Security baseline for Windows 10 "Fall Creators Update" (v1709) – DRAFT

Microsoft is pleased to announce the draft release of the recommended security configuration baseline settings for Windows 10 “Fall Creators Update,” also known as version 1709, “Redstone 3,” or RS3. Please evaluate this proposed baseline and send us your feedback via blog comments below.

(Note: the final version of this baseline was published here.)

The downloadable attachment to this blog post includes importable GPOs, scripts for applying the GPOs to local policy, custom ADMX files for Group Policy settings, and all the recommended settings in spreadsheet form. The spreadsheet also includes the corresponding settings for configuring through Windows’ Mobile Device Management (MDM).

The differences between this baseline and that for Windows 10 v1703 (a.k.a., “Creators Update,” “Redstone 2”, RS2) are:

  • Implementing Attack Surface Reduction rules within Windows Defender Exploit Guard. Exploit Guard is a new feature of v1709 that helps prevent a variety of actions often used by malware. You can read more about Exploit Guard here: Reduce attack surfaces with Windows Defender Exploit Guard. Note that for this draft, we are enabling “block” mode for all of these settings. We are taking a particularly careful look at the “Block office applications from injecting into other process;” if it creates compatibility problems then we might change the baseline recommendation to “audit” mode for that setting. Please let us know what you observe with this draft baseline.
  • Enabling Exploit Guard’s Network Protection feature to prevent any application from accessing web sites identified as dangerous, including those hosting phishing scams and malware. This extends the type of protection offered by SmartScreen to all programs, including third-party browsers.
  • Enabling a new setting that prevents users from making changes to the Exploit protection settings area in the Windows Defender Security Center.

We also recommend enabling Windows Defender Application Guard. Our testing has proven it to be a powerful defense. We would have included it in this baseline, but its configuration settings are organization-specific.

The old Enhanced Mitigation Experience Toolkit (EMET) add-on is not supported on Windows 10 v1709. Instead, we offer Windows Defender Exploit Guard’s Exploit Protection, which is now a built-in, fully-configurable feature of Windows 10. Exploit Protection brings the granular control you remember from EMET into a new, modern feature. Our download package includes a pre-configured, customizable XML file to help you add exploit mitigations to many common applications. You can use it as-is, or customize it for your own needs. Note that you configure the corresponding Group Policy setting by specifying the full local or server file path to the XML file. Because our baseline cannot specify a path that works for everyone, it is not included in the baseline packages GPOs – you must add it yourself.

As mentioned above, we invite and appreciate your feedback on this draft baseline. We plan to publish the final baseline for v1709 within two weeks.

Comments

  • Anonymous
    October 02, 2017
    Will System Center Configuration Manager CB be able to manage the latest version of Windows Defender and the new features?
  • Anonymous
    October 02, 2017
    Great overview, however I'm missing particular Windows 10 RS3 security features like Application Guard and Exploit Guard settings.[Aaron Margosis] The blog post explains both - you have to configure them for your own environment. There isn't a "one size fits all" baseline we can provide for those.
  • Anonymous
    October 03, 2017
    If someone attempts to attack a system with both features enabled, and the attack is blocked what system events should I expect to see in the Windows event logs?Will SCCM or Intune automatically alert on the failed attacks?
    • Anonymous
      October 04, 2017
      +1 for @Robert Rathbun question - can you pls explain how an admin is alerted?
  • Anonymous
    October 04, 2017
    I agree with Ronny, even though this has to be suited for specific business scenarios, could Microsoft's internal implementation be published as a lead? Not asking for domains specific to be compromised, but an example including the nature of domains that are trusted etc. and what domains are not. I've seen examples where Google is trusted but not the landing page which seems like a good idea.Great work posting baseline DRAFT prior to release. Hope the FINAL version can be ready before 1709 is CBB.
  • Anonymous
    October 04, 2017
    Is the Defender policy meant to be used on systems managed by SCCM?[Aaron Margosis] Why wouldn't it be?
    • Anonymous
      October 13, 2017
      Is it redundant or would it interfere with settings pushed out by SCCM.
      • Anonymous
        October 19, 2017
        SCCM uses local Group policy to manage Defender. Group Policies would override SCCM settings.
  • Anonymous
    October 10, 2017
    There is no .admx Template for Windows Defender Security Center. The policy setting is shown as the "Extra Registry Setting".During an import, the Import Settings Wizard asks for the "Migrating References" which means that the policy contains references to security principals. It would be great to correct the issues in the "FINAL" version.[Aaron Margosis] Make sure you're running on a v1709 system or have the v1709 ADMX files. There are new settings in v1709 that aren't represented in the ADMX files from earlier Windows versions.
    • Anonymous
      October 10, 2017
      I have in mind the "MSFT Windows 10 RS3 - Computer" GPO.
  • Anonymous
    October 17, 2017
    Is there any documentation on how to add these to GPO repositories?They are not in the normal msi to unpack the templates etc.[Aaron Margosis] The GPO backups can be imported in Active Directory Group Policy, or you can use the scripts in the package along with LGPO.exe to apply them to local Group Policy. The ADMX/ADML files can simply be copied into the policy definition repository you use now.
  • Anonymous
    October 17, 2017
    Does anyone know when the new admx files for group policy will be released for 1709? We were told that they were supposed to be released when 1709 goes public. There is a new option call "Do not allow update deferral policies to cause scans against Windows Update" that is supposed to fix machines from randomly upgrading and bypassing WSUS.https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/[Aaron Margosis] They're here: https://www.microsoft.com/en-us/download/details.aspx?id=56121
  • Anonymous
    October 17, 2017
    When is the final baseline for v1709 available?[Aaron Margosis] Right now!
    • Anonymous
      October 18, 2017
      Thanks for your work!