Security baseline for Windows 10 (v1511, "Threshold 2") -- FINAL

Microsoft is pleased to announce the final release of the security configuration baseline settings for Windows 10 version 1511, also known as "November Update," "Build 10586," "Threshold 2," or "TH2." The downloadable attachment to this blog post includes importable GPOs, tools for applying the GPOs to local Group Policy, custom ADMX files for Group Policy settings, and all the settings in spreadsheet form. We will also be publishing SCM .CAB files for this Windows 10 baseline shortly and will announce their availability on the Security Guidance blog. (Note that we will not be providing updated SCM .CAB files for the IE11 guidance. For that content, see the attachment on this blog post.)

These are the updates we have made since the draft release in November, following continuing discussions with security experts in Microsoft, the Center for Internet Security, and customers:

  • Enabled "Turn off Microsoft consumer experiences," which is a new setting as of version 1511.
  • Removed configuration of "Allow unicast response" from all three Windows Firewall profiles, as disallowing unicast response regularly causes DHCP address acquisition to fail. The threat it is supposed to protect against is minuscule.
  • Removed the restrictions on the number of cached logons. Cached logon verifiers are difficult to break, particularly on Windows Vista and newer. (The DISA STIG has also removed this restriction.)
  • Removed the screen saver timeout from User configuration, as the computer-wide "Interactive logon: Machine inactivity limit" setting removes that need.
  • Removed all EMET settings from the baseline for the time being. Configuration settings in the upcoming version of EMET will be in a different format from that of the existing EMET 5.5 beta.
  • Removed the configuration setting for "Recovery console: Allow automatic administrative logon." This setting has been obsolete since Windows XP and its removal just got missed until now.
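
The following PowerShell audit is an added example, not code from the original post or from the baseline package: it checks a machine for the settings the list above changed between the draft and the final baseline. The registry paths are the standard policy locations for these settings, and the expected values are the ones the post states.

```powershell
# Added example (not code from the original post or the baseline package): audit a
# Windows 10 machine for the four settings the final 1511 baseline changed from the
# draft, reading the policy registry locations and the effective firewall profiles.
# Run from an elevated PowerShell prompt.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # an absent value means the policy is not configured
}

$report = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Setting, $Actual, [string]$Expected, [bool]$Ok) {
    $report.Add([pscustomobject]@{ Setting = $Setting; Actual = $Actual; Expected = $Expected; Ok = $Ok })
}

# 1. "Turn off Microsoft consumer experiences" (new in 1511): the baseline enables it.
$v = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent' 'DisableWindowsConsumerFeatures'
Add-Finding 'Turn off Microsoft consumer experiences' $v 'Enabled (1)' ($v -eq 1)

# 2. "Allow unicast response": the baseline no longer configures it, because forcing it
#    off breaks DHCP address acquisition. Flag any profile where policy still forces it off.
#    ActiveStore shows the effective setting after Group Policy is applied.
foreach ($profile in Get-NetFirewallProfile -PolicyStore ActiveStore) {
    $u = $profile.AllowUnicastResponseToMulticast
    Add-Finding "Allow unicast response ($($profile.Name) profile)" $u 'Not forced to False' ($u -ne 'False')
}

# 3. Cached logons: the restriction was removed, so any value is acceptable; report it.
$c = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
Add-Finding 'Number of previous logons to cache' $c 'Any (Windows default is 10)' $true

# 4. "Interactive logon: Machine inactivity limit" replaces the per-user screen saver
#    timeout, so it must be configured (non-zero seconds) for that removal to be safe.
$t = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
Add-Finding 'Interactive logon: Machine inactivity limit' $t 'Configured, > 0 seconds' ([int]$t -gt 0)

$report | Format-Table -AutoSize
```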

Windows 10 TH2 Security Baseline.zip

Comments

  • Anonymous
    January 24, 2016
    Thanks, great timing, looking forward to the cab-files :)

    (The zip is lacking GP Reports though.)
    [Aaron Margosis] Thanks for catching that. The attachment has been updated. (I had to rename the zip file to get the blog platform to realize that there was a change.)

  • Anonymous
    January 24, 2016
    "Removed configuration of "Allow unicast response" from all three Windows Firewall profiles, as disallowing unicast response regularly causes DHCP address acquisition to fail. The threat it is supposed to protect against is miniscule."

    Sounds good. We had some issues with recently deployed machines. I'll implement this new policy set and check if this fixes the DHCP issues.

  • Anonymous
    January 25, 2016
    How do we import into SCM? The file is downloading as a .zip, but you mention that you had uploaded the cab.
    [Aaron Margosis] This download is independent of and separate from SCM. The .cab file will be coming soon and will be announced here, but it's not available yet.

  • Anonymous
    January 26, 2016
    How do I import it into a domain GPO?
    What I'm going to do is create a dummy GPO object and just copy the relevant files from the GPOs directly to SYSVOL. Is that the right way to do it, or are there other methods?
    Thank you.
    [Aaron Margosis] Hi, Alexey! The zip file includes GPO backups. You can import those directly.

  • Anonymous
    February 02, 2016
    Fantastic stuff!

    I should have come back earlier! I finally pinpointed the "Allow Unicast" setting as the cause of the DHCP issues in my test build. It took a long time to pinpoint (but I learnt a lot; it's a beta, no hard feelings!), and I was writing up something with my test results to send in, but the beta was over!

    It's worth noting that there is a setting in TH2 that generally disallows unicast responses, but explicitly does not apply to DHCP settings. This one has been enabled in the baseline and I can confirm does not impact DHCP.

    Thanks for noting the settings that you changed, I'll update my baseline. Great work team!
    [Aaron Margosis] The setting disallowing unicast responses has been in our Windows Firewall guidance and that of others also (like the Center for Internet Security) for ages. I'm glad we're finally removing it. Re the setting that's supposed to disallow unicast but not for DHCP -- I think I know what you're referring to and I believe the documentation about that is just wrong. We saw something that was supposed to be a fix but we continued to see problems.

  • Anonymous
    February 22, 2016
    On a domain-based network but with the computer not joined to the domain, after applying this baseline using the local policy, and after removing "local user" from "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services", and after confirming that the existing inbound firewall rules for TCP/UDP 3389 for all profiles were enabled, I could not RDP into the machine until the computer had joined the domain. Is this a policy issue or a firewall issue? Could it be "Prohibit connection to non-domain networks when connected to domain authenticated network"? We have the need to develop a golden image via RDP without joining the domain while being attached to the domain network.
    [Aaron Margosis] Did you reboot after changing the user rights assignments, and did you go into System Properties (sysdm.cpl) / Remote and enable remote desktop connections?

  • Anonymous
    February 23, 2016
    Didn't need to do that because the user is a local admin and it was already populated. It started working for the local user only after doing the steps in my previous post. All RDP attempts were with a local account before and after joining the domain.
    [Aaron Margosis] OK. I posted those suggestions only after testing them myself and verifying that I could RDP using a local account without having to domain-join.

  • Anonymous
    February 29, 2016
    Hello,

    Any news about SCM baseline availability?
    Thanks.
    [Aaron Margosis] It's been posted. Run SCM and it will download automatically.

  • Anonymous
    March 01, 2016
    Applying this security baseline on a W10 client makes Maps stop working. The MapsBroker service runs as the Network Service account and this security baseline somehow prevents this service from starting. If, for instance, you change the service to start as Local System, it works OK. Does this happen to anyone else?
    [Aaron Margosis] How does Maps stop working? The MapsBroker ("Downloaded Maps Manager") service is marked as Automatic (Delayed Start). I see it in a stopped state on multiple machines, both with and without the baseline applied. If I start the service manually (e.g., sc start MapsBroker), it runs for a bit and then exits with an exit status of 0. If I start the Maps app, the MapsBroker service starts and remains running until several seconds after the Maps app is closed. The permissions on the service (AccessChk -l -c MapsBroker) grant Start and Stop permissions to Authenticated Users and to All Application Packages (UWP AppContainer apps). Maps can start the service whenever needed.

  • Anonymous
    March 02, 2016
    Thank you Aaron, reviewing my GPOs I realize we were setting the user rights assignment for the "Increase a process working set" privilege to NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators. Once I set it to "Not Configured", the MapsBroker service starts normally and the Maps Appx works without issues.

  • Anonymous
    March 03, 2016
    Hi,

    The guideline recommendation for UNC Hardening on SYSVOL is:
    \\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1

    However, when I use these settings I get an error when trying to apply some of the GPOs. I've seen more people with the same issue, and they solve it by setting the values to:
    \\*\SYSVOL RequireMutualAuthentication=0, RequireIntegrity=0
    See https://community.spiceworks.com/topic/1119601-windows-10-group-policy-issue

    What should the value be set to?

  • Anonymous
    March 03, 2016
    When applying the Win10-1511 Computer Security Compliance 1.0 section from SCM to a test computer, and then trying to set up a PIN in Settings > Accounts > Sign-in Options, I'm now presented with the error "Logon failure: the user has not been granted the requested logon type at this computer." The logged-in account is an admin. For the life of me I can't find which setting is causing this. Any ideas?

    Thanks.
    [Aaron Margosis] It's due to a bug in Windows that is being fixed in an upcoming release. The policy is the "Access this computer from the network" user rights assignment. The PIN feature itself doesn't require the network logon right, but when you set up the PIN, it asks you to re-enter your password to verify that the person setting up the PIN is the authorized user. When it does this, it validates the password by performing a local logon using the network logon type (LOGON32_LOGON_NETWORK, 3). If the user isn't granted the network logon type on the local computer, this test fails. The best workaround is to relax that assignment while setting up the PIN, and then after the PIN has been established, return the assignment to the value recommended in the baseline.

  • Anonymous
    March 31, 2016
    Was this baseline designed for corporations only, or could it be used on home workstations as well?
    [Aaron Margosis] It's intended primarily for well-managed enterprise computers. I guess it could be used on home computers as well, but I don't think we've had any feedback on use in those scenarios.

  • Anonymous
    April 17, 2016
    Please keep in mind standalone computers - we use SCM to configure standalone systems to comply with the DISA STIG settings. Right now it's done manually by massaging the baselines and using GPOPacks... we're still waiting for SCM import of STIGs (hint, hint)... and mandatory use of Windows 10 for these systems isn't far off.

  • Anonymous
    May 09, 2016
    Have the SCM CAB files for TH2 been released? It has been about half a year since the announcement.
    [Aaron Margosis] Yes. If you start SCM on an internet-connected computer it will download the CAB files for v1511. Note, though, that there are a couple of Advanced Auditing recommendations that SCM does not currently have a representation for. The download on this blog post is more complete. (Sorry for the delay in responding — when they changed the blog platform I stopped getting notifications about pending comments.)

    • Anonymous
      May 25, 2016
      I need the CAB files on a computer with no internet connection. Is there a way to download them from the web and transfer them to the offline computer via USB?
  • Anonymous
    May 25, 2016
    I need the CAB files for an offline computer; is there a place to download them from?
    Best regards
    [Aaron Margosis] Try these links:
    http://go.microsoft.com/fwlink/?LinkID=733510
    http://go.microsoft.com/fwlink/?LinkID=733512

  • Anonymous
    June 07, 2016
    Why does 1511 reset the local security policy "Network access: Let Everyone permissions apply to anonymous users" from Enabled back to Disabled? As far as I remember this is the first time that a user-defined security policy setting has been overwritten with an update of Windows?
    Mark.P
    [Aaron Margosis] I wasn't aware of that. Nor have I been aware of anyone configuring that to Enabled and restoring that ancient behavior.

    • Anonymous
      June 07, 2016
      Yes, unfortunately it does for us at clients running our software upon installing 1511. And we are not alone in relying on that switch being enabled. Have a look at McAfee Storage Scan running as a service. They face the same issue on scanners running with Windows 10. Follow the link and search for "everyoneincludesanonymous". https://kc.mcafee.com/corporate/index?page=content&id=KB81982&vse0814
      [Aaron Margosis] I'll probably get some heat for saying this, but I cannot understand how a product that purportedly serves the purpose of enhancing security justifies requiring the degrading of a security setting back to the state that existed prior to Windows XP Service Pack 2. SMH.
      • Anonymous
        June 09, 2016
        I totally agree with you. But the decision to use Anonymous-Login a long time ago in our product wasn't made by me. It just puzzles me that, although this is a user-defined setting with a known default, it is reverted back to the default by merely a Windows update. Organizations are usually not happy when Microsoft alters settings within the local security policy. As a side note, using anonymous login is restricted to named pipes and shares by default.
  • Anonymous
    June 20, 2016
    The GPOPack.WSF that is produced when creating a GPO pack (using LocalGPO.wsf) does not have Windows 10 support in its code, so it fails when using it to apply a GPOPack to a Windows 10 computer. (Says the operating system is not supported.)
    [Aaron Margosis] The LocalGPO tool hasn't been supported for a while. LGPO.exe is its replacement.

  • Anonymous
    July 12, 2016
    All, this baseline completely breaks the ability to see App Launcher icons or any other icon in the ribbon of Office 365. I have verified that the root cause is the Internet Explorer 11 baseline that is applied. Whoever the genius was that created the IE 11 baseline obviously does not work with Office 365. I have hundreds of machines that are impacted by this release and it is a major issue. Anyone reading this, PLEASE save yourself a huge headache and do not apply the IE11 baseline as it will break your Office 365 functionality.
    [Aaron Margosis] Are you running Windows 10? The problem isn't the IE baseline - it's the "untrusted font blocking" feature in the Windows 10 baseline:
    Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking: Enabled
    Office 365 uses custom fonts to render the app icons, and IE uses GDI to render those fonts. With Untrusted Font Blocking enabled, the fonts can't be rendered. Other browsers, including Microsoft Edge, use different graphics technologies from GDI and so aren't affected by the policy.

  • Anonymous
    August 10, 2016
    Do you know of a bug which causes the machine to get locked out by BitLocker when using the BitLocker SCM for 1511, even when the user has NOT entered their password incorrectly 10 times (as set by the threshold)...?
    More info here: https://social.technet.microsoft.com/Forums/en-US/71401581-41e9-4c2e-beab-1f6528e30f95/interactive-logon-machine-account-lockout-threshold?forum=mdopmbam

  • Anonymous
    August 17, 2016
    I don't see the .CAB file in the ZIP; has it been included by now?
    [Aaron Margosis] These baselines aren't designed to be incorporated into SCM. When you run SCM it looks online for updated content.

  • Anonymous
    August 22, 2016
    Hi Aaron. In January you stated that EMET settings were "temporarily" removed from the baseline, as the upcoming version of EMET would be in a different format. As of today and according to KB2458544, EMET is going End of Life on January 27, 2017. With no word or hint on that "upcoming" version of EMET, it is impossible to get a Change Board to approve an enterprise rollout, considering that it will soon be unsupported. For the same reasons, any installed installations would need to be uninstalled by that date (unless one dares to run unsupported software). Is EMET 6 kept so secret that nobody is supposed to know about it, or has it silently died and nobody wants to bring up the topic any more?

  • Anonymous
    September 01, 2016
    Hi Aaron. We have recently applied the TH2 Group Policy templates and recommended policy settings for Windows 10. Unfortunately there is a setting that, if applied, will have BitLocker lock your machine (requiring the key) after 10 non-consecutive failed logon attempts. The counter for locking the machine account does not reset unless "Access this computer from the network" includes Users, Everyone or Authenticated Users. The TH2 baseline has this set to "Administrators". Hopefully you guys will fix this in TH3 or whatever, and I hope I have helped someone with the BitLocker issue that we had.
    [Aaron Margosis] Thanks. Known issue, among others with the "Machine Account Lockout" feature. Strongly considering removing that setting from the next baseline.
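
Several comments above (the RDP deny rights, the MapsBroker "Increase a process working set" change, the PIN setup failure, and the BitLocker lockout counter) come down to which principals hold a particular user right. The following PowerShell script is an added example, not code from the original post or from the baseline package: it exports the effective local user-rights assignments with secedit, resolves the SIDs to account names, and warns about the two symptoms the comments describe. The file name under $env:TEMP and the warning thresholds are this example's own choices.

```powershell
# Added example (not code from the original post or the baseline package): export the
# effective local user-rights assignments with secedit and report who holds the four
# rights the comments trace problems to. The warnings encode what the post says: PIN
# setup validates the password with a network-type logon, and the machine account lockout
# counter only resets for holders of "Access this computer from the network". Run elevated.

$rightsOfInterest = [ordered]@{
    'SeNetworkLogonRight'               = 'Access this computer from the network'
    'SeDenyNetworkLogonRight'           = 'Deny access to this computer from the network'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
    'SeIncreaseWorkingSetPrivilege'     = 'Increase a process working set'
}

function Resolve-Principal([string]$Token) {
    $Token = $Token.TrimStart('*')                    # secedit prefixes SIDs with '*'
    if ($Token -notmatch '^S-1-') { return $Token }   # already an account name
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Token)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Token }                                # unresolvable SID: keep it raw
}

function Get-UserRightsAssignments {
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'   # temporary file, example's own choice
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $assigned = @{}
    # [Privilege Rights] lines look like: SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
    foreach ($line in (Get-Content -Path $inf -Encoding Unicode)) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $assigned[$Matches[1]] = @($Matches[2].Split(',') |
                Where-Object { $_.Trim() } | ForEach-Object { Resolve-Principal $_.Trim() })
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $assigned
}

$assigned = Get-UserRightsAssignments
foreach ($right in $rightsOfInterest.Keys) {
    $holders = if ($assigned.ContainsKey($right)) { $assigned[$right] } else { @() }
    '{0,-45} {1}' -f $rightsOfInterest[$right], $(if ($holders) { $holders -join ', ' } else { '(no one)' })
}

# The two symptoms reported in the comments above.
if (-not ($assigned['SeNetworkLogonRight'] | Where-Object { $_ -match '\\(Users|Authenticated Users)$|^Everyone$' })) {
    Write-Warning ('Only narrow groups hold "Access this computer from the network": PIN setup may fail ' +
                   'with "the user has not been granted the requested logon type", and the BitLocker ' +
                   'machine account lockout counter will not reset for other accounts.')
}
if (-not ($assigned['SeIncreaseWorkingSetPrivilege'] | Where-Object { $_ -match '\\Users$' })) {
    Write-Warning '"Increase a process working set" no longer includes Users; the comment above reports MapsBroker failing to start under such a setting.'
}
```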

  • Anonymous
    September 08, 2016
    Is this compatible with the Anniversary Update? I was looking to use the settings on a standalone machine. I ran the install script; the messages show files were copied successfully, and the log file is 0 KB with no entries (it had errors when I ran it with insufficient permissions the first time). However, after a reboot I see no evidence of the new templates in Local Security Policy, nor have any settings been applied. If I import policy and use the .inf from the Windows 10 folder, no settings are applied.
    [Aaron Margosis] Not aware of any issues installing this on v1607, though I haven't tried. We are working on an updated baseline for v1607 and hope to have it published in the next few weeks.

    • Anonymous
      November 30, 2016
      Any update on this?
      [Aaron Margosis] We released a baseline for v1607 ("Anniversary Update").
  • Anonymous
    March 10, 2017
    Hi, is there any news on the delivery of SCM .CAB files for this Windows 10 baseline? I'm aware it's been > 40 days since the last update. Hoping you can advise; this would be really great to have in the next fortnight or so (messy migration coming up).
    Cheers, James
    [Aaron Margosis] It's been out for ages. Run SCM on a system connected to the internet. It will also pick up the baselines for Windows 10 v1607 and for Server 2016. Make sure you have SCM v4.0.

  • Anonymous
    March 13, 2017
    Any chance this baseline meets NISPOM compliance?
    [Aaron Margosis] Is that different from the STIG?

  • Anonymous
    March 26, 2017
    Hello, for CIS and other baselines, is there a similar release with importable GPOs available?
    [Aaron Margosis] You'd have to ask the publishers of those baselines.