Security baseline for Windows 10 (v1511, "Threshold 2") — FINAL


Microsoft is pleased to announce the final release of the security configuration baseline settings for Windows 10 version 1511, also known as "November Update," "Build 10586," "Threshold 2," or "TH2." The downloadable attachment to this blog post includes importable GPOs, tools for applying the GPOs to local GPO, custom ADMX files for Group Policy settings, and all the settings in spreadsheet form. We will also be publishing SCM .CAB files for this Windows 10 baseline shortly, and will announce their availability on the Security Guidance blog. (Note that we will not be providing updated SCM .CAB files for the IE11 guidance. For that content, see the attachment on this blog post.)

These are the updates we have made since the draft release in November, following continuing discussions with security experts in Microsoft, the Center for Internet Security, and customers:

  • Enabled "Turn off Microsoft consumer experiences," which is a new setting as of version 1511.
  • Removed configuration of "Allow unicast response" from all three Windows Firewall profiles, as disallowing unicast response regularly causes DHCP address acquisition to fail. The threat it is supposed to protect against is minuscule.
  • Removed the restrictions on the number of cached logons. Cached logon verifiers are difficult to break, particularly on Windows Vista and newer. (The DISA STIG has also removed this restriction.)
  • Removed the screen saver timeout from User configuration, as the computer-wide "Interactive logon: Machine inactivity limit" setting removes that need.
  • Removed all EMET settings from the baseline for the time being. Configuration settings in the upcoming version of EMET will be in a different format from that of the existing EMET 5.5 beta.
  • Removed the configuration setting for "Recovery console: Allow automatic administrative logon." This setting has been obsolete since Windows XP and its removal just got missed until now.

Windows 10 TH2 Security Baseline.zip


Comments (24)

  1. Mikael Grath says:

    Thanks, great timing, looking forward to the cab-files :)

    (The zip is lacking GP Reports though)

    [Aaron Margosis] Thanks for catching that. The attachment has been updated. (I had to rename the zip file to get the blog platform to realize that there was a change.)

  2. JPvR says:

    "Removed configuration of "Allow unicast response" from all three Windows Firewall profiles, as disallowing unicast response regularly causes DHCP address acquisition to fail. The threat it is supposed to protect against is minuscule."

    Sounds good. We had some issues with recently deployed machines. I’ll implement this new policy set and check if this fixes the DHCP issues.

  3. PhillyPhotog says:

    How do we import into SCM? The file is downloading as a .zip, but you mention that you had uploaded the cab.

    [Aaron Margosis] This download is independent of and separate from SCM. The .cab file will be coming soon and will be announced here, but it's not available yet.

  4. Alexey Semibratov says:

    How do I import it to a Domain GPO?
    What I'm going to do is create a dummy GPO object and just copy the relevant files from the GPOs directly to SYSVOL. Is that the right way to do it, or are there other methods?
    Thank you.

    [Aaron Margosis] Hi, Alexey!

    The zip file includes GPO backups. You can import those directly.

  5. Gareth Thomas says:

    Fantastic stuff!

    I should have come back earlier! I finally pinpointed the "Allow Unicast" setting as causing DHCP issues in my test build. It took a long time to pinpoint (but I learnt a lot, it's a beta, no hard feelings!) and I was writing up something with my test results to send in, but the beta was over!

    It's worth noting that there is a setting in TH2 that generally disallows unicast responses, but explicitly does not apply to DHCP settings. This one has been enabled in the baseline and I can confirm does not impact DHCP.

    Thanks for noting the settings that you changed, I'll update my baseline. Great work team!

    [Aaron Margosis] The setting disallowing unicast responses has been in our Windows Firewall guidance and that of others also (like the Center for Internet Security) for ages. I'm glad we're finally removing it.

    Re the setting that's supposed to disallow unicast but not for DHCP — I think I know what you're referring to and I believe the documentation about that is just wrong. We saw something that was supposed to be a fix but we continued to see problems.

  6. Andy Wilkins says:

    I am having issues in merging these baselines with those published by CESG here in the UK, SCM doesn't seem to like the new Win 10 specific settings, such as disabling or allowing Cortana. Is this a known issue?

    [Aaron Margosis] SCM has bugs that have been increasingly exposed by newer baselines. The SCM tool itself hasn't been updated in over three years. :(

  7. havealoha says:

    On a domain-based network but with the computer not joined to the domain, after applying this baseline using the local policy, and after removing "local user" from "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services", and after confirming that the existing inbound firewall rules (TCP/UDP 3389) for all profiles were enabled, I could not RDP into the machine until the computer had joined the domain. Is this a policy issue or a firewall issue? Could it be "Prohibit connection to non-domain networks when connected to domain authenticated network"? We need to develop a golden image via RDP without joining the domain while being attached to the domain network.

    [Aaron Margosis] Did you reboot after changing the user rights assignments, and did you go into System Properties (sysdm.cpl) / Remote and enable remote desktop connections?

  8. havealoha says:

    Didn't need to do that because the user is a local admin and it was already populated. It started working for the local user only after doing the steps in my previous post. All RDP attempts were with a local account, before and after joining the domain.

    [Aaron Margosis] OK. I posted those suggestions only after testing them myself and verifying that I could RDP using a local account without having to domain-join.

  9. Flov84 says:

    Hello,

    Any news about SCM baseline availability?
    Thanks.

    [Aaron Margosis] It's been posted. Run SCM and it will download automatically.

  10. Jesus Belinchon says:

    Applying this security baseline on a W10 client makes Maps stop working. The MapBroker service runs as the Network Service account and this security baseline somehow prevents this service from starting. If, for instance, you change the service to start as Local System, it works OK. Does this happen to anyone else?

    [Aaron Margosis] How does Maps stop working? The MapsBroker ("Downloaded Maps Manager") service is marked as Automatic (Delayed Start). I see it in a stopped state on multiple machines, both with and without the baseline applied. If I start the service manually (e.g., sc start MapsBroker), it runs for a bit and then exits with an exit status of 0. If I start the Maps app, the MapsBroker service starts and remains running until several seconds after the Maps app is closed. The permissions on the service (AccessChk -l -c MapsBroker) grant Start and Stop permissions to Authenticated Users and to All Application Packages (UWP AppContainer apps). Maps can start the service whenever needed.

  11. Jesus Belinchon says:

    Thank you Aaron, reviewing my GPOs I realized we were setting the user rights assignment for the "Increase a process working set" privilege to NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators. Once I set it to "Not Configured", the MapsBroker service starts normally and the Maps Appx works without issues.

  12. Jonas Bengtsson says:

    Hi,

    The guideline recommendation for UNC Hardening on SYSVOL is:
    \\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1

    However, when I use these settings I get an error when trying to apply some of the GPOs. I've seen more people with the same issue and they solve it by setting the values to:
    \\*\SYSVOL RequireMutualAuthentication=0, RequireIntegrity=0
    See
    https://community.spiceworks.com/topic/1119601-windows-10-group-policy-issue

    What should the value be set to?
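    A small audit script for the Hardened UNC Paths setting discussed in this comment, added here as an example; it is not part of the baseline download or the blog post, and the function names are my own. It reads the documented registry location that the Group Policy setting writes to and reports whether the \\*\SYSVOL entry carries the recommended RequireMutualAuthentication=1, RequireIntegrity=1 or a weakened variant such as the 0/0 workaround, and can write the recommended value back.

```powershell
# Added example: audit the Hardened UNC Paths entry for \\*\SYSVOL.
# The policy stores one REG_SZ value per UNC path under this key (documented location).
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$SysvolEntry      = '\\*\SYSVOL'
$Recommended      = 'RequireMutualAuthentication=1, RequireIntegrity=1'   # value recommended in the guidance

function ConvertFrom-HardenedPathValue {
    # Turns "RequireMutualAuthentication=1, RequireIntegrity=1" into a hashtable of flag -> int.
    param([string]$Value)
    $flags = @{}
    foreach ($part in ($Value -split ',')) {
        $kv = $part.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $flags[$kv[0].Trim()] = [int]$kv[1].Trim() }
    }
    return $flags
}

function Get-SysvolHardeningState {
    # Returns Hardened, Weakened or NotConfigured for the \\*\SYSVOL entry.
    param([string]$Key = $HardenedPathsKey)
    if (-not (Test-Path $Key)) { return 'NotConfigured' }
    $raw = (Get-ItemProperty -Path $Key).$SysvolEntry
    if ([string]::IsNullOrWhiteSpace($raw)) { return 'NotConfigured' }
    $f = ConvertFrom-HardenedPathValue $raw
    if ($f['RequireMutualAuthentication'] -eq 1 -and $f['RequireIntegrity'] -eq 1) { return 'Hardened' }
    return 'Weakened'   # e.g. the 0/0 values from the Spiceworks workaround above
}

function Set-SysvolHardening {
    # Writes the recommended value (run elevated). Re-test GPO processing afterwards,
    # since the comment above reports failures with this value in some environments.
    param([string]$Key = $HardenedPathsKey)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $SysvolEntry -PropertyType String -Value $Recommended -Force | Out-Null
}

"SYSVOL hardening: $(Get-SysvolHardeningState)"
```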

  13. Dale says:

    When applying the Win10-1511 Computer Security Compliance 1.0 section from SCM to a test computer, and then trying to set up a PIN in Settings-Accounts-Sign-In Options, I'm now presented with the error "Logon failure: the user has not been granted the requested logon type at this computer." The logged-in account is an admin. For the life of me I can't find which setting is causing this. Any ideas?

    Thanks.

    [Aaron Margosis] It's due to a bug in Windows that is being fixed in an upcoming release. The policy is the "Access this computer from the network" user rights assignment. The PIN feature itself doesn't require the network logon right, but when you set up the PIN, it asks you to re-enter your password to verify that the person setting up the PIN is the authorized user. When it does this, it validates the password by performing a local logon using the network logon type (LOGON32_LOGON_NETWORK, 3). If the user isn't granted the network logon type on the local computer, this test fails. The best workaround is to relax that assignment while setting up the PIN, and then after the PIN has been established, return the assignment to the value recommended in the baseline.
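    The validation step described in this reply can be reproduced directly, so an administrator can confirm the cause before relaxing the user rights assignment. This is an added example, not code from the post or the baseline; it calls the documented LogonUser API with the network logon type and checks for the Win32 error code behind the quoted message, and the function name is my own.

```powershell
# Added example: reproduce the password check that PIN setup performs.
# PIN enrolment verifies the password with a local LogonUser call using LOGON32_LOGON_NETWORK (3).
# If the account lacks "Access this computer from the network", Windows returns
# ERROR_LOGON_TYPE_NOT_GRANTED (1385): "the user has not been granted the requested logon type".
Add-Type -Namespace Win32 -Name Advapi -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUserW(string user, string domain, string password,
    int logonType, int logonProvider, out System.IntPtr token);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(System.IntPtr handle);
'@

$LOGON32_LOGON_NETWORK        = 3
$LOGON32_PROVIDER_DEFAULT     = 0
$ERROR_LOGON_TYPE_NOT_GRANTED = 1385

function Test-NetworkLogonRight {
    # Attempts a network-type logon for a local account and classifies the outcome.
    param(
        [string]$User,
        [string]$Domain = $env:COMPUTERNAME,    # local account, as in the comment above
        [securestring]$Password
    )
    $plain = (New-Object System.Net.NetworkCredential('', $Password)).Password
    $token = [IntPtr]::Zero
    $ok  = [Win32.Advapi]::LogonUserW($User, $Domain, $plain, $LOGON32_LOGON_NETWORK,
                                      $LOGON32_PROVIDER_DEFAULT, [ref]$token)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($ok) { [void][Win32.Advapi]::CloseHandle($token); return 'NetworkLogonGranted' }
    if ($err -eq $ERROR_LOGON_TYPE_NOT_GRANTED) { return 'NetworkLogonDenied' }
    return "OtherFailure($err)"   # e.g. 1326 = bad user name or password
}

$pw = Read-Host -AsSecureString 'Password for the account being tested'
Test-NetworkLogonRight -User $env:USERNAME -Password $pw
```

    Run it as the account that will enrol the PIN: a NetworkLogonDenied result confirms that the "Access this computer from the network" assignment is the blocker, matching the workaround of relaxing it only for the duration of PIN setup.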

  14. Ed Torres says:

    Was this baseline designed for corporations only or it could be used at home workstations as well?

    [Aaron Margosis] It's intended primarily for well-managed enterprise computers. I guess it could be used on home computers as well, but I don't think we've had any feedback on use in those scenarios.

  15. jvansickler says:

    Please keep in mind standalone computers – we use SCM to configure standalone systems to comply with the DISA STIG settings. Right now it's done manually by massaging the baselines and using GPOPacks… we're still waiting for SCM import of STIGs (hint, hint)… and mandatory use of Windows 10 for these systems isn't far off.

  16. Thomas Earley says:

    Have the SCM CAB files for TH2 been released? It has been about half a year since the announcement.

    [Aaron Margosis] Yes. If you start SCM on an internet-connected computer it will download the CAB files for v1511. Note, though, that there are a couple of Advanced Auditing recommendations that SCM does not currently have a representation for. The download on this blog post is more complete.
    (Sorry for the delay in responding — when they changed the blog platform I stopped getting notifications about pending comments.)

    1. Simon says:

      I need the CAB files on a computer with no internet connection. Is there a way to download them from the web and transfer them to the offline computer via USB?

  17. Simon åhr says:

    I need the CAB files for an offline computer; is there a place to download them from?

    Best regards

  18. Mark.P says:

    Why does 1511 reset the local security policy "Network access: Let Everyone permissions apply to anonymous users" from Enabled back to Disabled? As far as I remember this is the first time that a user-defined security policy setting has been overwritten by an update of Windows?

    Mark.P

    [Aaron Margosis] I wasn’t aware of that. Nor have I been aware of anyone configuring that to Enabled and restoring that ancient behavior.

    1. Mark.P says:

      Yes, unfortunately it does for us at clients running our software upon installing 1511. And we are not alone relying on that switch to be enabled. Have a look at McAfee Storage Scan running as a service. They face the same issue on Scanners running with Windows 10. Follow the link and search for “everyoneincludesanonymous”. https://kc.mcafee.com/corporate/index?page=content&id=KB81982&vse0814

      [Aaron Margosis] I’ll probably get some heat for saying this, but I cannot understand how a product that purportedly serves the purpose of enhancing security justifies requiring the degrading of a security setting back to the state that existed prior to Windows XP Service Pack 2. SMH.

      1. Mark.P says:

        I totally agree with you. But the decision to use anonymous login a long time ago in our product wasn't made by me. It just puzzles me that, although this is a user-defined setting with a known default, it is reverted back to the default by merely a Windows update. Organizations are usually not happy when Microsoft alters settings within the local security policy. As a side note, using anonymous login is restricted to named pipes and shares by default.

  19. Peteo says:

    The GPOPack.WSF that is produced when creating a GPO pack (using LocalGPO.wsf) does not have Windows 10 support in its code, so it fails when using it to apply a GPOPack to a Windows 10 computer. (It says the operating system is not supported.)

    [Aaron Margosis] The LocalGPO tool hasn’t been supported for a while. LGPO.exe is its replacement.

  20. Larry says:

    All,

    This baseline completely breaks the ability to see App launcher icons or any other icon in the ribbon of Office 365. I have verified that the root cause is the Internet Explorer 11 baseline that is applied. Whoever the genius was that created the IE 11 baseline obviously does not work with Office 365.

    I have hundreds of machines that are impacted by this release and it is a major issue. Anyone reading this, PLEASE save yourself a huge headache and do not apply the IE11 Baseline as it will break your Office 365 functionality.

    [Aaron Margosis] Are you running Windows 10? The problem isn’t the IE baseline – it’s the “untrusted font blocking” feature in the Windows 10 baseline:
    Computer Configuration\Administrative Templates\System\Mitigation Options!Untrusted Font Blocking: Enabled
    Office 365 uses custom fonts to render the app icons, and IE uses GDI to render those fonts. With Untrusted Font Blocking enabled, the fonts can’t be rendered. Other browsers, including Microsoft Edge, use different graphics technologies from GDI and so aren’t affected by the policy.
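    To verify this cause before touching the policy, both the mitigation state and the fonts it has blocked can be read from the affected machine. This is an added example, not code from the post or the baseline; the registry location, the bit values and the Win32k/Operational event ID 260 are the documented ones for the Untrusted Font Blocking feature, and the function names are my own.

```powershell
# Added example: decode the Untrusted Font Blocking mitigation and list blocked fonts.
# The Group Policy setting quoted above drives bits 48-49 of the kernel's MitigationOptions
# QWORD (documented location); each blocked font is logged as event 260 in Win32k/Operational.
$KernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'
$FontMask  = [long]0x3000000000000

function Get-UntrustedFontBlockingState {
    # Maps the font-blocking bits of MitigationOptions to the states the policy offers.
    param([long]$MitigationOptions)
    switch ($MitigationOptions -band $FontMask) {
        ([long]0x1000000000000) { return 'Block' }          # block and log (the baseline's setting)
        ([long]0x2000000000000) { return 'Off' }            # blocking explicitly disabled
        ([long]0x3000000000000) { return 'Audit' }          # log only, nothing blocked
        default                 { return 'NotConfigured' }  # OS default applies
    }
}

function Get-LocalFontBlockingState {
    # Reads the live value from this machine; QWORDs come back from the registry as Int64.
    $value = (Get-ItemProperty -Path $KernelKey -ErrorAction SilentlyContinue).MitigationOptions
    if ($null -eq $value) { return 'NotConfigured' }
    return Get-UntrustedFontBlockingState -MitigationOptions ([long]$value)
}

function Get-BlockedFontEvents {
    # Recent blocked-font events; each message names the process and the font file it rejected,
    # which is how the IE / Office 365 icon breakage described above shows up on the client.
    param([int]$Count = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Win32k/Operational'; Id = 260 } `
                 -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

"Untrusted Font Blocking: $(Get-LocalFontBlockingState)"
Get-BlockedFontEvents | Format-Table -AutoSize -Wrap
```

    If the state reads Block while the icons are broken, the 260 events will name the downloaded font files IE tried to load; Audit mode keeps that logging without the breakage while you evaluate the trade-off.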

  21. Russell says:

    The zip file is corrupt.

    [Aaron Margosis] No repro. I just downloaded it, extracted it to a new directory, and compared it to the original, and there were no differences. Try downloading again, perhaps? Maybe anti-virus or something similar is interfering?