Benchmark Changelog
Benchmark updates are delivered via the compliance feed independently of Nanitor product releases. When updates are available, the Nanitor server fetches them automatically; no manual action is required.
This page tracks benchmark additions, updates, and changes. For a full list of supported benchmarks, see Benchmark Platforms Supported.
Released
v7.1.0 - June 2026
Benchmark updates released following Nanitor v7.1.0. New benchmarks for macOS 26 (Tahoe), Debian Linux 13 (Trixie), and Windows 11 Stand-alone; major CIS version upgrades for Ubuntu 22.04 LTS and Windows Server 2016; and a batch of false-positive corrections across Windows and Apache HTTP Server benchmarks.
New benchmarks
- CIS macOS 26 (Tahoe) v1.0.0. New benchmark for Apple macOS 26 Tahoe. Automatically assigns to macOS 26 Tahoe devices. Both Level 1 and Level 2 profiles are included.
- CIS Debian Linux 13 (Trixie) v1.0.0. New benchmark for Debian 13 Trixie, the current Debian stable release. Automatically assigns to Debian 13 agents. Both Level 1 and Level 2 profiles are included.
- CIS Microsoft Windows 11 Stand-alone v4.0.0. New benchmark for non-domain-joined, non-Intune-managed Windows 11 devices. Automatically assigns to Stand-alone Windows 11 systems.
Major CIS version upgrades
- CIS Ubuntu Linux 22.04 LTS v3.0.0. Major upgrade from v1.0.0 — a two-version jump with significant rule additions, changes, and removals. Administrators can review and apply baseline changes on their own schedule using the benchmark upgrade controls under Organization Management > General Settings.
- CIS Microsoft Windows Server 2016 v4.0.0. Major upgrade from v1.3.0 — a three-version jump with 49 rules added, 10 removed, and 191 updated (net +39 rules; 427 of 428 rules automated). Administrators can review and apply baseline changes using the benchmark upgrade controls.
Check corrections and false-positive fixes
- Apache HTTP Server 2 — DoS Mitigation rules (8.1–8.4). Fixed OVAL logic causing false positives on Debian-based systems: checks for two config file paths were combined with OR instead of AND, causing rules to pass vacuously when the RHEL config file was absent. Also fixed a greedy regex on the Timeout rule (8.1) and corrected `check_existence` on three rules where Apache's default value is already compliant.
- Windows benchmarks — SMBv1 false positive when feature is fully removed. Rules checking the `mrxsmb10` service now treat a missing service registry key as a passing state — fully uninstalling the SMBv1 feature is compliant and more secure than disabling it. Affects Windows 10, Windows 11, Windows Server 2016, 2019, 2022, 2025, and 2025 Stand-alone benchmarks.
- Windows Server 2019 — "Deny log on" false positives. Three rules (2.2.17, 2.2.22, 2.2.25) were missing `entity_check="at least one"` on the trustee SID check, causing false failures when additional accounts such as domain groups were present in the deny list alongside Guests.
- Windows 11 Intune — ASR rules now accept Warn mode. Six ASR "Audit or higher" rules now accept Warn mode (value 6) alongside Block (1) and Audit (2), matching Microsoft's definition of Warn as a superset of Audit. Affected rules cover child process creation, obfuscated script execution, PSExec/WMI process creation, executable prevalence checks, and ransomware protection.
- Windows 11 and Windows 10 Enterprise — LAPS registry path corrected. LAPS rules in the AD-joined Enterprise benchmarks now check the modern Windows LAPS registry path (`SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS`) instead of the legacy AdmPwd path, eliminating false failures on devices using Windows LAPS configured via GPO.
- Windows Server 2022 — Defender Antivirus rules re-parented. Twenty-four Defender Antivirus rules that became invisible in the UI after a CIS section renumbering (18.9.69 → 18.10.43) have been re-parented to the correct group. The rules were still being evaluated and counted in scores but could not be viewed or managed from the rule list.
v7.0.0 - April 2026
Nanitor v7.0.0 introduces benchmark upgrade controls that give administrators visibility and control over what changes are applied to their baselines. With these controls in place, several previously held-back major CIS version upgrades can now be safely released, alongside one new benchmark and a batch of false-positive corrections.
Server version requirements for this release
| Benchmark | Requires Nanitor server |
|---|---|
| Windows 11 Enterprise v4.0.0 | 7.0.0 or later |
| Windows Server 2019 v4.0.0 | 7.0.0 or later |
| Red Hat Enterprise Linux 9 v2.0.0 | 7.0.0 or later |
| Windows Server 2022 Stand-alone v1.0.0 | 6.7.0 or later |
| All other changes (false-positive fixes, check corrections) | No minimum |
Nanitor servers below the required version will continue to receive the prior benchmark versions from the compliance feed until the server is upgraded. The server-version floor on the three major upgrades is deliberate: v7.0.0 introduces benchmark upgrade controls so administrators can review baseline changes before they affect Configuration Health scores.
Major CIS version upgrades
- CIS Microsoft Windows 11 Enterprise v4.0.0. Major version update from v2.0.0 with 67 new rules, ~301 updated rules, and 31 removed. Aligns with the latest CIS recommendations for Windows 11. Administrators can review and apply changes on their own schedule using the new benchmark upgrade settings under Organization Management > General Settings.
- CIS Microsoft Windows Server 2019 v4.0.0. Major version update from v1.2.1 with 94 new rules, ~231 updated, and 47 removed. Includes a packaging fix for four empty groups that were missing create entries in the v4.0.0 migration.
- CIS Red Hat Enterprise Linux 9 v2.0.0. Major version update from v1.0.0 with 225 new rules, ~68 updated, and 173 removed.
New benchmark
- CIS Microsoft Windows Server 2022 Stand-alone v1.0.0. New benchmark for non-domain-joined Windows Server 2022 devices (374 rules). Automatically assigns to standalone Server 2022 systems alongside the existing domain-joined benchmark.
Check corrections and false-positive fixes
- Windows benchmarks — "Deny log on" user rights. Corrected inconsistent OVAL checks for "Deny log on as a service" and "Deny log on locally" across multiple Windows benchmarks. Rules now evaluate the correct user rights (`SeDenyServiceLogonRight`, `SeDenyInteractiveLogonRight`, `SeDenyBatchLogonRight`, `SeDenyNetworkLogonRight`) instead of reporting false failures on systems with the correct policy applied.
- Windows benchmarks — NullSessionPipes domain controller check. Fixed case-sensitive OVAL regex causing false positives on the NullSessionPipes DC check. Affects Windows Server 2012 R2, 2016, 2022, and 2025.
- Windows benchmarks — User-related rules by SID and join type. User-related rules now filter by SID and respect the device's machine-join type (domain-joined vs. standalone), reducing false failures on built-in and renamed accounts.
- CIS Microsoft Windows 11 Intune. Fixed three Defender rule false positives (Allow Behavior Monitoring, Allow Full Scan Removable Drive Scanning, Allow scanning of downloaded files) that were checking Group Policy registry paths instead of the Intune/MDM Policy Manager paths.
- CIS Microsoft Windows 10 Intune. Fixed LAPS rule registry paths and the "Password Length" rule (105.4 L1) to require 15 or more characters per the current CIS recommendation.
v6.9.1 - March 2026
New benchmark, bug fixes, and check corrections across Windows and Linux platforms.
- CIS Microsoft Windows Server 2025 Stand-alone v1.0.0. New benchmark for non-domain-joined Windows Server 2025 devices. Automatically assigns to standalone Server 2025 systems. The CPE auto-assignment logic has been updated (NAN-5856) to prevent dual-assignment with the domain-joined benchmark.
- CIS Ubuntu Linux 24.04 LTS. Fixed false failure results in crontab, UFW, and rsyslog checks.
- CIS Microsoft Windows Server 2019. Fixed false negative on "Rename guest account" check. Rule now uses SID-based lookup instead of username enumeration.
- CIS Microsoft Windows Server 2022. Baseline correction included with the WS2019 guest account fix.
- CIS Microsoft Windows 11 Intune. Fixed 3 Defender rules (Allow Behavior Monitoring, Allow Full Scan Removable Drive Scanning, Allow scanning of downloaded files) that were checking Group Policy registry paths instead of Intune/MDM Policy Manager paths.
- Print Spooler service check. Fixed false positive when the Spooler service is not installed (common on Server Core). Affected benchmarks: Windows 10, 11 Intune, Server 2012 R2, 2022, 2025, and 2025 Standalone.
v6.9.0 - February 2026
Bug fixes for two benchmarks addressing false failure results reported by customers. No baseline changes; these are targeted corrections to check logic only.
- CIS Microsoft Windows Server 2019. Fixed rule "Ensure 'Deny log on as a service' to include 'Guests'". The check was evaluating `SeDenyInteractiveLogonRight` instead of the correct `SeDenyServiceLogonRight` user right, causing systems with the correct policy applied to report incorrect results.
- CIS Ubuntu Linux 20.04 LTS. Fixed rule 5.4.2.4 "Ensure root password is set". The password hash detection regex did not match valid extended-format hashes (e.g. `$6$rounds=656000$...`), causing false failures on systems where the root password was correctly configured.
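The false failure described in the Ubuntu 20.04 fix above can be reproduced with the following added example, which is not Nanitor's or CIS's check code. `NARROW` is an assumed stand-in for a pre-fix pattern, `EXTENDED` goes slightly beyond the changelog by accepting any single parameter field before the salt (such as `rounds=N`), and the shadow lines are constructed with dummy salts and digests.

```python
import re

# Assumed "before" pattern: accepts only $id$salt$hash, so a hash that
# carries an extra rounds=N field is not recognised as a password hash.
NARROW = re.compile(r"^\$[0-9a-z]+\$[./A-Za-z0-9]+\$[./A-Za-z0-9]+$")

# Also accepts one optional parameter field before the salt, for example
# rounds=656000 (SHA-crypt) or j9T (yescrypt).
EXTENDED = re.compile(
    r"^\$[0-9a-z]+\$(?:[A-Za-z0-9=,./]+\$)?[./A-Za-z0-9]+\$[./A-Za-z0-9]+$"
)

# Constructed /etc/shadow content; salts and digests are dummy strings.
SAMPLE_SHADOW = """\
root:$6$rounds=656000$c0nstructedSalt$DUMMYdigest./0123456789abcdef:19800:0:99999:7:::
alice:$6$c0nstructedSalt$DUMMYdigest./0123456789abcdef:19800:0:99999:7:::
bob:$y$j9T$c0nstructedSalt$DUMMYdigest./0123456789abcdef:19800:0:99999:7:::
svc:!:19800:0:99999:7:::
lockedhash:!$6$c0nstructedSalt$DUMMYdigest:19800:0:99999:7:::
nopass::19800:0:99999:7:::
"""


def password_state(field, pattern):
    """Classify the second field of a shadow entry."""
    if field == "":
        return "empty"          # no password required to log in
    if field[0] in "!*":
        return "locked"         # password login disabled
    return "set" if pattern.fullmatch(field) else "unrecognised"


def audit(shadow_text, pattern):
    """Return {username: state} for every entry in shadow_text."""
    states = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        states[parts[0]] = password_state(parts[1], pattern)
    return states


if __name__ == "__main__":
    for name, pattern in (("narrow", NARROW), ("extended", EXTENDED)):
        print(name, audit(SAMPLE_SHADOW, pattern))
```

A check that maps "unrecognised" to a failure reports root as non-compliant under `NARROW` even though a password is set; keeping "unrecognised" distinct from "empty" and "locked" makes this kind of false failure visible in triage.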
v6.7.0 and earlier
For changes included in previous releases, see the release notes for the corresponding Nanitor product version.