Check: WN11-00-000015
Microsoft Windows 11 STIG:
WN11-00-000015
(in versions v2 r2 through v1 r1)
Title
Windows 11 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. (Cat II impact)
Discussion
UEFI provides additional security features in comparison to legacy BIOS firmware, including Secure Boot. UEFI is required to support additional security features in Windows 11, including virtualization-based Security and Credential Guard. Systems with UEFI that are operating in Legacy BIOS mode will not support these security features.
Check Content
For virtual desktop implementations (VDIs) where the virtual desktop instance is deleted or refreshed upon logoff, this is NA. Verify the system firmware is configured to run in UEFI mode, not Legacy BIOS. Run "System Information". Under "System Summary", if "BIOS Mode" does not display "UEFI", this is a finding.
Fix Text
Configure UEFI firmware to run in UEFI mode, not Legacy BIOS mode.
Additional Identifiers
Rule ID: SV-253256r971547_rule
Vulnerability ID: V-253256
Group Title: SRG-OS-000424-GPOS-00188
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002391 |
Monitor organization-defined system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks. |
| CCI-002421 |
Implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission. |