Release notes for Windows

Review the release notes to learn about updates and resolved issues in Security Compliance Enforcement (SCE) for Windows. You can also review the Known issues and limitations.

v2.0.0

Released 7 May 2024

In this release, the Compliance Enforcement Modules are renamed to Security Compliance Enforcement (SCE). The new name highlights the capability to enforce secure configurations for IT infrastructures based on internationally recognized standards. In addition, SCE is now compatible with the latest versions of all Puppet module dependencies.

Important: If you plan to upgrade to v2.0.0, review the updated instructions in Upgrading SCE and Configuring SCE.

New features and enhancements

  • As part of the name change, the module is now available on Puppet Forge under the following name: sce_windows. If you have an active subscription to the Compliance Enforcement Modules (CEM), you are automatically granted access to the SCE modules.

    Tip: CEM modules remain on Puppet Forge in a deprecated state for subscribers who want to continue using CEM for the time being, and CEM documentation remains available at Introducing the Compliance Enforcement Modules.

  • In the documentation, configuration examples are updated to replace cem_windows with sce_windows. See Configuring SCE.
  • To take advantage of fixes and improvements in Puppet modules, SCE for Windows now supports the latest versions of its Puppet module dependencies:

    • puppetlabs-stdlib: ≥ 6.0.0 < 10.0.0 (except for 9.0.x, 9.1.x, and 9.2.x, which are not supported)

    • puppetlabs-registry: ≥ 3.2.0 < 6.0.0

    • dsc-networkingdsc: ≥ 8.1.0-0-1 < 10.0.0

    • dsc-auditpolicydsc: ≥ 1.4.0-0-4 < 2.0.0

    • dsc-securitypolicydsc: ≥ 2.10.0-0-3 < 3.0.0

    • puppetlabs-pwshlib: ≥ 0.9.0 < 2.0.0

    • puppetlabs-powershell: ≥ 5.0.0 < 7.0.0

      To help avoid operational issues, do not use earlier module versions.
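As an added example (not from the SCE documentation or the module itself), the Ruby script below checks the module versions pinned in a Puppetfile against the dependency ranges listed above, including the excluded puppetlabs-stdlib 9.0.x, 9.1.x and 9.2.x series; the sample Puppetfile content and the ordering rule used for DSC build suffixes such as 8.1.0-0-1 are assumptions.

```ruby
# Added example, not from the SCE docs: check Puppetfile pins against the ranges v2.0.0 declares.

# Ranges from the v2.0.0 release notes: min inclusive, max exclusive, plus stdlib series excluded
# even though they fall inside the range.
SCE_DEPS = {
  'puppetlabs-stdlib'     => { min: '6.0.0',      max: '10.0.0', excluded: %w[9.0 9.1 9.2] },
  'puppetlabs-registry'   => { min: '3.2.0',      max: '6.0.0' },
  'dsc-networkingdsc'     => { min: '8.1.0-0-1',  max: '10.0.0' },
  'dsc-auditpolicydsc'    => { min: '1.4.0-0-4',  max: '2.0.0' },
  'dsc-securitypolicydsc' => { min: '2.10.0-0-3', max: '3.0.0' },
  'puppetlabs-pwshlib'    => { min: '0.9.0',      max: '2.0.0' },
  'puppetlabs-powershell' => { min: '5.0.0',      max: '7.0.0' }
}.freeze

# '8.1.0-0-1' -> [8, 1, 0, 0, 1]; the DSC build suffix is compared as extra trailing
# numeric segments (a simplifying assumption, not Puppet Forge's exact rule).
def version_key(v)
  v.split(/[.-]/).map(&:to_i)
end

# Collect `mod 'name', 'version'` pins; git-sourced or unpinned mods are skipped.
def parse_puppetfile(text)
  text.scan(/^\s*mod\s+['"]([^'"]+)['"]\s*,\s*['"]([^'"]+)['"]/).to_h
end

# Return { module => reason } for every SCE dependency that is missing from the
# Puppetfile or pinned outside the supported range.
def check_sce_deps(puppetfile_text)
  pinned = parse_puppetfile(puppetfile_text)
  SCE_DEPS.each_with_object({}) do |(name, range), problems|
    ver = pinned[name]
    if ver.nil?
      problems[name] = 'not pinned in Puppetfile'
    elsif (version_key(ver) <=> version_key(range[:min])) < 0 ||
          (version_key(ver) <=> version_key(range[:max])) >= 0
      problems[name] = "#{ver} is outside >= #{range[:min]} < #{range[:max]}"
    elsif (range[:excluded] || []).any? { |ex| ver.start_with?("#{ex}.") }
      problems[name] = "#{ver} is in an unsupported series (#{range[:excluded].join('.x, ')}.x)"
    end
  end
end

# Constructed sample: stdlib sits in the excluded 9.1.x series and puppetlabs-powershell is missing.
SAMPLE_PUPPETFILE = <<~PF
  mod 'puppetlabs-stdlib', '9.1.0'
  mod 'puppetlabs-registry', '4.1.1'
  mod 'dsc-networkingdsc', '9.0.0-0-5'
  mod 'dsc-auditpolicydsc', '1.4.0-0-4'
  mod 'dsc-securitypolicydsc', '2.10.0-0-3'
  mod 'puppetlabs-pwshlib', '1.0.1'
PF

check_sce_deps(SAMPLE_PUPPETFILE).each { |mod_name, why| puts "#{mod_name}: #{why}" }
```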

v1.5.2

Released 19 March 2024

CEM for Windows v1.5.2 introduces updates to enhance protection of Windows Server systems. Default values were changed for three Center for Internet Security (CIS) controls, thus helping to ensure that the controls will be correctly enforced to protect the winreg registry key and internal system objects.

Resolved issues

  • For Windows Server 2016, 2019, and 2022, the implementation of CIS Controls 2.3.10.8 and 2.3.10.9 was corrected. For both controls, the default value of the value parameter was changed to Machine. By enforcing these controls, you can help to prevent attackers from accessing sensitive configuration data in the winreg registry key.
  • For Windows Server 2016, 2019, and 2022, the implementation of CIS Control 2.3.15.2 was updated to specify the correct path for the path parameter. By enforcing this control, you can help to prevent unauthorized users from modifying internal system objects.
  • A default value was changed to help ensure that CIS Control 18.6.4.1 can be enforced without disrupting operations on Windows Server 2022 systems. CIS Control 18.6.4.1 enforces Domain Name System resolution over HTTPS (DoH) to help protect systems against spoofing and man-in-the-middle attacks. Previously, the default setting of Enabled: Require DoH could prevent agent nodes from reporting to the Puppet primary server. To resolve the issue, the setting was changed to Enabled: Allow DoH to ensure that DoH is allowed but not required.

v1.5.1

Released 6 October 2023

  • Changed
    • Introduced a change that is designed to simplify CEM for Windows configuration. In previous releases, CEM for Windows was configured to ignore controls related to the renaming of Administrator and Guest accounts. This configuration was designed to avoid rare cases in which the control settings could cause Puppet run failures. As a result of this default behavior, users who wanted to enable the controls had to specify an ignore list that did not include the controls. Specifying the controls in an only list was not helpful because the ignore list overrode the only list. To resolve this issue, the default setting of the ignore list was changed to empty.
  • Fixed
    • Fixed an issue that prevented some user-specified configuration options from being applied. The issue affected only some parameters on some controls.

v1.5.0

Released 22 August 2023

  • Fixed
    • Fixed an issue related to the cem_domain_controller fact, which was incorrectly reporting a value of false in all instances. Now, the cem_domain_controller fact correctly reports a value of true when the module runs on a domain controller.

v1.4.0

Released 27 June 2023

  • Added
    • Enforcement of the Center for Internet Security (CIS) Microsoft Windows Server 2022 Benchmark v2.0.0.
  • Changed
    • As of this update, cem_windows no longer supports legacy configuration, meaning configurations of cem_windows used prior to the release of v1.1.0. Update any legacy configuration to the current standard for configuring cem_windows.

v1.3.0

Released 15 December 2022

This release includes updates for users of the Microsoft Windows Server 2016 operating system. With this release, users can enforce Center for Internet Security (CIS) Microsoft Windows Server 2016 Benchmark v1.4.0. For a list of control updates, see Control updates introduced for CIS Microsoft Windows Server 2016 Benchmark v1.4.0.

v1.2.3

Released 25 October 2022

  • Added
    • Added a Puppet Bolt task, cem_delete_securitypolicy_inf, to use for error resolution. The Puppet Bolt task resolves a corruption error that can affect the temporary file that is used by Desired State Configuration (DSC) to manage the local security policy:
      • The error is indicated by the following message in the Puppet run log:
        Index operation failed; the array index evaluated to null
      • To resolve the error, run the cem_delete_securitypolicy_inf task and re-run Puppet on the affected node.
  • Changed
    • The product documentation was revised to improve usability and retrievability:
      • The change log was migrated from Puppet Forge to the central location for Puppet documentation, Puppet Docs. The change log was renamed to release notes.
      • The readme file was transformed into a series of topics with a structure similar to other Puppet documentation. The topics are now available on Puppet Docs.
      • The Reference and Dependencies documentation, which is generated automatically, remains on Puppet Forge.
  • Fixed
    • Fixed an error that prevented catalog retrieval from Puppet Enterprise (PE) during Continuous Delivery pipeline runs. This error occurred when the impact analysis tool was used to set up a temporary environment, which was then deleted. The _FILE_ variable continued to point to the deleted environment. As a result, the Puppet run returned an error message: Could not retrieve catalog from remote server.

v1.2.2

Released 10 August 2022

Fixed

  • Fixed typos in Microsoft Windows firewall logging paths managed by the following controls:
    • CIS Windows 10
      • 9.1.5
      • 9.2.5
      • 9.3.7
    • CIS Windows Server 2016
      • 9.1.5
      • 9.2.5
      • 9.3.7
    • CIS Windows Server 2019
      • 9.1.5
      • 9.2.5
      • 9.3.7
  • Fixed an issue that could cause the following controls to not be enforced:
    • CIS Windows 10
      • 18.9.17.2
      • 18.9.64.1
      • 18.9.65.3.10.1
      • 18.9.65.3.10.2
      • 18.9.65.3.2.1
      • 18.9.72.1
      • 18.9.75.1
      • 18.9.103.1
    • CIS Windows Server 2016
      • 18.9.45.10.1
    • CIS Windows Server 2019
      • 18.9.41.1
      • 18.9.45.1
      • 18.9.47.11.1
      • 18.9.65.3.10.1
      • 18.9.65.3.10.2
      • 18.9.65.3.2.1
      • 18.9.65.3.3.1
      • 18.9.65.3.3.3
      • 18.9.65.3.3.4
      • 18.9.67.2
      • 18.9.72.1
      • 18.9.89.1
      • 18.9.90.3
      • 18.9.102.2.2
      • 18.9.103.1
      • 18.9.47.5.1.2

v1.2.1

Released 31 May 2022

Fixed

  • Fixed a bug related to profile configuration on Microsoft Windows 10 nodes.

v1.2.0

Released 24 May 2022

  • Changed
    • Updated the Center for Internet Security (CIS) Windows Server 2019 Benchmark to version 1.3.0.
  • Fixed
    • Resolved issues leading to scan failures for the following CIS controls on Windows Server 2019:
      • 9.3.7
      • 9.2.5
      • 9.1.5
      • 18.9.108.4.1
      • 18.9.65.3.9.1
      • 18.8.3.1
      • 18.8.21.5
      • 18.5.21.1
      • 18.4.x
      • 18.2.1

v1.1.2

Released 12 May 2022

  • Changed
    • Updated the minimum required version of the dsc/auditpolicydsc module to 1.4.0-0-4. That dependency contains bug fixes and features required by cem_windows. Update your Puppetfile accordingly.
  • Fixed
    • Updated the default value for the Windows Attack Surface Reduction (ASR) rules to Audit instead of Block.
      • While the value of Audit is not CIS-compliant, setting the ASR rules to Block prevented the Puppet agent from successfully configuring the node.
      • If you see Puppet run errors like Could not evaluate: undefined method `[]' for nil:NilClass when enforcing CEM, manually set the Windows ASR rules to Audit. To learn more about Windows ASR rules, see Attack surface reduction rules overview.
    • Fixed an issue that applied more controls to a node than required by the configured profile and level.
    • Fixed an issue that caused controls that should be ignored to be applied. This issue occurred when the controls were mapped to a parameter of a resource that was not ignored.
    • Fixed several issues related to configuration backward-compatibility.
    Upgrade requirement: To ensure that the updates in this release take effect, you might have to restart the pe-puppetserver service on your Puppet primary server after Code Manager deploys the new code.

v1.1.1

Released 7 April 2022

  • Changed
    • Improved the display of controls in the Reference on Puppet Forge.
  • Fixed
    • Fixed several instances in which configurations from versions previous to v1.1.0 were not recognized. The v1.1.1 configuration is backward compatible with versions prior to v1.1.0.
    • Fixed an issue that required the cem_windows module to exist in the same environment as the Puppet primary server. The module now works when deployed to an environment other than the one used by your primary server.
    • Fixed incorrect Puppet Strings in the init.pp file.

v1.1.0

Released 24 March 2022

  • Added
    • The documentation was updated to list the controls that will be reported as failed or unknown in Puppet Comply after cem_windows is applied.

      Tip: A failed or unknown status is reported because the CIS-CAT Pro Assessor looks for registry keys that are configured by Microsoft Group Policy Objects rather than keys that are set locally by the cem_windows user. The CIS Windows benchmarks are designed to work only for domain-joined systems. At the time of the v1.1.0 release, CIS was working on Windows benchmarks for a standalone system to resolve the issue.

  • Changed
    • Updated the CIS Windows 10 Benchmark to v1.12.0 to match the latest benchmark version released with Comply 2.4.0.
    • The cem_windows module was updated to implement a new architecture. The new architecture, applied in the background, provides more flexibility for system configuration.

v1.0.7

Released 16 December 2021

  • Removed
    • Removed unnecessary resource defaults in two Windows Server 2016 control classes.

v1.0.6

Released 16 December 2021

  • Removed
    • Removed unnecessary resource defaults in Windows Server 2016 control classes.

v1.0.5

Released 8 December 2021

  • Fixed
    • Fixed non-idempotent Desired State Configuration (DSC) resources.
    • Fixed the registry key for Windows 10 CIS control 1.1.6. Now, this control will be properly configured.

v1.0.4

Released 7 December 2021

v1.0.3

Released 13 October 2021

  • Fixed
    • Fixed the default value for CIS control 2.3.1.1 to align with the expected value provided by CIS.
    • Fixed the cem_windows::allow_local_account_rdp parameter so that it works as intended.

v1.0.2

Released 11 October 2021

  • Fixed
    • Fixed firewall profiles to align with the CIS specification.

v1.0.1

Released 30 September 2021


Known issues and limitations

The current release includes known issues and limitations. In most cases, workarounds are provided.

  • A registry key override can occur when duplicate normalized names are used to specify CIS controls. The issue occurs because the normalized control names for two authentication settings related to Windows Remote Management (WinRM) are identical: the client (18.9.102.1.1) and service (18.9.102.2.1) controls normalize to the same name. The workaround is to configure the controls with the control numbers (18.9.102.1.1 and 18.9.102.2.1) or the normalized control numbers (c18_9_102_1_1 and c18_9_102_2_1). This issue occurs only in Windows 10 Enterprise environments.
  • In a Windows Server 2016 or 2019 environment, a scan failure is reported for CIS Control 2.3.10.12. The failure affects the following control: 2.3.10.12, (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None.' This control is enforced correctly but fails Security Compliance Management scans. The scans detect the backing registry value, type REG_MULTI_SZ. The expected value is a blank item as the first line in a multiline string. However, the Puppet module that manages registry settings does not permit the use of blank values. As a workaround, no value is set for the backing registry. A blank value and no value are functionally equivalent, resulting in the same configuration. For this reason, you can ignore the reported scan failure.
  • The Center for Internet Security (CIS) Control 18.2.1, 'Ensure LAPS AdmPwd GPO Extension / CSE is installed,' is not enforced. Control 18.2.1 requires downloading and installing the Local Administrator Password Solution (LAPS) client from the Microsoft website. Because SCE for Windows does not support third-party Windows package managers, this software cannot be installed. In addition, the CIS scanner scans only for the presence of the LAPS client .dll file but does not confirm that LAPS is configured or functional at the domain level.
  • You might see a scan failure and an error message such as Could not evaluate: undefined method... for Windows Attack Surface Reduction (ASR) rules. The scan failure occurs if you set the ASR rule to Block, as recommended by CIS guidelines. However, in that case, the Puppet agent cannot successfully configure the node. For this reason, use the default value of Audit and ignore the error message.

  • Some controls can fail scans. During a Security Compliance Management scan, you might see error messages about CIS recommended guidelines that are not enforced. These error messages are triggered by bugs in the Security Compliance Management console. SCE correctly enforces these settings. The following controls are affected:
    • 1.1.5 - Windows Server 2016 and Windows Server 2019
    • 1.1.6 - Windows Server 2016 and Windows Server 2019
    • 2.3.10.7 - Windows Server 2016
    • 18.2.1 - Windows Server 2019
    • 18.4.1 - Windows Server 2016 and Windows Server 2019
    • 18.4.8 - Windows Server 2016
    • 18.4.9 - Windows Server 2016 and Windows Server 2019
    • 18.4.12 - Windows Server 2016
    • 18.8.21.5 - Windows Server 2016
    • 18.9.47.5.1.2 - Windows Server 2019
    • 18.9.62.3.9.1 - Windows Server 2016
  • Puppet runs are not idempotent. If you see Desired State Configuration (DSC) resources showing corrective changes in a Puppet run, for example, Unknown feature "custom_isync", you are running an incompatible version of Puppet. SCE for Windows requires Puppet agent v7.8.0 or later on the Puppet 7 series; any version of Puppet 8 is also supported.
  • If the Puppet agent fails to upgrade when you use the puppetlabs/puppet_agent module, restart the computer or virtual machine where the Puppet agent is running to help ensure that updates are applied.
  • If you use remote desktop protocol (RDP) to access nodes, users who are members of the groups Guests and local accounts will not be able to log in by default. To provide access to these groups, set the sce_windows::allow_local_account_rdp parameter to true.
  • If non-admin users cannot log in to nodes, the issue might be related to event logs. By default, Windows Event Log does not clear events. When the event log of a node is full, only administrators can log in. To clear the event logs manually, find the specific recommendation in your compliance framework and configure the setting. In the Windows registry, locate the following key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application:Retention
    Then, set the Retention value to 0.
  • You cannot disable Windows Remote Management (WinRM). The WinRM service is required for the DSC modules and cannot be disabled.