CIS: Windows Server 2022

This topic provides information about the hotfix containing Windows Server 2022  Security Configuration Benchmark Version 5.0.0. This template contains implementation for 433 rules that can be installed on TrueSight Server Automation 26.2.

Determine whether you need to install the template

If you are installing TrueSight Server Automation version 26.2 for the first time (fresh installation), no action is required because this template is installed as a part of the 26.2 installation process.

If you have upgraded to 20.x or later, this template is not installed automatically. To install this template, do one of the following actions:

• Perform the steps mentioned in this topic.
  Through this method, the CIS template for Windows Server 2022 is installed.

• Upgrade the compliance content by using one of the following methods:

  Warning

  Important

  Rename any existing customized template before you run the Auto Content Import Job or install the template manually. 

  • Through the Auto Content Import Job after the upgrade. During the Application Server upgrade, the Network Shell script of this job is updated. After you upgrade TrueSight Server Automation, execute this job to obtain the latest compliance content.
    Using this method, the latest version of all templates available in version 26.2 is installed. For the complete list of supported templates and their versions, see Compliance-Content-support-and-requirements.
  • Install manually by using the content installer. Ensure that you use the content installer of the same version as the Application Server version. For information about how to install the compliance content manually, see Walkthrough-Loading-compliance-content. 
    When you use this method, you have the flexibility to choose the template that you want to install from the set of templates that are available in version 26.2.

Before you begin

Before you install this hotfix, make sure that you perform the following:

• Some policy settings require installing the SecGuide custom templates. The SecGuide.admx and SecGuide.adml (available for download from the Microsoft site) must be copied to the Target Machine at the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories, respectively.
• Some policy settings require installing the MSS-Legacy custom templates. The MSS-Legacy.admx and MSS-Legacy.adml (These files can be downloaded from the Microsoft site) must be copied to the Target Machine at \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories, respectively.
• Save a backup of the extended_objects folder, which is at the following location on the file server:
  <File_Server_Root>/extended_objects/
• If the existing template is customized, make sure to rename it before importing the new one and then perform the steps described in the following sections.
• Make sure to review the template's local and global properties default values to match with the organization standards.
• Make sure you have reviewed the following points before running the compliance checks or performing remediation. The audit script automatically detects whether the target is a Domain Controller or a Member Server, so there's no need to manually set the DOMAIN property during compliance checks.

• Make sure to copy the required ADMX and ADML files to the respective directories of all target servers.
  • ADMX: C:\Windows\PolicyDefinitions 
  • ADML: C:\Windows\PolicyDefinitions\en-US 
  • These files are necessary for proper remediation. If not already present, these files can be downloaded from the Administrative Templates. 

Property Name	Impacted Rule	Default Value
PASSWORD_HISTORY_SIZE	1.1.1	24
MAX_PASSOWORD_AGE	1.1.2	365
MIN_PASSOWORD_AGE	1.1.3	1
PASSWORD_LENGTH	1.1.4	14
ACCOUNT_LOCKOUT_DURATION	1.2.1	15
ACCOUNT_LOCKOUT_THRESHOLD	1.2.2	5
ACCOUNT_PASSWORD_AGE	2.3.6.5	30
MACHINE_INACTIVITY_LIMIT	2.3.7.3	900
PUBLIC_PROFILE_LOG_FILE_SIZE	9.3.7	16384
PRIVATE_PROFILE_LOG_FILE_SIZE	9.2.5	16384
DOMAIN_PROFILE_LOG_FILE_SIZE	9.1.5	16384

Step 1: Downloading and installing the files

1. Download the CIS - Windows Server 2022 package from the EPD location by following these steps:
   1. Login to the BMC EPD Website.
   2. Navigate to the Additional Products tab, under ‘View By Category’, select Server Automation.
   3. Navigate to:
      1. TrueSight Server Automation > TrueSight Server Automation 26.1.0.0 or
      2. Navigate to TrueSight Server Automation Compliance Module > TrueSight Server Automation Compliance Module 26.1.0.0.

   4. Download the TSSA 26.1.00 CIS Updates for Windows Server 2022.

      The downloaded file includes the following:

      1. CIS - Windows Server 2022.zip
      2. CIS_Microsoft_Windows_Server_2022_Benchmark_v5.0.0.pdf
      3. RELEASE_NOTES_FOR_HOTFIX_OF_CIS_WINDOWS_2022.docx
      4. ExtendedObjects.zip

      Verify the downloaded content by using the following checksums.

      S.No	File Name	MD5SUM
      1	CIS - Windows Server 2022.zip	63fadf1b4b0368cb500d383419164f2e
      2	ExtendedObjects.zip	c422804b9c0efb4256d6cf0005d9964d

      Warning

      Important

      For TSSA versions 24.2 and below, the security setting of the rule (1.2.3 Ensure Allow Administrator account lockout is set to Enabled (MS only) is not available, hence compliance check needs to be evaluated manually.

      Copying Extended Objects

      1. Extract the ExtendedObjects zip to a temporary location. Back up the existing extended objects.
      2. Extended Objects location - <Appserver_Install_Path>/share/sensors/cis/win2022
      3. Replace the Extended Objects mentioned in the extracted zip on all app servers. All other existing extended objects need to remain intact. 

       

2. Move the CIS - Windows Server 2022 package to your RCP client server.

Step 3: Importing the Compliance Content

1. Log on the Console.
2. Right-click on Component Templates and click Import.
   
3. Select the Import (Version-neutral) option and click OK.
   
4. Select the updated CIS - Windows Server 2022.zip package from the temporary location.
   The CIS template for CIS - Windows Server 2022 is available in the CIS - Windows Server 2022.zip package. To import the templates, select the CIS - Windows Server 2022.zip and click Next. 
    
5. Make sure that you select the Update objects according to the imported package and Preserve template group path options before you click Next. Click Next
   
   
    

6. Navigate to the last screen of the wizard and click Finish.

   

7. Click OK. The templates are imported successfully and are shown under CIS Compliance Content > CIS.
   

Summary

Additional Information: The hotfix includes the Center for Internet Security (CIS) template for Windows Server 2022, with implementation of 433 rules, and can be installed on TrueSight Server Automation 20.x or later. This template is created based on the recommended settings defined by CIS Microsoft Windows Server 2022 Benchmark Version 5.0.0, published on February 20, 2026.

The template contains 433 rules.

Rules within the template

The following are the details of the 433 rules provided in the zip package. It contains the following types of rules:

• Rules that check for compliance(audit) and provides remediation = 433
• Rules that check for compliance(audit) but do not provide remediation = 0
• Rules that do not check for compliance and do not provide remediation = 0

The following are the details of the rules that are divided into parts:

Rules not divided into parts = 433

So, according to the CIS – Windows Server 2022 template, the current rule count after running the compliance job is 433.