Various fix

Signed-off-by: Mathieu Fortin <[email protected]>
ansible-lockdown · Apr 15, 2024 · 5e515c2 · 5e515c2
1 parent c28f311
commit 5e515c2
Showing 1 changed file with 31 additions and 18 deletions.
diff --git a/tasks/section18.yml b/tasks/section18.yml
@@ -559,15 +559,14 @@
       - patch
       - netbios
 
-- name: "18.6.4.2 | PATCH | Ensure Turn off multicast name resolution is set to Enabled MS Only | Member Server"
+- name: "18.6.4.2 | PATCH | Ensure Turn off multicast name resolution is set to Enabled"
   ansible.windows.win_regedit:
       path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient
       name: EnableMulticast
       data: 0
       type: dword
   when:
       - win19cis_rule_18_6_4_2
-      - win2019cis_is_domain_member
   tags:
       - level1-domaincontroller
       - level1-memberserver
@@ -2771,7 +2770,7 @@
   ansible.windows.win_regedit:
       path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
       name: DisableRealtimeMonitoring
-      data: 1
+      data: 0
       datatype: dword
   when:
       - win19cis_rule_18_10_43_10_2
@@ -3346,20 +3345,6 @@
       - patch
       - wik
 
-- name: "18.10.81.1 | PATCH | Ensure Allow user control over installs is set to Disabled"
-  ansible.windows.win_regedit:
-      path: HKLM:\Software\Policies\Microsoft\Windows\Installer
-      name: EnableUserControl
-      data: 0
-      type: dword
-  when:
-      - win19cis_rule_18_10_81_1
-  tags:
-      - level1-domaincontroller
-      - level1-memberserver
-      - rule_18.10.81.1
-      - patch
-
 - name: "18.10.80.2 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'"
   block:
       - name: "18.10.80.2 | AUDIT | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Warning Check For Variable Standards."
@@ -3396,6 +3381,34 @@
       - automated
       - patch
 
+- name: "18.10.81.1 | PATCH | Ensure Allow user control over installs is set to Disabled"
+  ansible.windows.win_regedit:
+      path: HKLM:\Software\Policies\Microsoft\Windows\Installer
+      name: EnableUserControl
+      data: 0
+      type: dword
+  when:
+      - win19cis_rule_18_10_81_1
+  tags:
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_18.10.81.1
+      - patch
+
+- name: "18.10.81.2 | PATCH | Ensure 'Always install with elevated privileges' is set to 'Disabled'"
+  ansible.windows.win_regedit:
+      path: HKLM:\Software\Policies\Microsoft\Windows\Installer
+      name: AlwaysInstallElevated
+      data: 0
+      type: dword
+  when:
+      - win19cis_rule_18_10_81_2
+  tags:
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_18.10.81.2
+      - patch
+
 - name: "18.10.81.3 | PATCH | Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled"
   ansible.windows.win_regedit:
       path: HKLM:\Software\Policies\Microsoft\Windows\Installer
@@ -3658,7 +3671,7 @@
         ansible.windows.win_regedit:
             path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
             name: ManagePreviewBuildsPolicyValue
-            data: 0
+            data: 1
             type: dword
   when:
       - win19cis_rule_18_10_93_4_1