
    - 18.9.65.3.2.1
    - 18.9.65.3.3.1
    - 18.9.65.3.3.3
    - 18.9.65.3.3.4
    - 18.9.67.2
    - 18.9.72.1
    - 18.9.89.1
    - 18.9.90.3
    - 18.9.102.2.2
    - 18.9.103.1
    - 18.9.47.5.1.2
v1.2.1
Released 31 May 2022
Resolved issue
- Fixed an issue related to profile configuration on Microsoft Windows 10 nodes.
v1.2.0
Released 24 May 2022
New features and enhancements
- Updated the Center for Internet Security (CIS) Windows Server 2019 Benchmark to version 1.3.0.
Resolved issues
- Resolved issues leading to scan failures for the following CIS controls on Windows Server 2019:
  - 9.3.7
  - 9.2.5
  - 9.1.5
  - 18.9.108.4.1
  - 18.9.65.3.9.1
  - 18.8.3.1
  - 18.8.21.5
  - 18.5.21.1
  - 18.4.x
  - 18.2.1
v1.1.2
Released 12 May 2022
New features and enhancements
- Updated the minimum required version of the dsc/auditpolicydsc module to 1.4.0-0-4. That dependency includes resolved issues and features required by cem_windows. Update your Puppetfile accordingly.
Resolved issues
- Updated the default value for the Windows Attack Surface Reduction (ASR) rules to Audit instead of Block.
  - Although the value of Audit is not CIS-compliant, setting the ASR rules to Block prevented the Puppet agent from successfully configuring the node.
  - If you see Puppet run errors like Could not evaluate: undefined method `[]' for nil:NilClass when enforcing CEM, manually set the Windows ASR rules to Audit. To learn more about Windows ASR rules, see Attack surface reduction rules overview.
- Fixed an issue that applied more controls to a node than required by the configured profile and level.
- Fixed an issue that caused controls that should be ignored to be applied. This issue occurred when the controls were mapped to a parameter of a resource that was not ignored.
- Fixed several issues related to configuration backward-compatibility.
pe-puppetserver service on your Puppet primary server after Code Manager deploys the new code.
v1.1.1
Released 7 April 2022
New features and enhancements
- Improved the display of controls in the Reference on Puppet Forge.
Resolved issues
- Fixed several instances in which configurations from versions previous to v1.1.0 were not recognized. The v1.1.1 configuration is backward compatible with versions prior to v1.1.0.
- Fixed an issue that required the cem_windows module to exist in the same environment as the Puppet primary server. You can now deploy the module to a different environment than your primary server. The module will be operational.
- Fixed incorrect Puppet Strings in the init.pp file.
v1.1.0
Released 24 March 2022
New features and enhancements
- The documentation was updated to list the controls that will be reported as failed or unknown in Puppet Comply after cem_windows is applied. A failed or unknown status is reported because the CIS-CAT Pro Assessor looks for registry keys that are configured by Microsoft Group Policy Objects rather than keys that are set locally by the cem_windows user. The CIS Windows benchmarks are designed to work only for domain-joined systems. At the time of the v1.1.0 release, CIS was working on Windows benchmarks for a standalone system to resolve the issue.
- Updated the CIS Windows 10 Benchmark to v1.12.0 to match the latest benchmark version released with Comply 2.4.0.
- The cem_windows module was updated to implement a new architecture. The new architecture, applied in the background, provides more flexibility for system configuration.
v1.0.7
Released 16 December 2021
Resolved issues
- Removed unnecessary resource defaults in two Windows Server 2016 control classes.
v1.0.6
Released 16 December 2021
Resolved issues
- Removed unnecessary resource defaults in Windows Server 2016 control classes.
v1.0.5
Released 8 December 2021
Resolved issues
- Fixed non-idempotent Desired State Configuration (DSC) resources.
- Fixed the registry key for Windows 10 CIS control 1.1.6. Now, this control will be properly configured.
v1.0.4
Released 7 December 2021
New features and enhancements
- In the readme file, added a link to premium content installation instructions.
Resolved issue
- Fixed an issue that caused values for the dsc_accountpolicy parameter to be set incorrectly.
v1.0.3
Released 13 October 2021
Resolved issues
- Fixed the default value for CIS control 2.3.1.1 to align with the expected value provided by CIS.
- Fixed the cem_windows::allow_local_account_rdp parameter so that it works as intended.
v1.0.2
Released 11 October 2021
Resolved issue
- Fixed firewall profiles to align with the CIS specification.
v1.0.1
Released 30 September 2021
Resolved issue
- Fixed the Windows 10 Hiera name to ensure that Windows 10 can be used. For more information about Hiera, see Configure settings with Hiera.