How to use the Windows 10 Security baseline

Jonathan Lefebvre | WINDOWS 10 | 6 Comments

Microsoft has been releasing Security baselines since the Windows XP days. Windows 10 is no exception, except that a new release of the security baseline now follows each major build of Windows 10. The concept of the Security Baseline is to provide Microsoft guidance to IT administrators on how to secure the operating system using GPOs, in the following areas:

  • Computer security
  • User security
  • Internet Explorer
  • BitLocker
  • Credential Guard
  • Windows Defender Antivirus
  • Domain Security

Implementing the security baseline in GPOs is not a complex or long task. The challenge the security baseline presents is that it will expose areas of the environment that are not secure.

This means that to follow all of Microsoft's security guidelines, many other systems outside of Windows 10 would need to be fixed as well.

In this post, we will describe what the Security baseline is, how to use it, and the key points that will most likely be challenging for other systems in the environment.

Prerequisites

  • Download the Security Baseline zip file that matches the Windows 10 version
    • A new version is released for each Windows 10 major build, first as a draft and then for production, at the same link
    • Baselines are backward compatible; a newer version mostly provides new GPOs to support the newest Windows 10 features

  • Security access for Group Policy Management

Windows 10 Security Baseline Files

  • The downloaded zip file contains all the required bits to implement the baseline in your environment.

  • The Documentation folder contains a large Excel file with the details of every configuration that is part of the baseline

  • The GP Reports folder contains HTML reports of the GPO templates available as part of the Windows 10 Security Baseline

  • The GPOs folder contains the actual GPO files that can be imported into the Group Policy Management console

  • The Local_Script folder contains a script to install the security baseline into the local policy of a Windows 10 computer
    • This is mostly for testing the actual configuration

  • The Templates folder contains the ADML and ADMX files for the additional settings in the GPOs

  • The WMI Filters folder contains two WMI filters: Windows 10 and Internet Explorer 11

How to use Windows 10 Security Baseline

Add Templates to Central Store

  • Copy the ADMX files from the Templates folder to the GPO Central Store

  • Copy the ADML files from the Templates folder to the EN-US subfolder of the GPO Central Store

Important Info
If you are not familiar with the Central Store for GPOs, please see the Microsoft documentation.

Import GPOs

  • Create a new blank GPO

  • Right-click on the GPO, and select Import Settings

  • Click Next

  • Click Next; there is no need to take a backup of a new blank GPO.

  • Browse to the GPOs folder and click Next

  • Select the GPO to be imported, based on its name, and click Next

  • Click Next

  • Select Copying them identically from the source and click Next

  • Click Finish

  • Click the Settings tab to see all the imported configuration
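Both steps above, copying the templates to the Central Store and importing the GPO backups, can also be scripted with the GroupPolicy module. This is an added example, not a script from the baseline package or from the original post; it assumes the zip was extracted to $BaselineRoot and that each backup folder under GPOs is a standard Group Policy backup ({GUID} folder with a bkupInfo.xml holding the display name).

```powershell
# Added example (not part of the original post or the baseline package).
# Requires the GroupPolicy module (RSAT) and rights to write to SYSVOL.
param(
    # Assumed location of the extracted Security Baseline zip
    [string]$BaselineRoot = 'C:\Temp\Win10-SecurityBaseline',
    [string]$Domain       = $env:USERDNSDOMAIN,
    # Optional prefix so the imported copies are clearly the ones under test
    [string]$Prefix       = ''
)
Import-Module GroupPolicy -ErrorAction Stop

# Step 1: Central Store. ADMX files go to PolicyDefinitions, ADML to en-US.
$central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
New-Item -ItemType Directory -Path "$central\en-US" -Force | Out-Null
Get-ChildItem "$BaselineRoot\Templates" -Recurse -Filter *.admx |
    Copy-Item -Destination $central -Force
Get-ChildItem "$BaselineRoot\Templates" -Recurse -Filter *.adml |
    Copy-Item -Destination "$central\en-US" -Force

# Step 2: import every GPO backup found in the GPOs folder. Each backup is a
# {GUID} folder whose bkupInfo.xml carries the original display name.
$gpoPath = Join-Path $BaselineRoot 'GPOs'
foreach ($backup in Get-ChildItem $gpoPath -Directory) {
    $info = Join-Path $backup.FullName 'bkupInfo.xml'
    if (-not (Test-Path $info)) { continue }   # not a backup folder, skip it
    [xml]$xml = Get-Content $info
    # local-name() sidesteps the default XML namespace of bkupInfo.xml
    $node = $xml.SelectSingleNode('//*[local-name()="GPODisplayName"]')
    $name = $Prefix + $node.InnerText

    if (Get-GPO -Name $name -ErrorAction SilentlyContinue) {
        Write-Warning "GPO '$name' already exists, skipping"
        continue
    }
    # No migration table = "Copying them identically from the source"
    Import-GPO -BackupId ([guid]$backup.Name) -Path $gpoPath `
               -TargetName $name -CreateIfNeeded | Out-Null
    Write-Host "Imported '$name' (created unlinked; test it before linking to an OU)"
}
```

The GPOs are created unlinked, so nothing applies until you link them to a test OU.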

Once the GPOs are imported, testing is key!

No magic trick here: start with test computers, then IT users/pilot users, prior to applying this to production.

Key points that provide challenges

Here are some configurations that are part of the baseline that should be looked at up front, as they might cause issues in your environment. The idea is to get a better understanding of what is going on. Don't change those settings just to avoid the issues; the issues should be fixed at the other end for better security.

Hardened UNC path

This setting is likely to produce the following error when Windows 10 tries to process GPOs.

Error
The processing of Group Policy failed. Windows attempted to read the file \\yourdomain.fqdn\sysvol\yourdomain.fqdn\Policies\{GPO GUID}\gpt.ini from a domain controller and was not successful.

The configuration is under Computer/Administrative Templates/Network/Network Provider/Hardened UNC Paths

Review the following post by Lee Stevens for details on UNC path hardening, to help define this setting for your environment.
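Before changing anything, it helps to see which Hardened UNC Paths the client actually received and whether Group Policy is logging the read failure above (event 1058 from the GroupPolicy provider in the System log). This check is an added example, not from the original post; it reads the policy registry key under HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths.

```powershell
# Added example (not from the original post): report the Hardened UNC Paths a
# client has received and any recent Group Policy read failures (event 1058).
function Get-HardenedUncStatus {
    [CmdletBinding()]
    param([int]$MaxEvents = 5)

    # Policy key written by "Hardened UNC Paths": each value name is a UNC
    # pattern (e.g. \\*\SYSVOL) and its data the required flags.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
    $paths = @()
    if (Test-Path $key) {
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
                 Where-Object { $_.Name -like '\\*' }
        foreach ($p in $props) {
            $paths += [pscustomobject]@{
                Path      = $p.Name
                Flags     = $p.Value
                # The file server must support Kerberos (mutual auth) and SMB
                # signing (integrity) for a hardened path to be readable
                Mutual    = $p.Value -match 'RequireMutualAuthentication=1'
                Integrity = $p.Value -match 'RequireIntegrity=1'
                Privacy   = $p.Value -match 'RequirePrivacy=1'
            }
        }
    }

    # "The processing of Group Policy failed ... gpt.ini" is event ID 1058
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1058 }
    $fails = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
             Select-Object TimeCreated, Message

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        HardenedPaths    = $paths
        RecentGpFailures = @($fails)
    }
}

# Usage on a test client: Get-HardenedUncStatus | Format-List
```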

Internet Explorer processes only computer GPOs

If you have user GPOs for Internet Explorer Security Zones, adding the baseline for Internet Explorer will prevent those settings from being applied.

Two options are available if this causes issues:

  • Move your Internet Explorer configuration to computer GPO instead of user GPO
  • Change the configuration back to Not Configured for this GPO

More details are in this KB from Microsoft.

User Account Control

User Account Control (UAC) is configured to the maximum level by the Security Baseline.

The default Windows 10 level is Notify me only when applications try to make changes to my computer (level 3 out of 4).

This is configured by a local security policy.

To modify it, open the Windows 10 Computer GPO and go to Computer/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control

Credential Guard

Having Credential Guard in Windows 10 is categorized as a quick win, as the requirements and setup are easy.

The default configuration of the MSFT Windows 10 and Server 2016 – Credential Guard GPO is set up in a way that is likely to crash the computer, or to impose an undesired requirement for future needs, if applied as is.

We strongly recommend carefully reading the Help section of the Computer/Administrative Templates/System/Device Guard/Turn On Virtualization Based Security GPO setting.

To take advantage of Credential Guard safely, this would be the required configuration:

[Screenshot: Windows 10 Security baseline (Credential Guard GPO settings)]

SMB v1

This topic is the most important of all the key points. With Windows 10 v1709, SMB v1 is disabled by default. But what if you still need it in your environment?

Let me make this clear: we do not recommend enabling SMB v1. It has proven to be one of the most critical security holes of late, with malware like WannaCry.

On the other hand, sometimes we don't have much choice but to go against security.

So, to leave SMB v1 enabled as part of the security baseline GPO, we suggest reading the following blog post by Aaron Margosis.

The GPO settings for SMB v1 are under Computer/Administrative Templates/MS Security Guide
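To find out whether SMB v1 is actually still in use before deciding to leave it enabled, the SMB cmdlets on Windows 10 1709 and later can report the feature state, list live sessions negotiated at a 1.x dialect, and turn on SMB1 access auditing (event ID 3000 in the Microsoft-Windows-SMBServer/Audit log). This is an added example, not from the original post; the parsing of the audit event text assumes it contains a "Client Address:" line.

```powershell
# Added example (not from the original post): inventory SMB v1 on a Windows 10
# 1709+ machine and enable SMB1 access auditing to learn who still depends on it.
# Run elevated; the optional feature query needs administrator rights.
function Get-Smb1Status {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $server  = Get-SmbServerConfiguration
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Smb1FeatureState   = $feature.State           # Disabled by default on 1709+
        Smb1ServerEnabled  = $server.EnableSMB1Protocol
        Smb1AuditEnabled   = $server.AuditSmb1Access
        # Outbound connections this machine made at an SMB 1.x dialect
        Smb1OutboundShares = @(Get-SmbConnection |
                               Where-Object Dialect -like '1.*' |
                               Select-Object ServerName, ShareName, Dialect)
        # Inbound sessions from clients that negotiated SMB 1.x
        Smb1InboundClients = @(Get-SmbSession |
                               Where-Object Dialect -like '1.*' |
                               Select-Object ClientComputerName, ClientUserName, Dialect)
    }
}

# Turn on auditing so every SMB1 access is logged (event ID 3000) without
# changing whether SMB1 is enabled; leave it on for a few weeks of normal use.
function Enable-Smb1Audit {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

# Summarise audit events by client so each dependency can be fixed at the
# other end (upgrade or replace the client) instead of keeping SMB1 around.
function Get-Smb1AuditSummary {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: the event text carries "Client Address: <ip>"
            if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } else { 'unknown' }
        } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'ClientAddress'; e = { $_.Name } }, Count
}
```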

Issue with BitLocker on Windows 10 1709

The MSFT Windows 10 RS3 – BitLocker GPO contains a setting, Disable new DMA devices when this computer is locked, that broke some computers.

See the following blog post by Aaron Margosis for details on the issue.

The setting Computer/Administrative Templates/Windows Components/BitLocker Drive Encryption/Disable new DMA devices when this computer is locked should be reviewed prior to being applied.

What to do when a new version of Security baseline is available?

A new version of the Security baseline usually comes out at the same time as a Windows 10 build goes RTM.

Microsoft has always released them first as a DRAFT version, for a couple of months, and then released the FINAL version.

Here's a checklist of what to do when the new version is available:

  • Start by reviewing the Excel file to see what's new in the baseline
    • Most of the new settings in the baseline will be in line with the new features of the Windows 10 release

  • Update the ADMX files in the Central Store with the ones from the latest Windows 10 build prior to adding new settings
  • New settings should then be added to your environment in one of the following ways:
    • Import the new GPOs
    • Add new settings to current GPO

Follow us on Twitter to get a notification when a new version of the Security baseline is released.

Bonus Tip

The Policy Analyzer is a great tool to compare current GPOs against the ones from the Security Baseline.

This can give an idea of the conflicting settings, as well as the additional settings from the Security Baseline.

Contributor to System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM consultant working in the industry for more than 10 years. He has developed a strong knowledge of SCCM and MDT to build automated OS deployment solutions for clients and has managed large and complex environments, including Point of Sale (POS) related projects.

6 Comments on “How to use the Windows 10 Security baseline”

  1. Thanks for the article Jonathan, quick question: I don't get all the settings in Administrative Templates after importing "MSFT Windows 10 RS3 – Computer". I only get LAPS, MS Security Guide, MSS (Legacy), Extra Registry Settings! Not sure why!

    Thanks
    Jesus

  2. Hello,
    excellent article. (as always btw)

    I join Mark Payne with the question "how about SCCM?"

    A baseline configuration to apply this thing would be very helpful…. and even further…. a guide to apply the baseline to Intune clients?

  3. Man! This article could not have come at a better time. I have been tasked with implementing a baseline for our devices. I have downloaded some of these baselines, and must admit I didn't really understand how to implement them. This article is a great help to begin to understand how to use and deploy them. It was mentioned the baseline is backward compatible. So the 1709 baseline can be imported to cover the earlier Win10 builds?

    1. Hi Quinn,
      thanks for the feedback 🙂

      Yes, they are backward compatible because most GPOs are targeted at Windows 10…. Some of the newer settings require 1709, but those are new features from this build, so they have no impact on previous builds.

      Jonathan
