Title

Windows 11 must be configured to prevent Windows apps from being activated by voice while the system is locked. (Cat II impact)

Discussion

Allowing Windows apps to be activated by voice from the lock screen could allow for unauthorized use. Requiring logon will ensure the apps are only used by authorized personnel.

Check Content

The setting is NA when the "Allow voice activation" policy is configured to disallow applications to be activated with voice for all users. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\AppPrivacy\ Value Name: LetAppsActivateWithVoiceAboveLock Type: REG_DWORD Value: 0x00000002 (2) If the following registry value exists and is configured as specified, requirement is NA: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\AppPrivacy\ Value Name: LetAppsActivateWithVoice Type: REG_DWORD Value: 0x00000002 (2)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> App Privacy >> "Let Windows apps activate with voice while the system is locked" to "Enabled" with Default for all Apps: set to Force Deny. The requirement is NA if the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> App Privacy >> "Let Windows apps activate with voice" is configured to "Enabled" with Default for all Apps: set to Force Deny.

Additional Identifiers

Rule ID: SV-253422r829350_rule

Vulnerability ID: V-253422

Group Title: SRG-OS-000028-GPOS-00009

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.