Security baseline for Windows 10 “Creators Update” (v1703) – FINAL

Microsoft is pleased to announce the final release of the recommended security configuration baseline settings for Windows 10 “Creators Update,” also known as version 1703, “Redstone 2,” or RS2. The downloadable attachment to this blog post includes importable GPOs, tools for applying the GPOs, custom ADMX files for Group Policy settings, and all the settings in spreadsheet form.

Download the content from the Microsoft Security Compliance Toolkit (click Download and select Windows 10 Version 1703 Security Baseline.zip).

This updated content will be incorporated into the Security Compliance Toolkit shortly. (Note that the Security Compliance Manager tool has been retired.)

The differences in this baseline from the v1703 draft version are:

• The security settings that disallowed Internet Explorer from using downloaded fonts in the Internet and Restricted Sites zones have been removed. This change in IE11 recommendations applies only to Windows 10, and is possible because of Windows 10's additional mitigations as described in the blog post, Dropping the "Untrusted Font Blocking" setting .
• The enforcement of the default for the User Rights Assignment, Generate security audits (SeAuditPrivilege) , has been removed. Enforcing the default does not mitigate contemporary security threats, and hampers the functionality of programs such as System Center Operations Manager (SCOM) that need to change the default.
• We are enabling the setting, "Do not suggest third-party content in Windows spotlight" in User Configuration\Administrative Templates\Windows Components\Cloud Content. Enabling this setting is consistent with our having previously enabled "Turn off Microsoft consumer experiences."

Thank you to the Center for Internet Security (CIS) and to everyone else who gave us feedback.

Comments

• Anonymous
  September 01, 2017
  Will the Security Compliance Manager updated accordingly?[Aaron Margosis] No - that tool has been retired.
• Anonymous
  September 07, 2017
  will corresponding baselines for windows server 2016 be made available?
• Anonymous
  September 10, 2017
  I've used this settings (client_install with lgpo) then after two boots I couldn't enter my pc. I enter my password on login screen, it accepts and directly says "User profile service failed the logon User profile cannot be loaded" and turns back to login screen.Also I couldn't find the reason but I can't reach safe mode with "shift + power", "f8 on boot" or "CAD". I had windows install usb, from setup screen I used system recovery. After the recovery still can't.Any ideas?
• Anonymous
  September 15, 2017
  Your domain settings have users change 14 character complex passwords every 60 days. This against the "Microsoft Password Guidance" document by Robyn Hicock, and against new NIS guidelines. Why?[Aaron Margosis] Group Policy and other settings available within Windows don't offer a way to implement those guidelines.
• Anonymous
  October 12, 2017
  Wait ... you recommend to enable "Do not suggest third-party content in Windows spotlight" after you removed it from Windows 10 Pro? You do see the hypocrisy that, do you?[Aaron Margosis] Help me out. I have no idea what you're talking about. Thanks.
• Anonymous
  November 03, 2017
  Can these baselines be used in SCCM configuration items?[Aaron Margosis] I'm not aware at the moment of a tool that can represent these GPOs in their entirely in the DCM format. We are working on a solution that will address the gap of compliance checking.
• Anonymous
  November 27, 2018
  Aaron,I believe you are incorrect. See below for how to implement the following recommendations. These are located under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.Microsoft Password Guidance (https://www.microsoft.com/en-us/research/publication/password-guidance/)Robyn Hicock, rhicock@microsoft.comMicrosoft Identity Protection Team1. Maintain an 8-character minimum length requirement (and longer is not necessarily better).• Minimum password length ≥ 82. Eliminate character-composition requirements.• Password must meet complexity requirements = Disabled3. Eliminate mandatory periodic password resets for user accounts.• Maximum password age = 0[Aaron Margosis] Yes, but you're leaving out these:4. Ban common passwords, to keep the most vulnerable passwords out of your system.5. Educate your users not to re-use their password for non-work-related purposes.6. Enforce registration for multi-factor authentication.7. Enable risk based multi-factor authentication challenges.If you implement the first three without the last four -- especially #4 -- you'll be worse off than if you stick with the baseline settings.