Windows 10 nonpersistent VM sessions must not exceed 24 hours.

STIG ID: WN10-00-000250  |  SRG: SRG-OS-000185-GPOS-00079 |  Severity: medium |  CCI: CCI-001199 |  Vulnerability Id: V-220738 | 

Vulnerability Discussion

For virtual desktop implementations (VDIs) where the virtual desktop instance is deleted or refreshed upon logoff, the organization should enforce that sessions be terminated within 24 hours. This would ensure any data stored on the VM that is not encrypted or covered by Credential Guard is deleted.

Check

Ensure there is a documented policy or procedure in place that nonpersistent VM sessions do not exceed 24 hours. If the system is NOT a nonpersistent VM, this is Not Applicable.

If no such documented policy or procedure is in place, this is a finding.

Fix

Set nonpersistent VM sessions to not exceed 24 hours.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.