Update PowerSTIG to successfully parse/apply Microsoft Windows 10 STI…

…G - Ver 2, Rel 1 (#797)

* initial commit

* updated convert

* updated disa copy paste error

CHANGELOG.md

@@ -5,6 +5,7 @@
 * Update PowerSTIG to include LegacyId to assist in determining Legacy Vuln Ids with the new DISA standard: [#788](https://github.com/microsoft/PowerStig/issues/788)
 * Update PowerSTIG to fix LegacyId logic: [#791](https://github.com/microsoft/PowerStig/issues/791)
 * Update PowerSTIG to successfully parse/apply Microsoft Windows 2012 and 2012 R2 MS STIG - Ver 3, Rel 1: [#785](https://github.com/microsoft/PowerStig/issues/785)
+* Update PowerSTIG to successfully parse/apply Microsoft Windows 10 STIG - Ver 2, Rel 1: [#783](https://github.com/microsoft/PowerStig/issues/783)
 * Update PowerSTIG to successfully parse/apply Microsoft Windows Defender Antivirus STIG - Ver 2, Rel 1: [#786](https://github.com/microsoft/PowerStig/issues/786)
 * Update PowerSTIG to successfully parse/apply Microsoft Windows Server 2019 STIG - Ver 2, Rel 1  [#787](https://github.com/microsoft/PowerStig/issues/787)
 * Update PowerSTIG to successfully parse/apply Microsoft Windows 2012 and 2012 R2 DC STIG - Ver 3, Rel 1: [#784](https://github.com/microsoft/PowerStig/issues/784)

source/Module/Common/Convert/Data.ps1

@@ -39,5 +39,6 @@ data exclusionRuleList
         V-94025 = 'Vsphere: To Be added in a future release'
         V-94533 = 'Vsphere: To Be added in a future release'
         V-102627 = 'No automation available based on STIG Guidance, Fix text recommends setting up Windows Hello for non-domain systems'
+        V-220946 = 'No automation available based on STIG Guidance, Fix text recommends setting up Windows Hello for non-domain systems'
 '@
 }

source/Module/Rule/Convert/Functions.ps1

@@ -49,13 +49,15 @@ function Test-ValueDataIsHardCoded
         'V-93147', # Windows Server 2019 - Legal Notice Display
         'V-205631', # Windows Server 2019 - Legal Notice Display
         'V-63675', # Windows Client - Legal Notice Display
+        'V-220921', # Windows Client - Legal Notice Display
         'V-26359', # Windows Server 2012R2 - Legal Banner Dialog Box Title
         'V-225466', # Windows Server 2012R2 (MS) - Legal Banner Dialog Box Title
         'V-226289', # Windows Server 2012R2 (DC) - Legal Banner Dialog Box Title
         'V-73649', # Windows Server 2016 - Legal Banner Dialog Box Title
         'V-93149', # Windows Server 2019 - Legal Banner Dialog Box Title
         'V-205632', # Windows Server 2019 - Legal Banner Dialog Box Title
         'V-63681', # Windows Client - Legal Banner Dialog Box Title
+        'V-220922', # Windows Client - Legal Banner Dialog Box Title
         'V-73805', # Windows Server - Disable SMB1 'V-70639' is on the client
         'V-225259', # Windows Server - Disable SMB1 'V-70639' is on the client
         'V-46477', # Internet Explorer - Publishers Certificate Revocation.
@@ -94,12 +96,12 @@ function Get-HardCodedString
 
     switch ($stigId)
     {
-        {$PSItem -match 'V-1089|V-63675|V-73647|V-93147|V-225465|V-226288|V-205631'}
+        {$PSItem -match 'V-1089|V-63675|V-73647|V-93147|V-225465|V-226288|V-205631|V-220921'}
         {
             Write-Verbose -Message "[$($MyInvocation.MyCommand.Name)] LegalNotice : $true"
             return $script:legalNoticeText
         }
-        {$PSItem -match 'V-26359|V-63681|V-73649|V-93149|V-225466|V-226289'}
+        {$PSItem -match 'V-26359|V-63681|V-73649|V-93149|V-225466|V-226289|V-220922'}
         {
             Write-Verbose -Message "[$($MyInvocation.MyCommand.Name)] LegalCaption : $true"
             return $script:legalNoticeCaption
@@ -157,6 +159,7 @@ function Get-HardCodedString
         'V-93149', # Windows Server 2019 - Legal Banner Dialog Box Title
         'V-205632', # Windows Server 2019 - Legal Banner Dialog Box Title
         'V-63681', # Windows 10 Client - Legal Banner Dialog Box Title
+        'V-220922', # Windows 10 Client - Legal Banner Dialog Box Title
         'V-17761', # Outlook 2013 - OrgSetting Value
         'V-75241', # Windows Defender - ASSignatureDue
         'V-213452', # Windows Defender - ASSignatureDue
@@ -211,7 +214,7 @@ function Get-HardCodedString
             $hardCodedString = "'{0}' -le '4'"
             continue
         }
-        {$PSItem -match 'V-26359|V-73649|V-93149|V-63681|V-225466|V-226289|V-205632'}
+        {$PSItem -match 'V-26359|V-73649|V-93149|V-63681|V-225466|V-226289|V-205632|V-220922'}
         {
             $hardCodedString = "'{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'"
             continue

source/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V2R1_Manual-xccdf.log

@@ -0,0 +1,16 @@
+V-220745::"Minimum password length,"::"Minimum password length"
+V-220747::"Store password using reversible encryption"::"Store passwords using reversible encryption"
+V-220836::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'; ValueData = 'Block'; ValueName = 'ShellSmartScreenLevel'; ValueType = 'String'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'; ValueData = $null; ValueName = 'EnableSmartScreen'; ValueType = 'Dword'; OrganizationValueTestString = "{0} -eq 1|2"}
+V-220860::Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\::Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\
+V-220805::Registry Path: \SOFTWARE\Policies\Microsoft\ Cryptography\Configuration\SSL\00010002\::Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\
+V-220704::*::HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE'; ValueData = $null; ValueName = 'MinimumPIN'; ValueType = 'DWord'; OrganizationValueTestString = 'ValueData is set to 0x00000006 (6) or greater '}
+V-220870::Value data: 0::Value: 0x00000000 (0)
+V-220871::Value data: 1::Value: 0x00000001 (1)
+V-220793::RegistryPath\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam::Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam
+V-220793::This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.::ValueType: REG_SZ
+V-220793::This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.::Value: Deny
+V-220793::Value Name: Deny::ValueName: Value
+V-220961::NT SERVICE\autotimesvc is added in v1909 cumulative update.::NT SERVICE\autotimesvc
+V-220891::OverrideExportAddressFilter: False::OverrideEnableExportAddressFilter: False
+V-220891::OverrideExportAddressFilterPlus: False::OverrideEnableExportAddressFilterPlus: False
+V-220891::OverrideImportAddressFilter: False::OverrideEnableImportAddressFilter: False

source/StigData/Processed/WindowsClient-10-2.1.org.default.xml

@@ -0,0 +1,83 @@
+<!--
+    The organizational settings file is used to define the local organizations
+    preferred setting within an allowed range of the STIG.
+
+    Each setting in this file is linked by STIG ID and the valid range is in an
+    associated comment.
+-->
+<OrganizationalSettings fullversion="2.1">
+  <!-- Ensure ValueData is set to 0x00000006 (6) or greater -->
+  <OrganizationalSetting id="V-220704" ValueData="" />
+  <!-- Ensure ''V-220739'' -ge '15' -or ''V-220739'' -eq '0'-->
+  <OrganizationalSetting id="V-220739" PolicyValue="15" />
+  <!-- Ensure ''V-220740'' -le '3' -and ''V-220740'' -ne '0'-->
+  <OrganizationalSetting id="V-220740" PolicyValue="3" />
+  <!-- Ensure ''V-220741'' -ge '15'-->
+  <OrganizationalSetting id="V-220741" PolicyValue="15" />
+  <!-- Ensure ''V-220742'' -ge '24'-->
+  <OrganizationalSetting id="V-220742" PolicyValue="24" />
+  <!-- Ensure ''V-220743'' -le '60' -and ''V-220743'' -ne '0'-->
+  <OrganizationalSetting id="V-220743" PolicyValue="30" />
+  <!-- Ensure ''V-220744'' -ge '1'-->
+  <OrganizationalSetting id="V-220744" PolicyValue="1" />
+  <!-- Ensure ''V-220745'' -ge '14'-->
+  <OrganizationalSetting id="V-220745" PolicyValue="14" />
+  <!-- Ensure ''V-220779'' -ge '32768'-->
+  <OrganizationalSetting id="V-220779" ValueData="32768" />
+  <!-- Ensure ''V-220780'' -ge '1024000'-->
+  <OrganizationalSetting id="V-220780" ValueData="1024000" />
+  <!-- Ensure ''V-220781'' -ge '32768'-->
+  <OrganizationalSetting id="V-220781" ValueData="32768" />
+  <!-- Ensure ''V-220806'' -match '1|ShouldBeAbsent'-->
+  <OrganizationalSetting id="V-220806" ValueData="1" />
+  <!-- Ensure ''V-220811.b'' -match '1|3'-->
+  <OrganizationalSetting id="V-220811.b" ValueData="1" />
+  <!-- Ensure ''V-220813'' -match '1|3|8'-->
+  <OrganizationalSetting id="V-220813" ValueData="1" />
+  <!-- Ensure ''V-220818'' -match '1|ShouldBeAbsent'-->
+  <OrganizationalSetting id="V-220818" ValueData="1" />
+  <!-- Ensure 'V-220836.b' -eq 1|2-->
+  <OrganizationalSetting id="V-220836.b" ValueData="1" />
+  <!-- Ensure ''V-220837'' -match '0|ShouldBeAbsent'-->
+  <OrganizationalSetting id="V-220837" ValueData="0" />
+  <!-- Ensure ''V-220838'' -match '0|ShouldBeAbsent'-->
+  <OrganizationalSetting id="V-220838" ValueData="0" />
+  <!-- Ensure ''V-220839'' -match '0|ShouldBeAbsent'-->
+  <OrganizationalSetting id="V-220839" ValueData="0" />
+  <!-- Ensure ''V-220847'' -ge '6'-->
+  <OrganizationalSetting id="V-220847" ValueData="6" />
+  <!-- Ensure ''V-220854'' -match '0|ShouldBeAbsent'-->
+  <OrganizationalSetting id="V-220854" ValueData="0" />
+  <!-- Ensure ''V-220858'' -match '0|ShouldBeAbsent'-->
+  <OrganizationalSetting id="V-220858" ValueData="0" />
+  <!-- Ensure location for DoD Root CA 2 certificate is present-->
+  <OrganizationalSetting id="V-220903.a" Location="" />
+  <!-- Ensure location for DoD Root CA 3 certificate is present-->
+  <OrganizationalSetting id="V-220903.b" Location="" />
+  <!-- Ensure location for DoD Root CA 4 certificate is present-->
+  <OrganizationalSetting id="V-220903.c" Location="" />
+  <!-- Ensure location for DoD Root CA 5 certificate is present-->
+  <OrganizationalSetting id="V-220903.d" Location="" />
+  <!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
+  <OrganizationalSetting id="V-220905.a" Location="" />
+  <!-- Ensure location for DoD Interoperability Root CA 1 certificate is present-->
+  <OrganizationalSetting id="V-220905.b" Location="" />
+  <!-- Ensure location for US DoD CCEB Interoperability Root CA 2 certificate is present-->
+  <OrganizationalSetting id="V-220906" Location="" />
+  <!-- Ensure ''V-220911'' -ne 'Administrator'-->
+  <OrganizationalSetting id="V-220911" OptionValue="" />
+  <!-- Ensure ''V-220912'' -ne 'Guest'-->
+  <OrganizationalSetting id="V-220912" OptionValue="" />
+  <!-- Ensure ''V-220918'' -le '30' -and ''V-220918'' -gt '0'-->
+  <OrganizationalSetting id="V-220918" ValueData="30" />
+  <!-- Ensure ''V-220920'' -le '900' -and ''V-220920'' -gt '0'-->
+  <OrganizationalSetting id="V-220920" ValueData="450" />
+  <!-- Ensure ''V-220922'' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'-->
+  <OrganizationalSetting id="V-220922" ValueData="US Department of Defense Warning Statement" />
+  <!-- Ensure ''V-220923'' -le '10'-->
+  <OrganizationalSetting id="V-220923" ValueData="10" />
+  <!-- Ensure ''V-220924'' -match '1|2'-->
+  <OrganizationalSetting id="V-220924" ValueData="1" />
+  <!-- Ensure ''V-220955'' -match '2|ShouldBeAbsent'-->
+  <OrganizationalSetting id="V-220955" ValueData="2" />
+</OrganizationalSettings>