
(127) Windows Autopilot - "Required" Reboots

  • Writer: Mr B SOE way
  • May 30, 2024
  • 1 min read

As part of CIS Windows 11 Benchmark 3.0.0, there are five settings which cause reboots during Autopilot.

You can see which policy URIs Windows has flagged as requiring a reboot under the registry key HKLM:\SOFTWARE\Microsoft\Provisioning\SyncML\RebootRequiredURIs.
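The following PowerShell snippet is an added example (not from the original post) that enumerates every value under that key so you can see which CSP URIs triggered the reboot requirement. The exact value layout under the key is an assumption here, so the function prints every value name and its data rather than relying on a specific format.

```powershell
# Added example: list the CSP URIs recorded as requiring a reboot during
# MDM/Autopilot provisioning. Run elevated.
function Get-RebootRequiredUri {
    $key = 'HKLM:\SOFTWARE\Microsoft\Provisioning\SyncML\RebootRequiredURIs'

    if (-not (Test-Path -Path $key)) {
        Write-Output "Key not present: no reboot-requiring policy has been recorded."
        return
    }

    # The key itself plus any subkeys (layout is an assumption; we read everything)
    $items = @(Get-Item -Path $key) + @(Get-ChildItem -Path $key -Recurse)

    foreach ($item in $items) {
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key   = $item.Name
                Name  = $name
                Data  = $item.GetValue($name)
                # Password-policy URIs live under the DeviceLock area of the Policy CSP;
                # flagging them here is a convenience, not a guarantee of the value format.
                IsDeviceLock = ($name -like '*DeviceLock*') -or ("$($item.GetValue($name))" -like '*DeviceLock*')
            }
        }
    }
}

Get-RebootRequiredUri | Format-Table -AutoSize
```

Run it on a device that rebooted during the technician phase of Autopilot; the rows marked IsDeviceLock are the ones you would expect to correspond to the five CIS password settings listed below.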

| CIS control | Description |
|---|---|
| 1.1.1 | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' |
| 1.1.2 | (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' |
| 1.1.3 | (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' |
| 1.1.4 | (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' |
| 1.1.5 | (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' |

Solutions:

Settings Catalog:

Create a separate Settings Catalog policy containing these five settings, scope it to the "User" context, and assign it to a user group rather than to devices.

Win32 App:

Package these settings as a Win32 app. The install script exports the current local security policy, rewrites the five password values, and applies the result with secedit:

```powershell
# Export the current local security policy, rewrite the five CIS password values, then re-apply it
secedit /export /cfg secedit.cfg /areas securitypolicy user_rights
$secedit = Get-Content secedit.cfg
$secedit = $secedit -replace "PasswordHistorySize.*", "PasswordHistorySize = 24" <# 1.1.1 Enforce password history #> `
    -replace "MaximumPasswordAge.*", "MaximumPasswordAge = 365" <# 1.1.2 Maximum password age #> `
    -replace "MinimumPasswordAge.*", "MinimumPasswordAge = 1" <# 1.1.3 Minimum password age #> `
    -replace "MinimumPasswordLength.*", "MinimumPasswordLength = 14" <# 1.1.4 Minimum password length #> `
    -replace "PasswordComplexity.*", "PasswordComplexity = 1" <# 1.1.5 Password must meet complexity requirements #>

# secedit templates are Unicode (UTF-16); Out-File's default encoding differs between Windows PowerShell and PowerShell 7
$secedit | Out-File seceditnew.cfg -Encoding unicode
secedit /configure /cfg seceditnew.cfg /db seceditnew.sdb /areas securitypolicy user_rights
gpupdate /force
```

The detection script (detect.ps1) exports the policy again and checks it for the same values the install script sets; if the expected values do not match the install script, Intune will never report the app as installed:

```powershell
# Export the applied local security policy and compare it with the expected values
secedit /export /cfg secedit.cfg /areas securitypolicy | Out-Null
$secedit = Get-Content secedit.cfg
$settings = @(
  "PasswordHistorySize = 24",   # Enforce password history: 24
  "MaximumPasswordAge = 365",   # Maximum password age: 365
  "MinimumPasswordAge = 1",     # Minimum password age: 1
  "MinimumPasswordLength = 14", # Minimum password length: 14
  "PasswordComplexity = 1"      # Password complexity: Enabled
)

# Normalise whitespace around "=" so "Key=1" and "Key = 1" compare equal
$normalized = $secedit | ForEach-Object { ($_ -replace '\s*=\s*', ' = ').Trim() }
$missing = $settings | Where-Object { $normalized -notcontains $_ }

# Intune treats exit 0 with output as "detected"; exit 1 as "not detected"
if ($missing) { Write-Output "Missing: $($missing -join ', ')"; exit 1 }
Write-Output "CIS password settings present"
exit 0
```

Because this Win32 app is assigned to "All Devices", set "Only fail selected blocking apps in technician phase" to No in the Enrollment Status Page (ESP) profile.
