Check: WN11-CC-000365
Microsoft Windows 11 STIG:
WN11-CC-000365
(in versions v2 r2 through v1 r1)
Title
Windows 11 must be configured to prevent Windows apps from being activated by voice while the system is locked. (Cat II impact)
Discussion
Allowing Windows apps to be activated by voice from the lock screen could allow for unauthorized use. Requiring logon will ensure the apps are only used by authorized personnel.
Check Content
The setting is NA when the "Allow voice activation" policy is configured to disallow applications to be activated with voice for all users. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\AppPrivacy\ Value Name: LetAppsActivateWithVoiceAboveLock Type: REG_DWORD Value: 0x00000002 (2) If the following registry value exists and is configured as specified, requirement is NA: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\AppPrivacy\ Value Name: LetAppsActivateWithVoice Type: REG_DWORD Value: 0x00000002 (2)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> App Privacy >> "Let Windows apps activate with voice while the system is locked" to "Enabled" with Default for all Apps: set to Force Deny. The requirement is NA if the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> App Privacy >> "Let Windows apps activate with voice" is configured to "Enabled" with Default for all Apps: set to Force Deny.
Additional Identifiers
Rule ID: SV-253422r958400_rule
Vulnerability ID: V-253422
Group Title: SRG-OS-000028-GPOS-00009
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000056 |
Retain the device lock until the user reestablishes access using established identification and authentication procedures. |
Controls
Number | Title |
---|---|
AC-11 |
Session Lock |