Security baseline for Windows 10 “Creators Update” (v1703) – DRAFT


Microsoft is pleased to announce the beta release of the recommended security configuration baseline settings for Windows 10 “Creators Update,” also known as version 1703, “Redstone 2,” or RS2. Please evaluate this proposed baseline and send us your feedback via blog comments below.

Download the content here: Windows-10-RS2-Security-Baseline

Microsoft is also announcing changes to the tool sets and URLs for managing Windows security configuration baselines. Those changes are described here.

The downloadable attachment to this blog post includes importable GPOs, scripts for applying the GPOs to local policy, custom ADMX files for Group Policy settings, and all the recommended settings in spreadsheet form. New in this release, the spreadsheet also includes the corresponding settings for configuring through Windows’ Mobile Device Management (MDM).

The most significant differences between this baseline and that for Windows 10 v1607 (a.k.a., “Anniversary Update,” “Redstone 1”, RS1) are:

  • Disabling the Server Message Block version 1 (SMBv1) protocol, using a custom “MS Security Guide” ADMX file so that the settings can be exposed through the Group Policy editor. Please read the caveats in the explanation text carefully. We have posted a separate blog article on that subject here.
  • Removing the “Untrusted Font Blocking” setting. We discuss the reasons for this change here.
  • Disabling VBScript in Internet Explorer when browsing sites in the Internet or Restricted Sites security zones.
  • Removing the “Network access: Do not allow storage of passwords and credentials for network authentication” setting. Configuring this setting makes it impossible to configure a scheduled task that needs authenticated network access with a username and password.
  • Disabling TLS 1.0 support for HTTPS sites in Internet Explorer, allowing only TLS 1.1 and TLS 1.2.
  • Disabling default HomeGroup and Xbox services that are not needed on managed enterprise computers, conforming to the Server guidance we recently published.
  • Exposing two more settings through the custom “MS Security Guide” ADMX to enforce protections for 32-bit processes and to “Turn on Windows Defender protection against Potentially Unwanted Applications.”

The Documentation subfolder in the downloadable zip-file attachment includes a spreadsheet showing the full set of differences between the RS1 and RS2 baselines. The spreadsheet was produced using Policy Analyzer.

As mentioned above, we invite and appreciate your feedback on this draft baseline. We will try to publish the final baseline within two weeks.


Comments (6)

  1. Yoshihiro Kawabata says:

    Thank you.
    I hope this security baseline document Japanese edition.
    and I hope to support the Security And Audit solution – Security Baseline Assessment of Microsoft Operations Management Suite.
    for share this our customers/partners.

  2. Jes Søndergaard Jensen says:

    •Disabling TLS 1.0 support for HTTPS sites in Internet Explorer, allowing only TLS 1.1 and TLS 1.2.
    This is giving us a lot of issues, as many sites still seems to use TLS 1.0, so we will not be able to implement this at the moment.
    The rest seems fine for now.

    1. Kurotama Fukui says:

      Sometimes you need to break something in order to fix it.

    2. [Aaron Margosis] New whitepaper: “Solving the TLS 1.0 Problem.” https://www.microsoft.com/en-us/download/details.aspx?id=55266
  3. Edward Blake says:

    Does this require Windows 10 in order to be able to see the custom settings? Can previous versions of Windows be used to modify these settings.

    [Aaron Margosis] No – just copy the SecGuide.admx into your %windir%\PolicyDefinitions or central store, and the SecGuide.adml into its en-us subdirectory.
  4. Peter Häcker says:

    Thanks for your work!
    Hopefully, we get this also for Windows Server – include the Default setting and comparison to the last OS Version.

    [Aaron Margosis] RS2 won’t include a major server release so we aren’t updating the Windows Server baseline at this time.
    I meant to mention that we aren’t including the “Default” column in the spreadsheet anymore, for a few reasons:
    * The default for GPOs is always “Not Configured;”
    * The default behavior in the absence of a configured setting might not map to one of the GPO options;
    * The default behavior in the absence of a configured setting can change between OS releases, and we can’t review every single feature/setting for every single release, so by not including the Default column, we avoid providing potentially inaccurate documentation.

    Oh, and for comparing to earlier baselines, check out Policy Analyzer.

Skip to main content