Release notes
Review the release notes to learn about updates and resolved issues in the Compliance Enforcement Module (CEM) for Windows.
v1.5.2
Released 19 March 2024
CEM for Windows v1.5.2 introduces updates to enhance protection of Windows Server systems. Default values were changed for four Center for Internet Security (CIS) controls: three changes help to ensure that the controls are correctly enforced to protect the winreg registry key and internal system objects, and one relaxes a DNS-over-HTTPS setting that could stop agent nodes from reporting to the Puppet primary server.
- For Windows Server 2016, 2019, and 2022, the implementation of CIS Controls 2.3.10.8 and 2.3.10.9 was corrected. For both controls, the default value of the value parameter was changed to Machine. By enforcing these controls, you can help to prevent attackers from accessing sensitive configuration data in the winreg registry key.
- For Windows Server 2016, 2019, and 2022, the implementation of CIS Control 2.3.15.2 was updated to specify the correct path for the path parameter. By enforcing this control, you can help to prevent unauthorized users from modifying internal system objects.
- A default value was changed to help ensure that CIS Control 18.6.4.1 can be enforced without disrupting operations on Windows Server 2022 systems. CIS Control 18.6.4.1 enforces Domain Name System resolution over HTTPS (DoH) to help protect systems against spoofing and man-in-the-middle attacks. Previously, the default setting of Enabled: Require DoH could prevent agent nodes from reporting to the Puppet primary server. To resolve the issue, the setting was changed to Enabled: Allow DoH, so that DoH is allowed but not required.
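The following PowerShell check is an added example, not code from the release notes or from the cem_windows module. It reads the registry values that back the four controls above directly on the node, so you can confirm that enforcement had the intended effect. The registry paths, value names and expected values are assumptions taken from the CIS Windows Server benchmarks and Microsoft's DNS client policy rather than from this page; confirm them against the benchmark version you enforce.

```powershell
# Added example: verify the registry values behind the controls whose CEM defaults
# changed in v1.5.2. Not part of the CEM for Windows release notes or the cem_windows
# module. Paths and expected values are assumptions from the CIS benchmarks and the
# Windows DNS client policy; check them against your benchmark version.

$ErrorActionPreference = 'Stop'

function Get-RegValue {
    # Returns the data of a registry value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-MultiSzEquals {
    # Order- and case-insensitive comparison of two REG_MULTI_SZ lists (registry paths
    # are not case sensitive). Any missing, extra or misspelled entry fails the check.
    param([string[]]$Expected, [string[]]$Actual)
    if ($null -eq $Actual -or $Actual.Count -ne $Expected.Count) { return $false }
    $e = @($Expected | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object)
    $a = @($Actual   | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object)
    for ($i = 0; $i -lt $e.Count; $i++) { if ($e[$i] -ne $a[$i]) { return $false } }
    return $true
}

$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg'

# 2.3.10.8 'Network access: Remotely accessible registry paths' -> AllowedExactPaths\Machine
$expectedExact = @(
    'System\CurrentControlSet\Control\ProductOptions',
    'System\CurrentControlSet\Control\Server Applications',
    'Software\Microsoft\Windows NT\CurrentVersion'
)
# 2.3.10.9 '... registry paths and sub-paths' -> AllowedPaths\Machine
$expectedSub = @(
    'System\CurrentControlSet\Control\Print\Printers',
    'System\CurrentControlSet\Services\Eventlog',
    'Software\Microsoft\OLAP Server',
    'Software\Microsoft\Windows NT\CurrentVersion\Print',
    'Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'System\CurrentControlSet\Control\ContentIndex',
    'System\CurrentControlSet\Control\Terminal Server',
    'System\CurrentControlSet\Control\Terminal Server\UserConfig',
    'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration',
    'Software\Microsoft\Windows NT\CurrentVersion\Perflib',
    'System\CurrentControlSet\Services\SysmonLog'
)
$actualExact = Get-RegValue "$winreg\AllowedExactPaths" 'Machine'
$actualSub   = Get-RegValue "$winreg\AllowedPaths"      'Machine'

# 2.3.15.2 'System objects: Strengthen default permissions of internal system objects' -> ProtectionMode = 1
$protectionMode = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' 'ProtectionMode'

# 18.6.4.1 DoHPolicy: 1 = Prohibit, 2 = Allow DoH, 3 = Require DoH. Both 2 and 3 enable DoH,
# but with 3 Windows will not fall back to plain DNS, so resolvers without DoH break name
# resolution on the node. That is why the Require DoH default stopped agents from reporting.
$dohPolicy = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'DoHPolicy'
if     ($dohPolicy -eq 2) { $dohState = 'Allow DoH' }
elseif ($dohPolicy -eq 3) { $dohState = 'Require DoH: confirm every configured DNS server supports DoH' }
elseif ($dohPolicy -eq 1) { $dohState = 'Prohibit DoH' }
else                      { $dohState = 'Not configured' }

[pscustomobject]@{ Control = '2.3.10.8'; Compliant = (Test-MultiSzEquals $expectedExact $actualExact); Detail = ($actualExact -join '; ') }
[pscustomobject]@{ Control = '2.3.10.9'; Compliant = (Test-MultiSzEquals $expectedSub $actualSub);     Detail = ($actualSub -join '; ') }
[pscustomobject]@{ Control = '2.3.15.2'; Compliant = ($protectionMode -eq 1);                          Detail = "ProtectionMode=$protectionMode" }
[pscustomobject]@{ Control = '18.6.4.1'; Compliant = ($dohPolicy -in @(2, 3));                         Detail = $dohState }
```

Reading HKLM does not need elevation, so the script can run under the same account that you use to inspect Puppet run reports. The multi-string comparison is deliberately strict: a single extra path under AllowedPaths widens what a remote caller can read through the winreg pipe, which is exactly what the control is meant to prevent.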
v1.5.1
Released 6 October 2023
- Changed
  - Introduced a change that simplifies CEM for Windows configuration. In previous releases, CEM for Windows was configured to ignore the controls related to renaming the Administrator and Guest accounts. This default avoided rare cases in which the control settings could cause Puppet run failures. As a result, users who wanted to enable the controls had to specify an ignore list that did not include them. Specifying the controls in an only list did not help, because the ignore list took precedence over the only list. To resolve this issue, the default ignore list is now empty.
- Fixed
  - Fixed an issue that prevented some user-specified configuration options from being applied. The issue affected only some parameters on some controls.
v1.5.0
Released 22 August 2023
- Changed
  - This release includes updates that enhance security on Microsoft Windows 10 Enterprise, Windows Server 2019, and Windows Server 2016 operating systems. A benchmark upgrade can change control numbers and default values, so review the linked control updates before deploying:
    - For users of the Microsoft Windows 10 Enterprise operating system, the Center for Internet Security (CIS) Benchmark was upgraded from v1.12.0 to v2.0.0. For a list of control updates, see Control updates introduced for CIS Microsoft Windows 10 Enterprise Benchmark v2.0.0.
    - For users of the Windows Server 2019 operating system, the CIS Benchmark was upgraded from v1.3.0 to v2.0.0. For a list of control updates, see Control updates introduced for CIS Microsoft Windows Server 2019 Benchmark v2.0.0.
    - For users of the Windows Server 2016 operating system, the CIS Benchmark was upgraded from v1.4.0 to v2.0.0. For a list of control updates, see Control updates introduced for CIS Microsoft Windows Server 2016 Benchmark v2.0.0.
  - The CEM for Windows documentation now provides more detailed upgrade instructions, including preparation steps that you can take to help ensure a smooth upgrade. See Upgrading CEM.
- Fixed
  - Fixed an issue related to the cem_domain_controller fact, which incorrectly reported a value of false in all cases. Now, the cem_domain_controller fact correctly reports true when CEM for Windows runs on a domain controller.
v1.4.0
Released 27 June 2023
- Added
  - Enforcement of the Center for Internet Security (CIS) Microsoft Windows Server 2022 Benchmark v2.0.0.
- Changed
  - cem_windows no longer supports legacy configuration as of this update. Legacy configuration refers to configurations of cem_windows used prior to the release of v1.1.0; cem_windows is no longer compatible with them. Update any legacy configuration to the current standard for configuring cem_windows.
v1.3.0
Released 15 December 2022
This release includes updates for users of the Microsoft Windows Server 2016 operating system. With this release, users can enforce Center for Internet Security (CIS) Microsoft Windows Server 2016 Benchmark v1.4.0. For a list of control updates, see Control updates introduced for CIS Microsoft Windows Server 2016 Benchmark v1.4.0.
v1.2.3
Released 25 October 2022
- Added
  - Added a Puppet Bolt task, cem_delete_securitypolicy_inf, to use for error resolution. The task resolves a corruption error that can affect the temporary file that Desired State Configuration (DSC) uses to manage the local security policy:
    - The error is indicated by the following message in the Puppet run log: Index operation failed; the array index evaluated to null
    - To resolve the error, run the cem_delete_securitypolicy_inf task and re-run Puppet on the affected node.
- Changed
  - The product documentation was revised to improve usability and retrievability:
    - The change log was migrated from Puppet Forge to the central location for Puppet documentation, Puppet Docs. The change log was renamed to Release notes.
    - The readme file was transformed into a series of topics with a structure similar to other Puppet documentation. The CEM topics are now available on Puppet Docs, starting with Introducing the Compliance Enforcement Modules.
    - The Reference and Dependencies documentation, which is generated automatically, remains on Puppet Forge.
- Fixed
  - Fixed an error that prevented catalog retrieval from Puppet Enterprise (PE) during Continuous Delivery for Puppet Enterprise pipeline runs. The error occurred when the impact analysis tool was used to set up a temporary environment, which was then deleted. The _FILE_ variable continued to point to the deleted environment, so the Puppet run returned the error message Could not retrieve catalog from remote server.
v1.2.2
Released 10 August 2022
- Fixed typos in Microsoft Windows firewall logging paths managed by the following controls:
  - CIS Windows 10
    - 9.1.5
    - 9.2.5
    - 9.3.7
  - CIS Windows Server 2016
    - 9.1.5
    - 9.2.5
    - 9.3.7
  - CIS Windows Server 2019
    - 9.1.5
    - 9.2.5
    - 9.3.7
- Fixed an issue that could cause the following controls to not be enforced:
  - CIS Windows 10
    - 18.9.17.2
    - 18.9.64.1
    - 18.9.65.3.10.1
    - 18.9.65.3.10.2
    - 18.9.65.3.2.1
    - 18.9.72.1
    - 18.9.75.1
    - 18.9.103.1
  - CIS Windows Server 2016
    - 18.9.45.10.1
  - CIS Windows Server 2019
    - 18.9.41.1
    - 18.9.45.1
    - 18.9.47.11.1
    - 18.9.65.3.10.1
    - 18.9.65.3.10.2
    - 18.9.65.3.2.1
    - 18.9.65.3.3.1
    - 18.9.65.3.3.3
    - 18.9.65.3.3.4
    - 18.9.67.2
    - 18.9.72.1
    - 18.9.89.1
    - 18.9.90.3
    - 18.9.102.2.2
    - 18.9.103.1
    - 18.9.47.5.1.2
v1.2.1
Released 31 May 2022
- Fixed a bug related to profile configuration on Microsoft Windows 10 nodes.
v1.2.0
Released 24 May 2022
- Changed
  - Updated the Center for Internet Security (CIS) Windows Server 2019 Benchmark to version 1.3.0.
- Fixed
  - Resolved issues leading to scan failures for the following CIS controls on Windows Server 2019:
    - 9.3.7
    - 9.2.5
    - 9.1.5
    - 18.9.108.4.1
    - 18.9.65.3.9.1
    - 18.8.3.1
    - 18.8.21.5
    - 18.5.21.1
    - 18.4.x
    - 18.2.1
v1.1.2
Released 12 May 2022
- Changed
  - Updated the minimum required version of the dsc/auditpolicydsc module to 1.4.0-0-4. That dependency contains bug fixes and features required by cem_windows. Update your Puppetfile accordingly.
- Fixed
  - Updated the default value for the Windows Attack Surface Reduction (ASR) rules to Audit instead of Block.
    - While the value Audit is not CIS-compliant, setting the ASR rules to Block prevented the Puppet agent from successfully configuring the node.
    - If you see Puppet run errors like Could not evaluate: undefined method []' for nil:NilClass when enforcing CEM, manually set the Windows ASR rules to Audit. To learn more about Windows ASR rules, see Attack surface reduction rules overview.
- Fixed an issue that applied more controls to a node than required by the configured profile and level.
- Fixed an issue that caused controls that should be ignored to be applied. This issue occurred when the controls were mapped to a parameter of a resource that was not ignored.
- Fixed several issues related to configuration backward-compatibility.
  - Upgrade requirement: To ensure that the updates in this release take effect, you might have to restart the pe-puppetserver service on your Puppet primary server after Code Manager deploys the new code.
v1.1.1
Released 7 April 2022
- Changed
  - Improved the display of controls in the CEM Windows Reference.
- Fixed
  - Fixed several instances in which configurations from versions prior to v1.1.0 were not recognized. The v1.1.1 configuration is backward compatible with versions prior to v1.1.0.
  - Fixed an issue that required the cem_windows module to exist in the same environment as the Puppet primary server. You can now deploy the module to a different environment than your primary server, and the module remains operational.
  - Fixed incorrect Puppet Strings in the init.pp file.
v1.1.0
Released 24 March 2022
- Added
  - The documentation was updated to list the controls that are reported as failed or unknown in Comply after cem_windows is applied. Tip: A failed or unknown status is reported because the CIS-CAT Pro Assessor looks for registry keys that are configured by Microsoft Group Policy Objects rather than keys that are set locally by the cem_windows user. The CIS Windows benchmarks are designed to work only for domain-joined systems. At the time of the v1.1.0 release, CIS was working on Windows benchmarks for standalone systems to resolve the issue.
- Changed
  - Updated the CIS Windows 10 Benchmark to v1.12.0 to match the latest benchmark version released with Comply 2.4.0.
  - The cem_windows module was updated to implement a new architecture. The new architecture, applied in the background, provides more flexibility for system configuration. For details, see the readme file.
v1.0.7
Released 16 December 2021
- Removed
  - Removed unnecessary resource defaults in two Windows Server 2016 control classes.
v1.0.6
Released 16 December 2021
- Removed
  - Removed unnecessary resource defaults in Windows Server 2016 control classes.
v1.0.5
Released 8 December 2021
- Fixed
  - Fixed non-idempotent Desired State Configuration (DSC) resources.
  - Fixed the registry key for Windows 10 CIS control 1.1.6. Now, this control is configured properly.
v1.0.4
Released 7 December 2021
- Added
  - In the readme file, added a link to premium content installation instructions. To use CEM, you must be a premium content subscriber.
- Fixed
  - Fixed an issue that caused values for the dsc_accountpolicy parameter to be set incorrectly.
v1.0.3
Released 13 October 2021
- Fixed
  - Fixed the default value for CIS control 2.3.1.1 to align with the expected value provided by CIS.
  - Fixed the cem_windows::allow_local_account_rdp parameter so that it works as intended.
v1.0.2
Released 11 October 2021
- Fixed
  - Fixed firewall profiles to align with the CIS specification.
v1.0.1
Released 30 September 2021
- Fixed
  - Fixed the Windows 10 Hiera name to ensure that Windows 10 can be used. For more information about Hiera, see Configure settings with Hiera.
Known issues and limitations
The current release includes known issues and limitations. In most cases, workarounds are provided.
- On Windows Server 2022 systems, communication between agent nodes and the Puppet primary server can fail. This issue can occur in CEM for Windows v1.5.1 and earlier when CIS Windows Server 2022 Benchmark (2.0.0) Control 18.6.4.1 is enforced. In these circumstances, nodes might be prevented from sending reports to the Puppet primary server. The issue occurs because the control's default setting, Enabled: Require DoH, enforces Domain Name System resolution over HTTPS (DoH). The issue is resolved in CEM for Windows v1.5.2, in which the default setting was changed to Enabled: Allow DoH. If you choose to enforce Require DoH anyway, first confirm that every DNS server configured on the node supports DoH, because Windows then no longer falls back to plain DNS.
- An incorrect top-level key is shown in Hiera configuration examples. On Puppet Forge, the "Reference" section incorrectly shows "puppetlabs-cem_windows::config:" as the top-level key in the Hiera configuration examples. The correct top-level key is "cem_windows::config:".
- A registry key override can occur when duplicate normalized names are used to specify CIS controls. The normalized control names for the two authentication settings related to Windows Remote Management (WinRM) are identical for the client (18.9.102.1.1) and service (18.9.102.2.1) controls, so configuration intended for one of them can be applied to the other. The workaround is to configure the controls with the control numbers (18.9.102.1.1 and 18.9.102.2.1) or the normalized control numbers (c18_9_102_1_1 and c18_9_102_2_1). This issue occurs only in Windows 10 Enterprise environments.
- In a Windows Server 2016 or 2019 environment, a scan failure is reported for CIS Control 2.3.10.12, (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. This control is enforced correctly but fails Comply scans. The scans inspect the backing registry value, of type REG_MULTI_SZ, and expect a blank item as the first line of the multiline string. However, the Puppet module that manages registry settings does not permit blank values, so as a workaround the backing registry value is left with no value. A blank value and no value are functionally equivalent and result in the same configuration: no shares are accessible anonymously. For this reason, you can ignore the reported scan failure.
- CIS Control 18.2.1, 'Ensure LAPS AdmPwd GPO Extension / CSE is installed', is not enforced. Control 18.2.1 requires downloading and installing the Local Administrator Password Solution (LAPS) client from the Microsoft website. Because CEM for Windows does not support third-party Windows package managers, this software cannot be installed by the module. In addition, the CIS scanner checks only for the presence of the LAPS client .dll file and does not confirm that LAPS is configured or functional at the domain level.
- After an upgrade, you might have to restart Puppet Server or the pe-puppetserver service. Starting with v1.1.0, CEM for Windows implements a new architecture. If you upgrade CEM from v1.0.7 or earlier to v1.1.0 or later and you encounter errors, try restarting the pe-puppetserver service or restarting or reloading Puppet Server. For instructions, see Restarting Puppet Server.
- You might have to manually set Windows Attack Surface Reduction (ASR) rules to Audit. In cem_windows releases prior to v1.1.2, a default value of Block was set in the module to comply with CIS guidelines. However, the Block value prevented the Puppet agent from successfully configuring the node. For this reason, the default value was changed to Audit, which is not CIS compliant. If you see Puppet run errors like Could not evaluate: undefined method []' for nil:NilClass when enforcing CEM, manually set the Windows ASR rules to Audit. To learn more about Windows ASR rules, see Attack surface reduction rules overview. Audit mode only logs the activity that a rule would have blocked, so record the deviation from the benchmark and review the ASR audit events rather than treating Audit as equivalent to Block.
- Some controls can fail scans. During a Comply scan, you might see error messages about CIS recommended guidelines that are not enforced. These error messages are triggered by bugs in the CIS-CAT Pro Assessor that is bundled with Comply. CEM correctly enforces these settings. The following controls are affected:
  - 1.1.5 - Windows Server 2016 and Windows Server 2019
  - 1.1.6 - Windows Server 2016 and Windows Server 2019
  - 2.3.10.7 - Windows Server 2016
  - 18.2.1 - Windows Server 2019
  - 18.4.1 - Windows Server 2016 and Windows Server 2019
  - 18.4.8 - Windows Server 2016
  - 18.4.9 - Windows Server 2016 and Windows Server 2019
  - 18.4.12 - Windows Server 2016
  - 18.8.21.5 - Windows Server 2016
  - 18.9.47.5.1.2 - Windows Server 2019
  - 18.9.62.3.9.1 - Windows Server 2016
- Puppet runs are not idempotent. If you see Desired State Configuration (DSC) resources showing corrective changes in a Puppet run, for example, Unknown feature "custom_isync", you are running an incompatible version of Puppet. CEM for Windows requires that Puppet agents on the version 6 line are v6.23.0 or later, and agents on the version 7 line are v7.8.0 or later.
- If the Puppet agent fails to upgrade when you use the puppetlabs/puppet_agent module, restart the computer or virtual machine where the Puppet agent is running to help ensure that updates are applied.
- If you use Remote Desktop Protocol (RDP) to access nodes, users who are members of the Guests group, and local accounts, cannot log in by default. To provide access to these groups, set the cem_windows::allow_local_account_rdp parameter to true. Doing so widens the set of accounts that can reach the node over RDP, so enable it only where local-account RDP access is actually required.
- If non-admin users cannot log in to nodes, the issue might be related to event logs. By default, Windows Event Log does not clear (overwrite) old events. When the event log of a node is full, only administrators can log in. To let the log overwrite old events, find the specific recommendation in your compliance framework and configure the setting. In the Windows registry, locate the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application and set the Retention value to 0.
- You cannot disable Windows Remote Management (WinRM). The WinRM service is required for the DSC modules and cannot be disabled.
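The following PowerShell helpers are an added example, not code from the release notes or from the cem_windows module. They apply or verify the workarounds described above on a node: the Puppet agent version gate, switching ASR rules to Audit, the Event Log Retention value, and the effective state of the 2.3.10.12 registry value. The cmdlet parameters, registry paths and value types are assumptions taken from Microsoft's Defender and Event Log policy documentation and the CIS benchmark rather than from this page, and the puppet command is assumed to be on PATH.

```powershell
# Added example: apply or verify the known-issue workarounds on a node. Not part of the
# CEM for Windows release notes or the cem_windows module. Cmdlet parameters, registry
# paths and value types are assumptions from Microsoft documentation and the CIS benchmark.
# Run in an elevated PowerShell session.

$ErrorActionPreference = 'Stop'

function Test-PuppetAgentVersion {
    # Gate for the idempotency issue: 6.x agents must be >= 6.23.0, 7.x agents >= 7.8.0.
    # Other major versions are not covered by the release notes, so they are reported as
    # not verified rather than assumed good.
    param([string]$VersionString)   # e.g. the output of: puppet --version
    $v = [version]$VersionString.Trim()
    switch ($v.Major) {
        6       { return $v -ge [version]'6.23.0' }
        7       { return $v -ge [version]'7.8.0' }
        default { Write-Warning "Puppet $v is outside the 6.x/7.x lines covered here"; return $false }
    }
}

function Set-AsrRulesToAudit {
    # Switch every ASR rule that is currently configured to Audit (value 2) so that Puppet
    # runs stop failing with "undefined method []' for nil:NilClass". Set-MpPreference
    # replaces the whole rule list, so IDs and actions are passed as parallel arrays.
    # If ASR is managed by Group Policy or Intune, that policy overrides this local change.
    $ids = @((Get-MpPreference).AttackSurfaceReductionRules_Ids)
    if ($ids.Count -eq 0) { Write-Host 'No ASR rules are configured on this node.'; return }
    $actions = @($ids | ForEach-Object { 'AuditMode' })
    Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
    $after = Get-MpPreference
    for ($i = 0; $i -lt $after.AttackSurfaceReductionRules_Ids.Count; $i++) {
        # Actions are reported as integers: 0 Off, 1 Block, 2 Audit, 6 Warn.
        [pscustomobject]@{
            RuleId = $after.AttackSurfaceReductionRules_Ids[$i]
            Action = $after.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

function Set-ApplicationLogOverwrite {
    # Retention "0" (stored as REG_SZ in the policy key) means "overwrite events as needed",
    # so a full Application log no longer locks non-admin users out.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Retention' -Value '0' -Type String
    return (Get-ItemProperty -Path $key -Name 'Retention').Retention
}

function Get-NullSessionSharesState {
    # 2.3.10.12: the scanner expects a blank first line in the REG_MULTI_SZ, CEM leaves the
    # value empty. Both mean "no anonymously accessible shares"; report the effective state
    # so the scan failure can be dismissed with evidence rather than on trust.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
    $raw = (Get-ItemProperty -Path $key -Name 'NullSessionShares' -ErrorAction SilentlyContinue).NullSessionShares
    $shares = @($raw | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })
    [pscustomobject]@{ Raw = $raw; AnonymousShares = $shares; Compliant = ($shares.Count -eq 0) }
}

# Usage on the node:
# Test-PuppetAgentVersion (& puppet --version)
# Set-AsrRulesToAudit
# Set-ApplicationLogOverwrite
# Get-NullSessionSharesState
```

Set-AsrRulesToAudit and Set-ApplicationLogOverwrite change local state that CEM may re-manage on the next Puppet run, so apply them through your CEM configuration where a parameter exists and use the functions only to unblock a failing run or to confirm the result.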