Search - ScriptShare

Search Results

Enables “Allow enhanced PINs for startup” for BitLocker‑protectedoperating‑system drives (CIS control 18.10.9.2.1)

This script fixes the windows CIS Benchmark check 18.10.9.2.1: "Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'."

Creates or sets HKLM\SOFTWARE\Policies\Microsoft\FVE\UseEnhancedPin to the DWORD value 1, which the ADMX interprets as Enabled.

Notes

• Tested on Windows 10/11 and Server 2019/2022 (PowerShell 5.1+). • Run as Administrator or SYSTEM (Intune, GPO startup, RMM, etc.). • Idempotent – safe to execute repeatedly. • No reboot is required.

XXeroSec

5mo ago

v1PowerShell Windows

cis_win11_enterprise 18.10.9.2.10

Fix Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'.

This script fixes the windows CIS Benchmark check 18.10.9.2.10: "Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'."

XXeroSec

5mo ago

v1PowerShell Windows

cis_win11_enterprise 18.10.9.2.11

Fix Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'.

This script fixes the windows CIS Benchmark check 18.10.9.2.11: "Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'."

XXeroSec

5mo ago

v1PowerShell Windows

cis_win11_enterprise 18.10.9.2.12

Fix Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'.

This script fixes the windows CIS Benchmark check 18.10.9.2.12: "Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'."

XXeroSec

5mo ago

v1PowerShell Windows

cis_win11_enterprise 18.10.9.2.13

Fix Ensure 'Require additional authentication at startup' is set to 'Enabled'.

This script fixes the windows CIS Benchmark check 18.10.9.2.13: "Ensure 'Require additional authentication at startup' is set to 'Enabled'."

XXeroSec

5mo ago

v1PowerShell Windows

cis_win11_enterprise 18.10.9.2.14

Fix Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'.

This script fixes the windows CIS Benchmark check 18.10.9.2.14: "Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'."

XXeroSec

5mo ago

v1PowerShell Windows

cis_win11_enterprise 18.10.9.2.15

This script fixes the CIS benchmark check for 'Require additional authentication at startup: Configure TPM startup' by setting the registry key to disable TPM usage.

This script fixes the windows CIS Benchmark check 18.10.9.2.15: "Ensure 'Require additional authentication at startup: Configure TPM startup:' is set to 'Enabled: Do not allow TPM'."

The script sets the registry value at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\UseTPM to 0 (DWORD), which corresponds to 'Enabled: Do not allow TPM'. It also verifies the change and reports the result.

Parameters

None This script does not require any parameters.

Notes

This script must be run with administrative privileges.
It modifies system registry settings directly, which may be overridden by Group Policy.
Ensure compatibility with your environment and security policies before running.

XXeroSec

5mo ago

v1PowerShell Windows

cis_win11_enterprise 18.10.9.2.16

Fix Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM'.

This script fixes the windows CIS Benchmark check 18.10.9.2.16: "Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM'."

XXeroSec

5mo ago

v1PowerShell Windows

cis_win11_enterprise 18.10.9.2.17

Fix Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM'.

This script fixes the windows CIS Benchmark check 18.10.9.2.17: "Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM'."

XXeroSec

5mo ago

v1PowerShell Windows

cis_win11_enterprise 18.10.9.2.18

This script fixes the CIS benchmark check for 'Require additional authentication at startup: Configure TPM startup key and PIN' by setting the registry key to the required state.

This script fixes the windows CIS Benchmark check 18.10.9.2.18: "Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM'."

The script sets the registry value at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\UseTPMKeyPIN to 0 (DWORD), which corresponds to 'Enabled: Do not allow startup key and PIN with TPM'. It also verifies the change and outputs the result.

Notes

This script must be run with administrative privileges.
Changes may require a system reboot to take full effect.
This modifies BitLocker-related policies; ensure you understand the implications before running.

XXeroSec

5mo ago

Search Results

ago