diff --git a/.rubocop.yml b/.rubocop.yml index 873a294..bbd8aad 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -19,10 +19,14 @@ MethodLength: NumericLiterals: MinDigits: 10 Metrics/BlockLength: - Max: 35 + Max: 75 Metrics/CyclomaticComplexity: Max: 10 Metrics/PerceivedComplexity: Max: 10 Metrics/AbcSize: Max: 30 +# Lint/AmbiguousBlockAssociation is incompatible with RSpec +# https://github.com/rubocop-hq/rubocop/issues/4222 +Lint/AmbiguousBlockAssociation: + Enabled: false diff --git a/Rakefile b/Rakefile index 50b8a28..7564b26 100644 --- a/Rakefile +++ b/Rakefile @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'rake/testtask' require 'rubocop/rake_task' diff --git a/controls/account_policies.rb b/controls/account_policies.rb index dc94a48..838a223 100644 --- a/controls/account_policies.rb +++ b/controls/account_policies.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + title 'account policies' control 'windows-001' do @@ -43,7 +45,7 @@ its('MaximumPasswordAge') { should be <= attribute('maximum_password_age') } end describe security_policy do - its('MaximumPasswordAge') { should be > 0 } + its('MaximumPasswordAge') { should be.positive? } end end @@ -176,7 +178,7 @@ its('LockoutBadCount') { should be <= 10 } end describe security_policy do - its('LockoutBadCount') { should be > 0 } + its('LockoutBadCount') { should be.positive? } end end diff --git a/controls/administrative_templates_computer.rb b/controls/administrative_templates_computer.rb index b47e8f9..95db17e 100644 --- a/controls/administrative_templates_computer.rb +++ b/controls/administrative_templates_computer.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + title 'Administrative Templates (Computer)' control 'windows-175' do diff --git a/controls/administrative_templates_user.rb b/controls/administrative_templates_user.rb index a665a3d..054e6a4 100644 --- a/controls/administrative_templates_user.rb +++ b/controls/administrative_templates_user.rb 
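Review bot: `should be.positive?` in the second hunk of controls/account_policies.rb no longer asserts anything about MaximumPasswordAge, because `.positive?` is sent to the object returned by `be` rather than to the policy value, so the example most likely errors out instead of comparing against zero. The same rewrite appears on LockoutBadCount in the third hunk of this file and as `should cmp.positive?` in controls/local_policies.rb. Keep the operator form, `its('MaximumPasswordAge') { should be > 0 }`, and switch off the cop that produced the rewrite (presumably Style/NumericPredicate) for `controls/` in .rubocop.yml, so the baseline still fails when the policy value is zero. The affected describe blocks sit inside controls that start outside the hunks.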
@@ -1,3 +1,5 @@ +# frozen_string_literal: true + title 'Administrative Templates (User)' control 'windows-360' do @@ -15,7 +17,7 @@ ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html' ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html' ref 'Center for Internet Security', url: 'https://www.cisecurity.org/' - registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| x.to_s + '\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop' }.each do |entry| + registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| "#{x}\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop" }.each do |entry| describe registry_key(entry) do it { should exist } it { should have_property 'ScreenSaveActive' } @@ -39,7 +41,7 @@ ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html' ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html' ref 'Center for Internet Security', url: 'https://www.cisecurity.org/' - registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| x.to_s + '\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop' }.each do |entry| + registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| "#{x}\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop" }.each do |entry| describe registry_key(entry) do it { should exist } it { should have_property 'SCRNSAVE.EXE' } 
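Review bot: The per-user controls in controls/administrative_templates_user.rb only test the SID keys that `registry_key(hive: 'HKEY_USERS').children(...)` returns, and HKEY_USERS lists only the profiles whose hives are loaded at scan time; when nothing matches, the `.each` body never runs and the control defines no test at all. This applies to every hunk of this file that touches that line, starting with the ScreenSaveActive hunk. Consider enumerating once into a local and asserting on it first, e.g. `describe(user_keys) { it { should_not be_empty } }`, so an empty enumeration shows up as a failure rather than as a control without results. The pattern also anchors with `^`/`$`, which match per line in Ruby; `\A`/`\z` pin the whole key name. The controls start and end outside the hunks.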
@@ -63,7 +65,7 @@
 ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
 ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
 ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
- registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| x.to_s + '\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop' }.each do |entry|
+ registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| "#{x}\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop" }.each do |entry|
 describe registry_key(entry) do
 it { should exist }
 it { should have_property 'ScreenSaverIsSecure' }
@@ -87,17 +89,11 @@
 ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
 ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
 ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
- registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| x.to_s + '\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop' }.each do |entry|
+ registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| "#{x}\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop" }.each do |entry|
 describe registry_key(entry) do
 it { should exist }
 it { should have_property 'ScreenSaveTimeOut' }
 its('ScreenSaveTimeOut') { should cmp <= 900 }
- end
- end
- registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| x.to_s + '\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop' }.each do |entry|
- describe registry_key(entry) do
- it { should exist }
- it { should have_property 'ScreenSaveTimeOut' }
 its('ScreenSaveTimeOut') { should_not eq 0 }
 end
 end
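Review bot: `its('ScreenSaveTimeOut') { should_not eq 0 }`, now the last expectation of the merged describe block, uses the strict `eq` matcher while the line above it uses InSpec's type-lenient `cmp`. If the registry property comes back as a string (not visible from this hunk), `"0"` is never `eq 0` and a zero timeout passes the control. Use `its('ScreenSaveTimeOut') { should_not cmp 0 }` so both bounds are compared the same way. The enclosing control starts outside the hunk.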
@@ -118,7 +114,7 @@
 ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
 ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
 ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
- registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| x.to_s + '\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications' }.each do |entry|
+ registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| "#{x}\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications" }.each do |entry|
 describe registry_key(entry) do
 it { should exist }
 it { should have_property 'NoToastApplicationNotificationOnLockScreen' }
@@ -145,7 +141,7 @@
 only_if('This Control only executes if attribute(\'level_1_or_2\') is set to 2') do
 attribute('level_1_or_2') == 2
 end
- registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| x.to_s + '\\Software\\Policies\\Microsoft\\Assistance\\Client\\1.0' }.each do |entry|
+ registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| "#{x}\\Software\\Policies\\Microsoft\\Assistance\\Client\\1.0" }.each do |entry|
 describe registry_key(entry) do
 it { should exist }
 it { should have_property 'NoImplicitFeedback' }
@@ -169,7 +165,7 @@
 ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
 ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
 ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
- registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| x.to_s + '\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments' }.each do |entry|
+ registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| "#{x}\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments" }.each do |entry|
 describe registry_key(entry) do
 it { should exist }
 it { should have_property 'SaveZoneInformation' }
@@ -193,7 +189,7 @@
 ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
 ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
 ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
- registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| x.to_s + '\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments' }.each do |entry|
+ registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| "#{x}\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments" }.each do |entry|
 describe registry_key(entry) do
 it { should exist }
 it { should have_property 'ScanWithAntiVirus' }
@@ -219,7 +215,7 @@
 only_if('Only for Windows Server 2016, 2019 and if attribute(\'level_1_or_2\') is set to 2') do
 (((os[:name].include? '2016') || (os[:name].include? '2019')) && attribute('level_1_or_2') == 2)
 end
- registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| x.to_s + '\\Software\\Policies\\Microsoft\\Windows\\CloudContent' }.each do |entry|
+ registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| "#{x}\\Software\\Policies\\Microsoft\\Windows\\CloudContent" }.each do |entry|
 describe registry_key(entry) do
 it { should exist }
 it { should have_property 'ConfigureWindowsSpotlight' }
@@ -245,7 +241,7 @@
 only_if('Only for Windows Server 2016, 2019') do
 ((os[:name].include? '2016') || (os[:name].include? '2019'))
 end
- registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| x.to_s + '\\Software\\Policies\\Microsoft\\Windows\\CloudContent' }.each do |entry|
+ registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| "#{x}\\Software\\Policies\\Microsoft\\Windows\\CloudContent" }.each do |entry|
 describe registry_key(entry) do
 it { should exist }
 it { should have_property 'DisableThirdPartySuggestions' }
@@ -271,7 +267,7 @@
 only_if('Only for Windows Server 2016, 2019 and if attribute(\'level_1_or_2\') is set to 2') do
 (((os[:name].include? '2016') || (os[:name].include? '2019')) && attribute('level_1_or_2') == 2)
 end
- registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| x.to_s + '\\Software\\Policies\\Microsoft\\Windows\\CloudContent' }.each do |entry|
+ registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| "#{x}\\Software\\Policies\\Microsoft\\Windows\\CloudContent" }.each do |entry|
 describe registry_key(entry) do
 it { should exist }
 it { should have_property 'DisableWindowsSpotlightFeatures' }
@@ -297,7 +293,7 @@
 only_if('Only for Windows Server 2016, 2019 and if attribute(\'level_1_or_2\') is set to 2') do
 (((os[:name].include? '2016') || (os[:name].include? '2019')) && attribute('level_1_or_2') == 2)
 end
- registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| x.to_s + '\\Software\\Policies\\Microsoft\\Windows\\CloudContent' }.each do |entry|
+ registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| "#{x}\\Software\\Policies\\Microsoft\\Windows\\CloudContent" }.each do |entry|
 describe registry_key(entry) do
 it { should exist }
 it { should have_property 'DisableWindowsSpotlightFeatures' }
@@ -321,7 +317,7 @@
 ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
 ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
 ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
- registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| x.to_s + '\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer' }.each do |entry|
+ registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| "#{x}\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" }.each do |entry|
 describe registry_key(entry) do
 it { should exist }
 it { should have_property 'NoInplaceSharing' }
@@ -349,7 +345,7 @@ ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html' ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html' ref 'Center for Internet Security', url: 'https://www.cisecurity.org/' - registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| x.to_s + '\\Software\\Policies\\Microsoft\\Windows\\Installer' }.each do |entry| + registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| "#{x}\\Software\\Policies\\Microsoft\\Windows\\Installer" }.each do |entry| describe registry_key(entry) do it { should exist } it { should have_property 'AlwaysInstallElevated' } @@ -376,7 +372,7 @@ only_if('This Control only executes if attribute(\'level_1_or_2\') is set to 2') do attribute('level_1_or_2') == 2 end - registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| x.to_s + '\\Software\\Policies\\Microsoft\\WindowsMediaPlayer' }.each do |entry| + registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| "#{x}\\Software\\Policies\\Microsoft\\WindowsMediaPlayer" }.each do |entry| describe registry_key(entry) do it { should exist } it { should have_property 'PreventCodecDownload' } diff --git a/controls/advanced_audit_policy_configuration.rb b/controls/advanced_audit_policy_configuration.rb index 7260204..aec26d2 100644 --- a/controls/advanced_audit_policy_configuration.rb +++ b/controls/advanced_audit_policy_configuration.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + title 'Advanced Audit Policy Configuration' control 'windows-146' do 
diff --git a/controls/advanced_windows_security_from_best_practices.rb b/controls/advanced_windows_security_from_best_practices.rb index 0ee9122..3ddde08 100644 --- a/controls/advanced_windows_security_from_best_practices.rb +++ b/controls/advanced_windows_security_from_best_practices.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + title 'advanced windows security from best practices' # control 'windows-base-100' do diff --git a/controls/local_policies.rb b/controls/local_policies.rb index f994a73..5fc18b2 100644 --- a/controls/local_policies.rb +++ b/controls/local_policies.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + title 'local policies' control 'windows-010' do @@ -911,7 +913,7 @@ only_if('This Control only executes if attribute(\'ms_or_dc\') is set to MS') do attribute('ms_or_dc') == 'MS' end - describe(users.where { uid =~ /S\-1\-5\-21\-\d+\-\d+\-\d+\-500/ }) do + describe(users.where { uid =~ /S-1-5-21-\d+-\d+-\d+-500/ }) do it { should exist } it { should be_disabled } end @@ -959,7 +961,7 @@ only_if('This Control only executes if attribute(\'ms_or_dc\') is set to MS') do attribute('ms_or_dc') == 'MS' end - describe(users.where { uid =~ /S\-1\-5\-21\-\d+\-\d+\-\d+\-501/ }) do + describe(users.where { uid =~ /S-1-5-21-\d+-\d+-\d+-501/ }) do it { should exist } it { should be_disabled } end @@ -1306,7 +1308,7 @@ describe registry_key('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters') do it { should exist } it { should have_property 'MaximumPasswordAge' } - its('MaximumPasswordAge') { should cmp > 0 } + its('MaximumPasswordAge') { should cmp.positive? } end describe registry_key('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters') do it { should exist } diff --git a/controls/windows_firewall_with_advanced_security.rb b/controls/windows_firewall_with_advanced_security.rb index 670254c..c2a2848 100644 --- a/controls/windows_firewall_with_advanced_security.rb 
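Review bot: The pattern in `users.where { uid =~ /S-1-5-21-\d+-\d+-\d+-500/ }` (the -911 hunk of controls/local_policies.rb) is unanchored, so it also selects any account whose RID merely starts with 500, such as a SID ending in -5001. `it { should be_disabled }` is then evaluated against ordinary accounts as well as the built-in Administrator, and the control can fail for the wrong reason. The -501 pattern in the next hunk has the same gap. Anchor both, e.g. `uid =~ /\AS-1-5-21-\d+-\d+-\d+-500\z/`. The controls begin and end outside the hunks.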
+++ b/controls/windows_firewall_with_advanced_security.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + title 'windows firewall with advanced policy' control 'windows-120' do