Benchmark Changelog
Benchmark updates are delivered via the compliance feed independently of Nanitor product releases. When updates are available, the Nanitor server fetches them automatically; no manual action is required.
This page tracks benchmark additions, updates, and changes. For a full list of supported benchmarks, see Benchmark Platforms Supported.
Released
v7.0.0 - April 2026
Nanitor v7.0.0 introduces benchmark upgrade controls that give administrators visibility and control over what changes are applied to their baselines. With these controls in place, several previously held-back major CIS version upgrades can now be safely released, alongside one new benchmark and a batch of false-positive corrections.
Server version requirements for this release
| Benchmark | Requires Nanitor server |
|---|---|
| Windows 11 Enterprise v4.0.0 | 7.0.0 or later |
| Windows Server 2019 v4.0.0 | 7.0.0 or later |
| Red Hat Enterprise Linux 9 v2.0.0 | 7.0.0 or later |
| Windows Server 2022 Stand-alone v1.0.0 | 6.7.0 or later |
| All other changes (false-positive fixes, check corrections) | No minimum |
Nanitor servers below the required version will continue to receive the prior benchmark versions from the compliance feed until the server is upgraded. The server-version floor on the three major upgrades is deliberate: v7.0.0 introduces benchmark upgrade controls so administrators can review baseline changes before they affect Configuration Health scores.
Major CIS version upgrades
- CIS Microsoft Windows 11 Enterprise v4.0.0. Major version update from v2.0.0 with 67 new rules, ~301 updated rules, and 31 removed. Aligns with the latest CIS recommendations for Windows 11. Administrators can review and apply changes on their own schedule using the new benchmark upgrade settings under Organization Management > General Settings.
- CIS Microsoft Windows Server 2019 v4.0.0. Major version update from v1.2.1 with 94 new rules, ~231 updated, and 47 removed. Includes a packaging fix for four empty groups that were missing create entries in the v4.0.0 migration.
- CIS Red Hat Enterprise Linux 9 v2.0.0. Major version update from v1.0.0 with 225 new rules, ~68 updated, and 173 removed.
New benchmark
- CIS Microsoft Windows Server 2022 Stand-alone v1.0.0. New benchmark for non-domain-joined Windows Server 2022 devices (374 rules). Automatically assigns to standalone Server 2022 systems alongside the existing domain-joined benchmark.
Check corrections and false-positive fixes
- Windows benchmarks — "Deny log on" user rights. Corrected inconsistent OVAL checks for "Deny log on as a service" and "Deny log on locally" across multiple Windows benchmarks. Rules now evaluate the correct user rights (SeDenyServiceLogonRight, SeDenyInteractiveLogonRight, SeDenyBatchLogonRight, SeDenyNetworkLogonRight) instead of reporting false failures on systems with the correct policy applied.
- Windows benchmarks — NullSessionPipes domain controller check. Fixed case-sensitive OVAL regex causing false positives on the NullSessionPipes DC check. Affects Windows Server 2012 R2, 2016, 2022, and 2025.
- Windows benchmarks — User-related rules by SID and join type. User-related rules now filter by SID and respect the device's machine-join type (domain-joined vs. standalone), reducing false failures on built-in and renamed accounts.
- CIS Microsoft Windows 11 Intune. Fixed three Defender rule false positives (Allow Behavior Monitoring, Allow Full Scan Removable Drive Scanning, Allow scanning of downloaded files) that were checking Group Policy registry paths instead of the Intune/MDM Policy Manager paths.
- CIS Microsoft Windows 10 Intune. Fixed LAPS rule registry paths and the "Password Length" rule (105.4 L1) to require 15 or more characters per the current CIS recommendation.
v6.9.1 - March 2026
New benchmark, bug fixes, and check corrections across Windows and Linux platforms.
- CIS Microsoft Windows Server 2025 Stand-alone v1.0.0. New benchmark for non-domain-joined Windows Server 2025 devices. Automatically assigns to standalone Server 2025 systems. The CPE auto-assignment logic has been updated (NAN-5856) to prevent dual-assignment with the domain-joined benchmark.
- CIS Ubuntu Linux 24.04 LTS. Fixed false failure results in crontab, UFW, and rsyslog checks.
- CIS Microsoft Windows Server 2019. Fixed false negative on "Rename guest account" check. Rule now uses SID-based lookup instead of username enumeration.
- CIS Microsoft Windows Server 2022. Baseline correction included with the WS2019 guest account fix.
- CIS Microsoft Windows 11 Intune. Fixed 3 Defender rules (Allow Behavior Monitoring, Allow Full Scan Removable Drive Scanning, Allow scanning of downloaded files) that were checking Group Policy registry paths instead of Intune/MDM Policy Manager paths.
- Print Spooler service check. Fixed false positive when the Spooler service is not installed (common on Server Core). Affected benchmarks: Windows 10, 11 Intune, Server 2012 R2, 2022, 2025, and 2025 Standalone.
v6.9.0 - February 2026
Bug fixes for two benchmarks addressing false failure results reported by customers. No baseline changes; these are targeted corrections to check logic only.
- CIS Microsoft Windows Server 2019. Fixed rule "Ensure 'Deny log on as a service' to include 'Guests'". The check was evaluating SeDenyInteractiveLogonRight instead of the correct SeDenyServiceLogonRight user right, causing systems with the correct policy applied to report incorrect results.
- CIS Ubuntu Linux 20.04 LTS. Fixed rule 5.4.2.4 "Ensure root password is set". The password hash detection regex did not match valid extended-format hashes (e.g. $6$rounds=656000$...), causing false failures on systems where the root password was correctly configured.
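The false-failure mode described for rule 5.4.2.4 can be reproduced with a small classifier. This is an added example, not Nanitor's check logic or OVAL content: both regular expressions, the function name `root_password_state` and the sample shadow entries are assumptions constructed here, and only SHA-crypt (`$5$`/`$6$`) hashes are covered.

```python
import re

# Constructed illustration: a pattern that only knows the $id$salt$hash layout.
NAIVE = re.compile(r"^\$[56]\$[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{43,86}$")
# Same pattern, additionally accepting SHA-crypt's optional "rounds=N$" field.
EXTENDED = re.compile(
    r"^\$[56]\$(?:rounds=\d{1,9}\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{43,86}$"
)


def root_password_state(shadow_text, pattern=EXTENDED):
    """Classify root's password field in /etc/shadow-style text.

    Returns "set", "empty", "locked", "unrecognized" or "missing".
    """
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or fields[0] != "root":
            continue
        pw = fields[1]
        if pw == "":
            return "empty"            # no password required at all
        if pw[0] in "!*":
            return "locked"           # "!", "*", "!!" or "!" followed by a hash
        return "set" if pattern.match(pw) else "unrecognized"
    return "missing"                  # no root entry in the input


# Constructed sample entries; salt and digest are filler, not real hashes.
SALT, DIGEST = "Zx9kQ2mLp0aB/c.D", "h" * 86
PLAIN = f"root:$6${SALT}${DIGEST}:19800:0:99999:7:::"
ROUNDS = f"root:$6$rounds=656000${SALT}${DIGEST}:19800:0:99999:7:::"
LOCKED = "root:!:19800:0:99999:7:::"
EMPTY = "root::19800:0:99999:7:::"

if __name__ == "__main__":
    # Print the naive and extended verdicts side by side for each entry.
    for name, entry in [("plain", PLAIN), ("rounds", ROUNDS),
                        ("locked", LOCKED), ("empty", EMPTY)]:
        print(name, root_password_state(entry, NAIVE),
              root_password_state(entry))
```

With the naive pattern the `rounds=` entry is reported as "unrecognized" even though a password is configured, which is the kind of false failure the fix removes.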
v6.7.0 and earlier
For changes included in previous releases, see the release notes for the corresponding Nanitor product version.