Security baseline for Windows 10 “Creators Update” (v1703) – FINAL


Microsoft is pleased to announce the final release of the recommended security configuration baseline settings for Windows 10 “Creators Update,” also known as version 1703, “Redstone 2,” or RS2. The downloadable attachment to this blog post includes importable GPOs, tools for applying the GPOs, custom ADMX files for Group Policy settings, and all the settings in spreadsheet form.

Download the content here: Windows-10-RS2-Security-Baseline-FINAL.zip

This updated content will be incorporated into the Security Compliance Toolkit shortly. (Note that the Security Compliance Manager tool has been retired.)

The differences in this baseline from the v1703 draft version are:

  • The security settings that disallowed Internet Explorer from using downloaded fonts in the Internet and Restricted Sites zones have been removed. This change in IE11 recommendations applies only to Windows 10, and is possible because of Windows 10's additional mitigations as described in the blog post, Dropping the "Untrusted Font Blocking" setting.
  • The enforcement of the default for the User Rights Assignment, Generate security audits (SeAuditPrivilege), has been removed. Enforcing the default does not mitigate contemporary security threats, and hampers the functionality of programs such as System Center Operations Manager (SCOM) that need to change the default.
  • We are enabling the setting, "Do not suggest third-party content in Windows spotlight" in User Configuration\Administrative Templates\Windows Components\Cloud Content. Enabling this setting is consistent with our having previously enabled "Turn off Microsoft consumer experiences."

Thank you to the Center for Internet Security (CIS) and to everyone else who gave us feedback.

 


Comments (6)

  1. Stephane Dupond says:

    Will the Security Compliance Manager updated accordingly?

    [Aaron Margosis] No – that tool has been retired.
  2. umesh says:

    will corresponding baselines for windows server 2016 be made available?

  3. Lucreitus says:

    I’ve used this settings (client_install with lgpo) then after two boots I couldn’t enter my pc. I enter my password on login screen, it accepts and directly says “User profile service failed the logon User profile cannot be loaded” and turns back to login screen.

    Also I couldn’t find the reason but I can’t reach safe mode with “shift + power”, “f8 on boot” or “CAD”. I had windows install usb, from setup screen I used system recovery. After the recovery still can’t.

    Any ideas?

  4. Mark Hoenig says:

    Your domain settings have users change 14 character complex passwords every 60 days. This against the “Microsoft Password Guidance” document by Robyn Hicock, and against new NIS guidelines. Why?

    [Aaron Margosis] Group Policy and other settings available within Windows don’t offer a way to implement those guidelines.
  5. Daniel says:

    Wait … you recommend to enable “Do not suggest third-party content in Windows spotlight” after you removed it from Windows 10 Pro? You do see the hypocrisy that, do you?

    [Aaron Margosis] Help me out. I have no idea what you’re talking about. Thanks.
  6. dawn wertz says:

    Can these baselines be used in SCCM configuration items?

    [Aaron Margosis] I’m not aware at the moment of a tool that can represent these GPOs in their entirely in the DCM format. We are working on a solution that will address the gap of compliance checking.
Skip to main content