The convenience PIN for Windows 11 must be disabled.

STIG ID: WN11-CC-000370  |  SRG: SRG-OS-000095-GPOS-00049 |  Severity: medium |  CCI: CCI-000381 |  Vulnerability Id: V-253423 | 

Vulnerability Discussion

This policy controls whether a domain user can sign in using a convenience PIN to prevent enabling (Password Stuffer).

Check

If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\System

Value Name: AllowDomainPINLogon
Value Type: REG_DWORD
Value data: 0

Fix

Disable the convenience PIN sign-in.

To correct this, configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> Set "Turn on convenience PIN sign-in" to "Disabled".