Security baseline for Windows 10 (“Threshold 2”) – DRAFT

[Removing the attachment from this post. Please see updated baseline content for Windows 10 v1507 (TH1) and Windows 10 v1511 (TH2).]

Microsoft is pleased to announce the beta release of the security baseline settings for Windows 10 version 1511 (Build 10586, a.k.a., “Version 1511,” “Threshold 2,” “TH2,” “November Update”) along with updated baseline settings for Internet Explorer 11. Note that we are also separately releasing final guidance for the original Windows 10 release, build 10240, a.k.a., “Version 1507,” “Threshold 1” or “TH1.” The only differences between the TH1 final and the TH2 draft are the new settings that apply only to TH2.

The downloadable attachment to this blog post includes importable GPOs, tools for applying the GPOs to local GPO, custom ADMX files for Group Policy settings, and all the settings in spreadsheet form. We will also be publishing SCM .CAB files for this Windows 10 baseline shortly, and will announce their availability on the Security Guidance blog. (Note that we will not be providing updated SCM .CAB files for the IE11 guidance. For that content, see the attachment on this blog post.)

We will post shortly about technical details and issues in the baselines.

[Attachment updated, 15-Nov-2015 15:42 US Eastern to address minor issues.]

Comments

  • Anonymous
    November 17, 2015
    Will there be an update to SCM that provides an updated LocalGPO.exe that works with Windows 10 as well? [Aaron Margosis] Even better than that. Check inside the download attachment for LGPO.exe. That's a pre-release version of a new tool I'm writing and plan to release soon. Run it without parameters to see the options.

  • Anonymous
    November 18, 2015
    Thanks Aaron. I guess what I was looking for was the capability to export a LGPO which the LocalGPO.exe was able to provide via the LocalGPO.wsf /export command. This has been helpful in the past when creating GPOPacks for our MDT2013u1 system. Will the LGPO.exe tool eventually provide that? [Aaron Margosis] Yes. I just added a /b option to export local policy to a GPO backup. I also added a /g option that imports one or more GPO backups from a specified directory. Not quite the same as "GPOPacks," as it doesn't include the tool in every pack, but all the functionality is available. Also LGPO.exe is a single executable and not a directory full of files as LocalGPO is.

  • Anonymous
    November 18, 2015
    Yay!

  • Anonymous
    November 19, 2015
    Good work guys and gals!

    One question though, ComputerWindows ComponentsMicrosoft Edge:
    Turn off the SmartScreen Filter Enabled - shouldn't it be the other way around or am i missing something?
    Turn off Password Manager Disabled the text is a bit confusing :)

    Kind regards,
    Mikael [Aaron Margosis] Yeah, unfortunately the setting names and the meanings of the Enabled/Disabled options aren't exactly what those of us who spend a lot of time in group policies would expect. Read the description text carefully. Might be a blog post on this topic in the near future. But yes, the settings in the baseline are the correct ones.

  • Anonymous
    November 24, 2015
    We are seeing an issue on W10.1511 where the PC is not able to grab a new IP after the baseline policy is applied. Anyone else seeing this? We've reproduced in multiple locations on multiple networks with multiple devices. Thoughts on what policy setting might be causing this? I'm able to workaround this by hard coding the TCP/IP settings and then removing the policy and forcing a gpupdate. [Aaron Margosis] That sounds like the firewall settings for "Allow unicast response".

  • Anonymous
    November 27, 2015
    Hi, perhaps this is a bug, we found that IE / Edge does not respect the Current User (certmgr.msc) - Untrusted Certificate in 1511 version. [Aaron Margosis] Can you provide some detailed repro steps? Thanks.

  • Anonymous
    November 27, 2015
    We can found: Open Edge or IE to enter https://www.cnnic.cn, this website's certificate is signed by CNNIC ROOT, and then exit. Run certmgr.msc(Current user's certificates manager), export the CNNIC ROOT from Trusted Root Certification Authorities and import it to Untrusted Certificates. Open Edge/IE to enterhttps://www.cnnic.cn again, both of them can't block the visit.
    It seem that Edge/IE does not respect the current user's Untrusted Certificate in 1511 version, because when importing this root certificate to local machine's Untrusted Certificate(certlm.msc) both of them can block the visit. Also there is no problem in Edge/IE before 1511 version and other browsers like Google Chrome.

  • Anonymous
    December 16, 2015
    Has the SCM been released yet for TH2? My company is anxious to get started on this, but I'd like to start with the TH2 SCM. [Aaron Margosis] It hasn't been released yet. Is there a reason that your company cannot proceed with the material attached to this blog post?

  • Anonymous
    December 16, 2015
    I tried the /g option on the LGPO.exe but it says there is no such option. Is this function available yet in the LGPO.exe that is packaged in this posts's attachment? [Aaron Margosis] The version with that feature has not yet been released publicly. Still working on that and other improved features. Expecting to release in early January.

  • Anonymous
    December 16, 2015
    I just thought that it would be better to wait for the SCM if it wasn't too far off [Aaron Margosis] (In my opinion,) SCM won't give you anything important that the already-published baseline content doesn't. And because of limitations in the SCM tool, the SCM baseline will be missing a couple of settings as described here. I'd recommend moving forward with the already-published material.

  • Anonymous
    December 16, 2015
    I found that the material attached in this TH2 post contains only a smaller subset of group policy settings compared to the Windows 10 SCM beta. For example the Win10 Computer Security Compliance 1.0 GPO in SCM Beta contains 500+ unique settings whereas the SCM Windows 10 TH2 - Computer 0.0 GPO here only has 150 unique settings.

    Wouldn't it be better to start with the SCM Beta as opposed to the material attached in this post? I found that some of the group policy settings overlap, at first I thought TH2 only contained the differences/changes from SCM Beta but this doesn't seem to be the case. Would it make sense to somehow merge the settings from the two posts? [Aaron Margosis] The SCM .cab file includes data on tons of settings that are "Not Configured." Those settings never appear in any GPO export. The Excel spreadsheet in the download on the blog post lists all available settings, including those for which we do not specify configuration recommendations.

  • Anonymous
    December 22, 2015
    I guess my Company will/must stay longer at Win7.
    Are documented default settings same for IE11 running in Win7 and Win10?
    Thanks a lot. [Aaron Margosis] Why do they need to stay on Win7? As far as I know, IE11 defaults are the same on all platforms. In many cases, the documented defaults are a best-effort approach and may not be 1000% accurate.

  • Anonymous
    January 05, 2016
    Any update on when the SCM .CAB files will be released? We use SCM for settings review prior to implementation and the last release on Microsoft Connect: Windows 10 Security Compliance Baseline was from 11/2 (for the beta) and your post indicated: "We will also be publishing SCM .CAB files for this Windows 10 baseline shortly, and will announce their availability on the Security Guidance blog." Thanks! [Aaron Margosis] Date not set yet. What will SCM give you that you can't get from the content attached to this blog post?

  • Anonymous
    January 07, 2016
    The comment has been removed

    • Anonymous
      May 04, 2016
      Trying to import the GPO backups into Group Policy Manager and I don't see them. Group Policy Objects->Manage Backups. I browse to the directory and get nothing. I tried copying them into backup path for my existing GPOs and still can't see the TH2 GPOs. I'm sure it's me, what am I doing wrong?[Aaron Margosis] I'm not an AD expert, but try this: create an empty GPO, right-click, Import Settings... and go through that wizard.(Sorry for the delay in responding -- when they changed the blog platform I stopped getting notifications about pending comments.)
  • Anonymous
    January 10, 2016
    These settings turn on 'Enhanced Protected Mode'. When using roaming profiles on 1511 (or 1507 with patch 3116869 or later) a few things are failing (mostly IE and Edge) when 'Turn on Enhanced Protected Mode' is enabled. The first logon is OK but subsequent logons show the issues, if you delete the %LOCALAPPDATA%MicrosoftWindowsUsrClass.dat file from the affected profile the issues are mostly resolved until the next logon. This is still an issue in build 11082.1000.

  • Anonymous
    January 20, 2016
    The comment has been removed

  • Anonymous
    January 21, 2016
    Do you have the new version of LGPO.exe that has the /g option? I was able to use SCM to create a GPO of the settings I want, but now can't import them. Thanks for you work on this! [Aaron Margosis] Yes, it was posted earlier today: http://blogs.technet.com/b/secguide/archive/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0.aspx

  • Anonymous
    January 27, 2016
    This is all new to me, would appreciate some guidance. Has the latest policy been released in a .cab file? So i can import this into SCM?
    Is there online tutiorals to find out more about SCM?

    Thanks,
    firaz [Aaron Margosis] First, there is updated baseline content here. The download on that post is also designed to be used outside of SCM, for which cab files are still coming. You might also be interested in two new tools that help fill the gaps left by SCM: LGPO.exe and Policy Analyzer.