Security Baseline (Device)

Overview

Purpose / Short Summary:

The Devicie Security Baseline (Device) provides a starting point for organisations to begin their endpoint security improvement journey while remaining productive. It covers a wide range of items that encourage standardisation, improve administrators' overview of the fleet, and improve device security with minimal impact on typical user activity.

Intune Description:

Inspired by CIS 3.0, while allowing for a secure but productive experience. Configuration impacting Windows Defender, legacy protocols, Remote Desktop Services, auditing and device event logs, Windows Hello for Business and more.

Scope:

This baseline should be applied to Windows devices, in conjunction with the “DEVICIE-PROD-Security Baseline (User)” baseline.

Policy Impact Areas:

When deployed, this policy will impact:

  • Enforcing Windows Defender and many of its configurations

  • Enabling Windows Hello for Business

  • Disabling legacy protocols and settings (such as SMB v1 and the MSS legacy settings)

  • Hardening of Remote Desktop Services components

  • Enabling many Auditing and Device Event Log Services

Deployment Notes

  1. Pre-Deployment Considerations:

    • Review existing Windows Defender (or other endpoint protection software) configurations

    • Windows Hello for Business usage

  2. Post-Deployment Validation:

    • Verify Windows Defender configuration

    • Verify that Windows Hello for Business is enabled, with a minimum PIN length of 6 required
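The post-deployment validation above can be scripted; the PowerShell below is an added example, not part of the Devicie baseline or its documentation, that reads back a sample of this baseline's settings on a deployed device and reports pass/fail per item. It assumes Intune surfaces the ADMX-backed and security-option settings at the registry locations Group Policy uses, and the Windows Hello for Business lookup (Get-WhfbMinimumPinLength, a helper written here) searches two assumed policy roots; run it elevated on a target device.

```powershell
# Added validation script (not part of the Devicie baseline). Assumption: settings delivered by
# Intune surface at the same registry locations that Group Policy writes. Run elevated.
$registryChecks = @(
  @{ Label = 'SMB v1 client driver (mrxsmb10) disabled';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10';                                   Name = 'Start';                                 Expected = 4 },
  @{ Label = 'WDigest credential caching disabled';          Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';                  Name = 'UseLogonCredential';                    Expected = 0 },
  @{ Label = 'SEHOP enabled';                                Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel';                     Name = 'DisableExceptionChainValidation';       Expected = 0 },
  @{ Label = 'UAC restrictions on local accounts (network)'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';                  Name = 'LocalAccountTokenFilterPolicy';         Expected = 0 },
  @{ Label = 'Multicast name resolution (LLMNR) off';        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';                            Name = 'EnableMulticast';                       Expected = 0 },
  @{ Label = 'LM hash not stored';                           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                        Name = 'NoLMHash';                              Expected = 1 },
  @{ Label = 'LAN Manager auth level (refuse LM and NTLM)';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                        Name = 'LmCompatibilityLevel';                  Expected = 5 },
  @{ Label = 'RDP: Network Level Authentication';            Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';                    Name = 'UserAuthentication';                    Expected = 1 },
  @{ Label = 'RDP: security layer SSL';                      Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';                    Name = 'SecurityLayer';                         Expected = 2 },
  @{ Label = 'RDP: encryption level High';                   Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';                    Name = 'MinEncryptionLevel';                    Expected = 3 },
  @{ Label = 'CredSSP Encryption Oracle: Force Updated Clients'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'; Name = 'AllowEncryptionOracle'; Expected = 0 },
  @{ Label = 'PowerShell script block logging';              Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging';           Name = 'EnableScriptBlockLogging';              Expected = 1 },
  @{ Label = 'Command line in process creation events';      Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit';            Name = 'ProcessCreationIncludeCmdLine_Enabled'; Expected = 1 },
  @{ Label = 'Machine inactivity limit 900 s';               Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';                  Name = 'InactivityTimeoutSecs';                 Expected = 900 }
)

function Test-BaselineRegistryValue([hashtable]$Check) {
  # A missing key or value reads as $null, which fails the comparison and is reported as such.
  $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue).($Check.Name)
  [pscustomobject]@{ Check = $Check.Label; Expected = $Check.Expected; Actual = $actual; Pass = ($actual -eq $Check.Expected) }
}

function Get-WhfbMinimumPinLength {
  # Assumption: the WHfB PIN policy lands under one of these roots (the first is the Group Policy
  # location; the second is where MDM-delivered PassportForWork policy is commonly observed).
  foreach ($root in 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork', 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork') {
    if (-not (Test-Path $root)) { continue }
    $key = Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.PSChildName -eq 'PINComplexity' } | Select-Object -First 1
    if ($key) { return (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).MinimumPINLength }
  }
  return $null
}

$results = @($registryChecks | ForEach-Object { Test-BaselineRegistryValue $_ })

# Items from the baseline that are easier to read through cmdlets than through the registry.
$smb1Server = (Get-SmbServerConfiguration).EnableSMB1Protocol
$results += [pscustomobject]@{ Check = 'SMB v1 server disabled'; Expected = $false; Actual = $smb1Server; Pass = ($smb1Server -eq $false) }
$avEnabled = (Get-MpComputerStatus).AntivirusEnabled
$results += [pscustomobject]@{ Check = 'Microsoft Defender Antivirus running'; Expected = $true; Actual = $avEnabled; Pass = ($avEnabled -eq $true) }
$blockRules = @((Get-MpPreference).AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count   # action 1 = Block
$results += [pscustomobject]@{ Check = 'ASR rules in Block mode (baseline lists 13)'; Expected = 13; Actual = $blockRules; Pass = ($blockRules -ge 13) }
$credVal = (auditpol /get /subcategory:'Credential Validation' /r | ConvertFrom-Csv).'Inclusion Setting'
$results += [pscustomobject]@{ Check = 'Audit Credential Validation'; Expected = 'Success and Failure'; Actual = $credVal; Pass = ($credVal -eq 'Success and Failure') }
$pin = Get-WhfbMinimumPinLength
$results += [pscustomobject]@{ Check = 'WHfB minimum PIN length'; Expected = 6; Actual = $pin; Pass = ($null -ne $pin -and $pin -ge 6) }

$results | Format-Table Check, Expected, Actual, Pass -AutoSize
if ($results | Where-Object { -not $_.Pass }) { Write-Warning 'One or more baseline checks failed.'; exit 1 }
```

A non-zero exit code lets the script double as an Intune compliance or remediation detection script once the checks are trimmed to the items you care about.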

Known Issues and Resolutions

  • Issue 1: Enabling Windows Hello for Business

    • Resolution: [Steps to resolve]

  • Issue 2: Simultaneous Network Connections (Unable to connect to both WiFi and Ethernet at the same time)

    • Resolution: none; this is an intended security consideration (see the Windows Connection Manager setting "Minimize the number of simultaneous connections to the Internet or a Windows Domain" below)

Configuration Settings:

Name | Value

Above Lock
  Allow Cortana Above Lock | Block

Administrative Templates

Personalization
  Prevent enabling lock screen camera | Enabled
  Prevent enabling lock screen slide show | Enabled

MS Security Guide
  Apply UAC restrictions to local accounts on network logons | Enabled
  Configure SMB v1 client driver | Enabled
    Configure MrxSmb10 driver | Disable driver (recommended)
  Configure SMB v1 server | Disabled
  Enable Structured Exception Handling Overwrite Protection (SEHOP) | Enabled
  WDigest Authentication (disabling may require KB2871997) | Disabled

MSS (Legacy)
  MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) | Enabled
    DisableIPSourceRoutingIPv6 (Device) | Highest protection, source routing is completely disabled
  MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | Enabled
    DisableIPSourceRouting (Device) | Highest protection, source routing is completely disabled
  MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended) | Enabled
  MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Disabled
  MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds | Enabled
    KeepAliveTime (Device) | 300000 or 5 minutes (recommended)
  MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled
  MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) | Disabled
  MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) | Enabled
  MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) | Enabled
    ScreenSaverGracePeriod (Device) | 5
  MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) | Enabled
    TcpMaxDataRetransmissions (Device) | 3
  MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) | Enabled
    TcpMaxDataRetransmissions (Device) | 3
  MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning | Enabled
    WarningLevel (Device) | 90%

DNS Client
  Turn off multicast name resolution | Enabled

Link-Layer Topology Discovery
  Turn on Mapper I/O (LLTDIO) driver | Disabled
  Turn on Responder (RSPNDR) driver | Disabled

Network Connections
  Prohibit installation and configuration of Network Bridge on your DNS domain network | Enabled
  Prohibit use of Internet Connection Sharing on your DNS domain network | Enabled
  Require domain users to elevate when setting a network's location | Enabled

Network Provider
  Hardened UNC Paths | Enabled
    Hardened UNC Paths: (Device)
      \\*\SYSVOL | RequireIntegrity=1,RequireMutualAuthentication=1
      \\*\NETLOGON | RequireIntegrity=1,RequireMutualAuthentication=1

Windows Connect Now
  Configuration of wireless settings using Windows Connect Now | Disabled
  Prohibit access of the Windows Connect Now wizards | Enabled

Windows Connection Manager
  Minimize the number of simultaneous connections to the Internet or a Windows Domain | Enabled
    Minimize Policy Options (Device) | 3 = Prevent Wi-Fi when on Ethernet
  Prohibit connection to non-domain networks when connected to domain authenticated network | Enabled

Wireless Display
  Require PIN pairing | Enabled

Printers
  Allow Print Spooler to accept client connections | Disabled
  Point and Print Restrictions | Enabled
    Enter fully qualified server names separated by semicolons (Device) | (empty)
    Users can only point and print to machines in their forest (Device) | False
    Users can only point and print to these servers: (Device) | True
    When installing drivers for a new connection: (Device) | Show warning and elevation prompt
    When updating drivers for an existing connection: (Device) | Show warning and elevation prompt

Notifications
  Turn off toast notifications on the lock screen (User) | Enabled

Audit Process Creation
  Include command line in process creation events | Enabled

Credentials Delegation
  Encryption Oracle Remediation | Enabled
    Protection Level: (Device) | Force Updated Clients
  Remote host allows delegation of non-exportable credentials | Enabled

Device Installation Restrictions
  Prevent installation of devices using drivers that match these device setup classes | Enabled
    Also apply to matching devices that are already installed. | True
    Prevented Classes | {d48179be-ec20-11d1-b6b8-00c04fa372a7};{7ebefbc0-3200-11d2-b4c2-00a0C9697d07};{c06ff265-ae09-48f0-812c-16753d7cba83};{6bdd1fc1-810f-11d0-bec7-08002be2092f}

Device Installation
  Prevent device metadata retrieval from the Internet | Enabled

Early Launch Antimalware
  Boot-Start Driver Initialization Policy | Enabled
    Choose the boot-start drivers that can be initialized: | Good, unknown and bad but critical

Group Policy
  Configure registry policy processing | Enabled
    Do not apply during periodic background processing (Device) | False
    Process even if the Group Policy objects have not changed (Device) | True
  Configure security policy processing | Enabled
    Do not apply during periodic background processing (Device) | False
    Process even if the Group Policy objects have not changed (Device) | True
  Turn off background refresh of Group Policy | Disabled

Internet Communication settings
  Turn off downloading of print drivers over HTTP | Enabled
  Turn off Internet download for Web publishing and online ordering wizards | Enabled

Logon
  Block user from showing account details on sign-in | Enabled
  Do not enumerate connected users on domain-joined computers | Enabled
  Enumerate local users on domain-joined computers | Disabled
  Turn off app notifications on the lock screen | Enabled
  Turn off picture password sign-in | Enabled
  Turn on convenience PIN sign-in | Disabled

Sleep Settings
  Require a password when a computer wakes (on battery) | Enabled
  Require a password when a computer wakes (plugged in) | Enabled

Remote Assistance
  Configure Offer Remote Assistance | Disabled
  Configure Solicited Remote Assistance | Disabled

Remote Procedure Call
  Enable RPC Endpoint Mapper Client Authentication | Enabled
  Restrict Unauthenticated RPC clients | Enabled
    RPC Runtime Unauthenticated Client Restriction to Apply: | Authenticated

Time Providers
  Enable Windows NTP Client | Enabled
  Enable Windows NTP Server | Disabled

App runtime
  Allow Microsoft accounts to be optional | Enabled

Attachment Manager
  Do not preserve zone information in file attachments (User) | Disabled
  Notify antivirus programs when opening attachments (User) | Enabled

AutoPlay Policies
  Disallow Autoplay for non-volume devices | Enabled
  Set the default behavior for AutoRun | Enabled
    Default AutoRun Behavior | Do not execute any autorun commands
  Turn off Autoplay | Enabled
    Turn off Autoplay on: | All drives

Credential User Interface
  Do not display the password reveal button | Enabled
  Enumerate administrator accounts on elevation | Disabled
  Prevent the use of security questions for local accounts | Enabled

Application (event log)
  Control Event Log behavior when the log file reaches its maximum size | Disabled
  Specify the maximum log file size (KB) | Enabled
    Maximum Log Size (KB) | 32768

Security (event log)
  Control Event Log behavior when the log file reaches its maximum size | Disabled
  Specify the maximum log file size (KB) | Enabled
    Maximum Log Size (KB) | 196608

Setup (event log)
  Control Event Log behavior when the log file reaches its maximum size | Disabled
  Specify the maximum log file size (KB) | Enabled
    Maximum Log Size (KB) (Device) | 32768

System (event log)
  Control Event Log behavior when the log file reaches its maximum size | Disabled
  Specify the maximum log file size (KB) | Enabled
    Maximum Log Size (KB) | 32768

File Explorer
  Configure Windows Defender SmartScreen | Enabled
    Pick one of the following settings: (Device) | Warn and prevent bypass
  Turn off Data Execution Prevention for Explorer | Disabled
  Turn off heap termination on corruption | Disabled
  Turn off shell protocol protected mode | Disabled

HomeGroup
  Prevent the computer from joining a homegroup | Enabled

Microsoft account
  Block all consumer Microsoft account user authentication | Enabled

MAPS
  Configure local setting override for reporting to Microsoft MAPS | Disabled

Microsoft Defender Antivirus
  Turn off Microsoft Defender Antivirus | Disabled

Network Sharing
  Prevent users from sharing files within their profile. (User) | Enabled

Remote Desktop Connection Client
  Do not allow passwords to be saved | Enabled

Device and Resource Redirection
  Do not allow drive redirection | Enabled

Security (Remote Desktop Services)
  Always prompt for password upon connection | Enabled
  Require secure RPC communication | Enabled
  Require use of specific security layer for remote (RDP) connections | Enabled
    Security Layer (Device) | SSL
  Require user authentication for remote connections by using Network Level Authentication | Enabled
  Set client connection encryption level | Enabled
    Encryption Level | High Level

Temporary folders
  Do not delete temp folders upon exit | Disabled

RSS Feeds
  Prevent downloading of enclosures | Enabled

Store
  Turn off the offer to update to the latest version of Windows | Enabled

Windows Logon Options
  Sign-in and lock last interactive user automatically after a restart | Disabled

Windows PowerShell
  Turn on PowerShell Script Block Logging | Enabled
    Log script block invocation start / stop events: | False

WinRM Client
  Allow Basic authentication | Disabled
  Allow unencrypted traffic | Disabled
  Disallow Digest authentication | Enabled

WinRM Service
  Allow Basic authentication | Disabled
  Allow unencrypted traffic | Disabled
  Disallow WinRM from storing RunAs credentials | Enabled

Auditing
  Account Logon Audit Credential Validation | Success + Failure
  Account Logon Logoff Audit Account Lockout | Failure
  Account Logon Logoff Audit Group Membership | Success
  Account Logon Logoff Audit Logoff | Success
  Account Logon Logoff Audit Logon | Success + Failure
  Account Management Audit Application Group Management | Success + Failure
  Audit Authentication Policy Change | Success
  Audit Authorization Policy Change | Success
  Audit Changes to Audit Policy | Success
  Audit File Share Access | Success + Failure
  Audit Other Logon Logoff Events | Success + Failure
  Audit Security Group Management | Success
  Audit Security System Extension | Success
  Audit Special Logon | Success
  Audit User Account Management | Success + Failure
  Detailed Tracking Audit PNP Activity | Success
  Detailed Tracking Audit Process Creation | Success
  Object Access Audit Detailed File Share | Failure
  Object Access Audit Other Object Access Events | Success + Failure
  Object Access Audit Removable Storage | Success + Failure
  Policy Change Audit MPSSVC Rule Level Policy Change | Success + Failure
  Policy Change Audit Other Policy Change Events | Failure
  Privilege Use Audit Sensitive Privilege Use | Success + Failure
  System Audit IPsec Driver | Success + Failure
  System Audit Other System Events | Success + Failure
  System Audit Security State Change | Success
  System Audit System Integrity | Success + Failure

Config Refresh
  Provider ID | (empty)
    Config refresh | Enabled
    Refresh cadence | 90

Defender
  Attack Surface Reduction Rules
    Block executable content from email client and webmail | Block
    Block all Office applications from creating child processes | Block
    Block Office applications from creating executable content | Block
    Block Office applications from injecting code into other processes | Block
    Block JavaScript or VBScript from launching downloaded executable content | Block
    Block execution of potentially obfuscated scripts | Block
    Block Win32 API calls from Office macros | Block
    Block credential stealing from the Windows local security authority subsystem | Block
    Block untrusted and unsigned processes that run from USB | Block
    Block Office communication application from creating child processes | Block
    Block Adobe Reader from creating child processes | Block
    Block persistence through WMI event subscription | Block
    Block abuse of exploited vulnerable signed drivers (Device) | Block

Experience
  Allow Cortana | Block
  Allow Spotlight Collection (User) | 0
  Allow Windows Spotlight (User) | Block
  Do Not Show Feedback Notifications | Feedback notifications are disabled.

Lanman Workstation
  Enable Insecure Guest Logons | Disabled

Local Policies Security Options
  Accounts Enable Guest Account Status | Disable
  Accounts Limit Local Account Use Of Blank Passwords To Console Logon Only | Enabled
  Accounts Rename Administrator Account | biadm
  Accounts Rename Guest Account | bigst
  Interactive Logon Machine Inactivity Limit | 900
  Interactive Logon Smart Card Removal Behavior | Lock Workstation
  Microsoft Network Client Digitally Sign Communications Always | Enable
  Microsoft Network Client Digitally Sign Communications If Server Agrees | Enable
  Microsoft Network Client Send Unencrypted Password To Third Party SMB Servers | Disable
  Microsoft Network Server Digitally Sign Communications Always | Enable
  Microsoft Network Server Digitally Sign Communications If Client Agrees | Enable
  Network Access Do Not Allow Anonymous Enumeration Of SAM Accounts | Enabled
  Network Access Do Not Allow Anonymous Enumeration Of Sam Accounts And Shares | Enabled
  Network Access Restrict Anonymous Access To Named Pipes And Shares | Enable
  Network Access Restrict Clients Allowed To Make Remote Calls To SAM | O:BAG:BAD:(A;;RC;;;BA)
  Network Security Allow Local System To Use Computer Identity For NTLM | Allow
  Network Security Allow PKU2U Authentication Requests | Allow
  Network Security Do Not Store LAN Manager Hash Value On Next Password Change | Enable
  Network Security LAN Manager Authentication Level | Send LM and NTLMv2 responses only. Refuse LM and NTLM
  Network Security Minimum Session Security For NTLMSSP Based Clients | Require NTLM and 128-bit encryption
  Network Security Minimum Session Security For NTLMSSP Based Servers | Require NTLM and 128-bit encryption
  Network Security Restrict NTLM Audit Incoming NTLM Traffic | Enable auditing for all accounts
  User Account Control Behavior Of The Elevation Prompt For Administrators | Prompt for consent on the secure desktop
  User Account Control Behavior Of The Elevation Prompt For Standard Users | Prompt for credentials on the secure desktop
  User Account Control Detect Application Installations And Prompt For Elevation | Enable
  User Account Control Only Elevate UI Access Applications That Are Installed In Secure Locations | Enabled: Application runs with UIAccess integrity only if it resides in secure location.
  User Account Control Run All Administrators In Admin Approval Mode | Enabled
  User Account Control Switch To The Secure Desktop When Prompting For Elevation | Enabled
  User Account Control Use Admin Approval Mode | Enable
  User Account Control Virtualize File And Registry Write Failures To Per User Locations | Enabled
  Accounts Enable Administrator Account Status | Enable

Microsoft App Store
  Allow apps from the Microsoft app store to auto update | Allowed
  Allow Game DVR | Block
  MSI Allow User Control Over Install | Disabled
  MSI Always Install With Elevated Privileges | Disabled
  MSI Always Install With Elevated Privileges (User) | Disabled

Privacy
  Allow Input Personalization | Block
  Let Apps Activate With Voice Above Lock | Force deny. Windows apps cannot be activated by voice while the screen is locked, and users cannot change it.

Search
  Allow Indexing Encrypted Stores Or Items | Block
  Allow Search To Use Location | Block

Smart Screen
  Enhanced Phishing Protection
    Notify Malicious | Enabled
    Notify Password Reuse | Enabled
    Notify Unsafe App | Enabled
    Service Enabled | Enabled

System
  Allow device name to be sent in Windows diagnostic data | Allowed
  Allow Telemetry | Full
  Enable One Settings Auditing | Enabled
  Limit Diagnostic Log Collection | Enabled
  Limit Dump Collection | Enabled

System Services
  Configure Xbox Accessory Management Service Startup Mode | Disabled
  Configure Xbox Live Auth Manager Service Startup Mode | Disabled
  Configure Xbox Live Game Save Service Startup Mode | Disabled
  Configure Xbox Live Networking Service Startup Mode | Disabled

User Rights (values are the SIDs granted the right; "(none)" means no principal holds it)
  Access Credential Manager As Trusted Caller | (none)
  Access From Network | *S-1-5-32-544;*S-1-5-32-555
  Act As Part Of The Operating System | (none)
  Allow Local Log On | *S-1-5-32-544;*S-1-5-32-545
  Backup Files And Directories | *S-1-5-32-544
  Change System Time | *S-1-5-32-544;*S-1-5-19
  Create Global Objects | *S-1-5-32-544;*S-1-5-19;*S-1-5-20;*S-1-5-6
  Create Page File | *S-1-5-32-544
  Create Permanent Shared Objects | (none)
  Create Symbolic Links | *S-1-5-32-544;*S-1-5-83-0
  Create Token | (none)
  Debug Programs | *S-1-5-32-544
  Deny Access From Network | *S-1-5-32-546;*S-1-5-113
  Deny Local Log On | *S-1-5-32-546
  Deny Remote Desktop Services Log On | *S-1-5-32-546;*S-1-5-113
  Enable Delegation | (none)
  Generate Security Audits | *S-1-5-19;*S-1-5-20
  Impersonate Client | *S-1-5-32-544;*S-1-5-19;*S-1-5-20;*S-1-5-6
  Increase Scheduling Priority | *S-1-5-32-544;*S-1-5-90-0
  Load Unload Device Drivers | *S-1-5-32-544
  Lock Memory | (none)
  Manage Auditing And Security Log | *S-1-5-32-544
  Manage Volume | *S-1-5-32-544
  Modify Firmware Environment | *S-1-5-32-544
  Modify Object Label | (none)
  Profile Single Process | *S-1-5-32-544
  Remote Shutdown | *S-1-5-32-544
  Restore Files And Directories | *S-1-5-32-544
  Take Ownership | *S-1-5-32-544

Virtualization Based Technology
  Hypervisor Enforced Code Integrity | (Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock.
  Require UEFI Memory Attributes Table | Require UEFI Memory Attributes Table

Widgets
  Allow widgets | Not allowed

Windows Defender Security Center
  Disallow Exploit Protection Override | (Enable) Local users cannot make changes in the exploit protection settings area.

Windows Hello For Business
  Facial Features Use Enhanced Anti Spoofing | true
  Device-scoped settings
    Require Security Device | true
    Minimum PIN Length | 6

Windows Ink Workspace
  Allow Windows Ink Workspace | Ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.


Devicie Template Name: Security Baseline (Device)

Default Intune Deployed Name: DEVICIE-PROD-Security Baseline (Device)

Version: 1.0

Template Last Updated: Nov 18, 2024

Document Status: DRAFT

Document Last Updated: Apr 10, 2025