Security baseline for Windows 10 "Creators Update" (v1703) – DRAFT

Microsoft is pleased to announce the beta release of the recommended security configuration baseline settings for Windows 10 “Creators Update,” also known as version 1703, “Redstone 2,” or RS2. Please evaluate this proposed baseline and send us your feedback via blog comments below.

(Note: the final version of this baseline was published here.)

Microsoft is also announcing changes to the tool sets and URLs for managing Windows security configuration baselines. Those changes are described here.

The downloadable attachment to this blog post includes importable GPOs, scripts for applying the GPOs to local policy, custom ADMX files for Group Policy settings, and all the recommended settings in spreadsheet form. New in this release, the spreadsheet also includes the corresponding settings for configuring through Windows’ Mobile Device Management (MDM).

The most significant differences between this baseline and that for Windows 10 v1607 (a.k.a. “Anniversary Update,” “Redstone 1,” or RS1) are:

  • Disabling the Server Message Block version 1 (SMBv1) protocol, using a custom “MS Security Guide” ADMX file so that the settings can be exposed through the Group Policy editor. Please read the caveats in the explanation text carefully. We have posted a separate blog article on that subject here.
  • Removing the “Untrusted Font Blocking” setting. We discuss the reasons for this change here.
  • Disabling VBScript in Internet Explorer when browsing sites in the Internet or Restricted Sites security zones.
  • Removing the “Network access: Do not allow storage of passwords and credentials for network authentication” setting. Enabling this setting makes it impossible to create a scheduled task that needs authenticated network access with a username and password.
  • Disabling TLS 1.0 support for HTTPS sites in Internet Explorer, allowing only TLS 1.1 and TLS 1.2.
  • Disabling default HomeGroup and Xbox services that are not needed on managed enterprise computers, conforming to the Server guidance we recently published.
  • Exposing two more settings through the custom “MS Security Guide” ADMX to enforce protections for 32-bit processes and to “Turn on Windows Defender protection against Potentially Unwanted Applications.”
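The following PowerShell audit script is an added example, not part of the Microsoft baseline package; it reads back the settings that the list above changes so an administrator can confirm they took effect after the GPOs are applied. The registry paths, value names and service names it uses are my assumptions about where those policies are written on Windows 10 v1703, and should be confirmed against the baseline spreadsheet.

```powershell
# Added audit script, not part of the Microsoft baseline package. Registry paths,
# value names and service names are assumptions about where the listed Group
# Policy settings land on Windows 10 v1703; confirm them against the spreadsheet.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent means the policy has not been applied
}

function Test-Rs2BaselineDeltas {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Check, $Expected, $Actual) {
        $results.Add([pscustomobject]@{
            Check = $Check; Expected = $Expected; Actual = $Actual
            Pass  = ($null -ne $Actual -and "$Actual" -eq "$Expected") })
    }
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

    # SMBv1: server-side protocol switch and the client mini-redirector driver
    Add-Result 'SMBv1 server disabled (SMB1=0)' 0 `
        (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'SMB1')
    Add-Result 'SMBv1 client driver mrxsmb10 disabled (Start=4)' 4 `
        (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' 'Start')

    # IE "Turn off encryption support": 0x200 (TLS 1.1) + 0x800 (TLS 1.2) = 0xA00
    Add-Result 'IE SecureProtocols = TLS 1.1 + TLS 1.2 only' 0xA00 (Get-RegValue $pol 'SecureProtocols')

    # VBScript in the Internet (zone 3) and Restricted Sites (zone 4) zones; 3 = Disable
    foreach ($zone in 3, 4) {
        Add-Result "IE zone $zone VBScript disabled (140C=3)" 3 (Get-RegValue "$pol\Zones\$zone" '140C')
    }

    # Windows Defender protection against potentially unwanted applications
    Add-Result 'Defender PUA protection on (MpEnablePus=1)' 1 `
        (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine' 'MpEnablePus')

    # HomeGroup and Xbox services that managed enterprise machines do not need
    foreach ($svc in 'HomeGroupListener','HomeGroupProvider','XblAuthManager','XblGameSave','XboxNetApiSvc') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        # a service that is not installed cannot run, so treat it as compliant
        $actual = if ($null -eq $s) { 'Disabled' } else { "$($s.StartType)" }
        Add-Result "Service $svc disabled" 'Disabled' $actual
    }
    return $results
}

Test-Rs2BaselineDeltas | Format-Table -AutoSize
```

Run it from an elevated PowerShell 5.1 session (the StartType property on Get-Service output requires PowerShell 5.0 or later) after a gpupdate, and treat any row with Pass = False as a setting that has not reached the machine.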

The Documentation subfolder in the downloadable zip-file attachment includes a spreadsheet showing the full set of differences between the RS1 and RS2 baselines. The spreadsheet was produced using Policy Analyzer.

As mentioned above, we invite and appreciate your feedback on this draft baseline. We will try to publish the final baseline within two weeks.