Windows Ink Workspace must be configured to disallow access above the lock.

STIG ID: WN11-CC-000385  |  SRG: SRG-OS-000031-GPOS-00012 |  Severity: medium (CAT II)  |  CCI: CCI-000060 |  Vulnerability Id: V-253424

Vulnerability Discussion

This action secures Windows Ink, which contains applications and features oriented toward pen computing.

Note: A different registry location is needed when systems are managed by Intune versus GPO.

Check

If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\WindowsInkWorkspace (For GPO-managed systems)
Or
Registry Path: \SOFTWARE\Microsoft\PolicyManager\current\device\WindowsInkWorkspace (For Intune-managed systems)

Value Name: AllowWindowsInkWorkspace
Value Type: REG_DWORD
Value data: 1

Fix

Disable the convenience PIN sign-in.

For GPO-managed systems:

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Ink Workspace >> Set "Allow Windows Ink Workspace" to "Enabled and set Options On, but disallow access above lock".

For Intune-managed systems:

Set the Windows Ink Workspace Policy to disallow access above lock.