This script fixes the Windows CIS Benchmark check 5.1: "Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'."
The script:
.\Disable-BTAGService.ps1
This script fixes the Windows CIS Benchmark check 2.3.7.5: "Configure 'Interactive logon: Message text for users attempting to log on'."
Message: The warning text displayed to users before they log on. Defaults to a generic placeholder.
.\Set-LogonBanner.ps1 -Message "This computer is property of Example Corp. Unauthorized use is prohibited."
This script fixes the Windows CIS Benchmark check 2.3.7.6: "Configure 'Interactive logon: Message title for users attempting to log on'."
Title: Text displayed in the window title bar of the logon-message dialog.
Message: Multi-line warning shown in the body of the logon-message dialog.
.\Set-LogonBannerTitle.ps1 `
    -Title "Authorized Use Only" `
    -Message @"
THIS COMPUTER SYSTEM IS THE PROPERTY OF EXAMPLE CORPORATION.
UNAUTHORIZED ACCESS OR USE IS PROHIBITED AND SUBJECT TO DISCIPLINARY
ACTION AND PROSECUTION. USERS HAVE NO EXPECTATION OF PRIVACY.
BY CONTINUING, YOU CONSENT TO MONITORING.
"@
This script fixes the Windows CIS Benchmark check 2.3.1.4: "Configure 'Accounts: Rename administrator account'."
NewName: New name for the built-in Administrator account. Defaults to "LocalAdmin".
.\Rename-Administrator.ps1 -NewName "WorkstationSvc"
This script fixes the Windows CIS Benchmark check 18.10.9.2.1: "Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'."
Creates or sets HKLM\SOFTWARE\Policies\Microsoft\FVE\UseEnhancedPin to the DWORD value 1, which the ADMX interprets as Enabled.
• Tested on Windows 10/11 and Server 2019/2022 (PowerShell 5.1+).
• Run as Administrator or SYSTEM (Intune, GPO startup, RMM, etc.).
• Idempotent – safe to execute repeatedly.
• No reboot is required.
This script fixes the Windows CIS Benchmark check 18.10.9.2.4: "Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'."
Sets HKLM\SOFTWARE\Policies\Microsoft\FVE\OSManageDRA (REG_DWORD) to 1.
• Run as Administrator or SYSTEM.
• Safe to execute repeatedly.
This script fixes the Windows CIS Benchmark check 18.10.9.3.1: "Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled'."
Creates HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVDiscoveryVolumeType (REG_SZ) with a blank string. A blank value satisfies the CIS “Disabled” state.
• Tested on Windows 10/11 x64 and Server 2022 (PowerShell 5.1+)
• Requires elevation (run as SYSTEM or Administrator)
• No reboot is required; BitLocker compliance is immediate
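The two FVE policy values described above (UseEnhancedPin as DWORD 1, RDVDiscoveryVolumeType as a blank REG_SZ), audited and optionally set in one idempotent pass. This is an added example, not one of the scripts listed on this page; the function names and the -Remediate switch are assumptions.

```powershell
#Requires -Version 5.1
# Added example: function names and the -Remediate switch are assumptions.
$FvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Expected state, taken from the descriptions on this page.
$Expected = @(
    @{ Name = 'UseEnhancedPin';         Type = 'DWord';  Value = 1  }
    @{ Name = 'RDVDiscoveryVolumeType'; Type = 'String'; Value = '' }
)

# Returns the data and registry type of a value, or nothing if it is absent.
function Get-FveState($Name) {
    $key = Get-Item -Path $FvePath -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $Name)) {
        [pscustomobject]@{
            Data = $key.GetValue($Name)
            Kind = "$($key.GetValueKind($Name))"
        }
    }
}

# A missing value is not the same as a blank REG_SZ, so presence, type and
# data are all checked.
function Test-FveValue($Item) {
    $s = Get-FveState $Item.Name
    [bool]($s -and $s.Kind -eq $Item.Type -and $s.Data -eq $Item.Value)
}

function Invoke-FveAudit {
    param([switch]$Remediate)   # writing requires elevation
    foreach ($item in $Expected) {
        if ($Remediate -and -not (Test-FveValue $item)) {
            if (-not (Test-Path $FvePath)) {
                New-Item -Path $FvePath -Force | Out-Null
            }
            New-ItemProperty -Path $FvePath -Name $item.Name `
                -Value $item.Value -PropertyType $item.Type -Force | Out-Null
        }
        # Re-read after any write so the result reflects the registry itself.
        [pscustomobject]@{
            Name      = $item.Name
            Compliant = (Test-FveValue $item)
        }
    }
}

Invoke-FveAudit   # audit only; add -Remediate to write the values
```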
This script fixes the Windows CIS Benchmark check 18.10.43.5: "Ensure 'Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'."
This script fixes the Windows CIS Benchmark check 18.10.9.3.7: "Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False'."